Re: Permissions of log files

2021-01-03 Thread Laurent Bercot 

I think it is possible to achieve this while also respecting the configured 
umask.

What do you think?


 It really does not matter at all, and the log files permissions are
relaxed by default because it gives the user one and only one place to
set the permissions they want: the log directory.



Not respecting the configured umask in s6-log deployments could be regarded as 
a security risk because it has the potential to expose sensitive log file 
content.


 It really should not. s6-log logs to *directories*, not to files, and
when it creates a log directory, its permissions are 0700 by default, so
there is no risk of leaking data. If the admin wants to make the logs
public, they just have to make the directory publicly readable; 
otherwise,

the restricted directory prevents access to the actual files.

 But I suppose having the files o-r would make it easier to transfer
them away from the original log directory, so there's also an argument
for restricting the permissions.

 In the end your idea that the log file permissions should be 
configurable
via the umask is a good one: by default the umask is permissive and 
would

give the current behaviour, and someone who wants to securely transfer
files away from logdirs would set a restrictive umask before running
s6-log. So I will probably make that change. Thanks for the suggestion!

--
 Laurent

Permissions of log files

2021-01-03 Thread Earl Chew via skaware 
I have a question about the behaviour of s6-log as it manipulates the 
file permissions of .../current.


While configuring a deployment with a narrower umask than usual, I 
noticed that .../current would always be world readable despite the 
setting of the umask.


Looking at the source code, I notice lines like this:

https://github.com/skarnet/s6/blob/master/src/daemontools-extras/s6-log.c#L382

I understand the motivation to use the permission bits to signal state 
-- https://skarnet.org/software/s6/s6-log.html


> If current has the executable-by-user flag, it means that no s6-log 
process is currently writing to it and the
> previous s6-log process managed to cleanly finalize it. If it does 
not, either an s6-log process is writing

> to it or the previous one has been interrupted without finalizing it.

I think it is possible to achieve this while also respecting the 
configured umask.


What do you think?

Not respecting the configured umask in s6-log deployments could be 
regarded as a security risk because it has the potential to expose 
sensitive log file content.



Earl