Bug#608491: syslog-ng: log file permissions dangerous on kfreebsd-i386

[Steven Chamberlain]

Hi,

bits/typesizes.h reveals that mode_t is u16 on kFreeBSD, rather than u32
on Linux.  So the dummy/rogue value of '-1' that file_perm or dir_perm
are initialised to, would be treated as a valid mode 0xffff.

u16 doesn't allow room for a dummy value any more, so I thought the
cleanest fix would be to define a DEFAULT_FILE_PERM and
DEFAULT_DIR_PERM, and initialise to those instead of -1.  Since the
'mode' variable will always contain something valid, it is no longer
necessary to check that when calling to open() and fchmod().

This is demonstrated in my attached patch, which I've only managed to
build on amd64 yet and not kFreeBSD, so it hasn't been properly tested.

Fortunately the uid/gid types are still u32 on kFreeBSD so there is no
issue with those.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org

diff -Nru syslog-ng-3.1.3.orig/src/affile.c syslog-ng-3.1.3/src/affile.c
--- syslog-ng-3.1.3.orig/src/affile.c	2010-11-05 22:09:24.000000000 +0000
+++ syslog-ng-3.1.3/src/affile.c	2010-12-31 17:01:56.000000000 +0000
@@ -80,7 +80,7 @@
                       NULL);
         }
     }
-  *fd = open(name, flags, mode < 0 ? 0600 : mode);
+  *fd = open(name, flags, mode);
   if (is_pipe && *fd < 0 && errno == ENOENT)
     {
       if (mkfifo(name, 0666) >= 0)
@@ -97,8 +97,7 @@
         fchown(*fd, (uid_t) uid, -1);
       if (gid >= 0)
         fchown(*fd, -1, (gid_t) gid);
-      if (mode >= 0)
-        fchmod(*fd, (mode_t) mode);
+      fchmod(*fd, (mode_t) mode);
     }
   g_process_cap_restore(saved_caps);
   msg_trace("affile_open_file",
@@ -119,7 +118,7 @@
   else
     flags = O_RDONLY | O_NOCTTY | O_NONBLOCK | O_LARGEFILE;
 
-  if (affile_open_file(name, flags, -1, -1, -1, 0, 0, 0, 0, !!(self->flags & AFFILE_PRIVILEGED), !!(self->flags & AFFILE_PIPE), fd))
+  if (affile_open_file(name, flags, -1, -1, AFFILE_DEFAULT_FILE_PERM, 0, 0, AFFILE_DEFAULT_DIR_PERM, 0, !!(self->flags & AFFILE_PRIVILEGED), !!(self->flags & AFFILE_PIPE), fd))
     return TRUE;
   return FALSE;
 }
@@ -764,13 +763,13 @@
     self->file_uid = cfg->file_uid;
   if (self->file_gid == -1)
     self->file_gid = cfg->file_gid;
-  if (self->file_perm == -1)
+  if (self->file_perm == AFFILE_DEFAULT_FILE_PERM)
     self->file_perm = cfg->file_perm;
   if (self->dir_uid == -1)
     self->dir_uid = cfg->dir_uid;
   if (self->dir_gid == -1)
     self->dir_gid = cfg->dir_gid;
-  if (self->dir_perm == -1)
+  if (self->dir_perm == AFFILE_DEFAULT_DIR_PERM)
     self->dir_perm = cfg->dir_perm;
   if (self->time_reap == -1)
     self->time_reap = cfg->time_reap;
@@ -972,9 +971,9 @@
   self->filename_template = log_template_new(NULL, filename);
   self->flags = flags;
   self->file_uid = self->file_gid = -1;
-  self->file_perm = (mode_t) -1;
+  self->file_perm = (mode_t) AFFILE_DEFAULT_FILE_PERM;
   self->dir_uid = self->dir_gid = -1;
-  self->dir_perm = (mode_t) -1;
+  self->dir_perm = (mode_t) AFFILE_DEFAULT_DIR_PERM;
   log_writer_options_defaults(&self->writer_options);
   if (strchr(filename, '$') == NULL)
     {
diff -Nru syslog-ng-3.1.3.orig/src/affile.h syslog-ng-3.1.3/src/affile.h
--- syslog-ng-3.1.3.orig/src/affile.h	2010-05-05 11:01:56.000000000 +0100
+++ syslog-ng-3.1.3/src/affile.h	2010-12-31 17:02:53.000000000 +0000
@@ -35,6 +35,9 @@
 #define AFFILE_FSYNC       0x00000010
 #define AFFILE_PRIVILEGED  0x00000020
 
+#define AFFILE_DEFAULT_FILE_PERM 0600
+#define AFFILE_DEFAULT_DIR_PERM  0700
+
 typedef struct _AFFileSourceDriver
 {
   LogDriver super;