Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 154126 - Insecure world-readable log file creation in /tmp when debug=1
Summary: Insecure world-readable log file creation in /tmp when debug=1
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: postgresql-odbc
Version: fc3
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tom Lane
QA Contact: David Lawrence
URL:
Whiteboard:
: 154128 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-04-07 17:20 UTC by Robin Green
Modified: 2013-07-03 03:05 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-11-08 21:27:37 UTC


Attachments (Terms of Use)

Description Robin Green 2005-04-07 17:20:03 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050328 Firefox/1.0.2 Fedora/1.0.2-3

Description of problem:
unixODBC, at least with the postgresql driver (I haven't tried other drivers), creates insecure log files in /tmp when the debug=1 option is set in odbc.ini.

Problems:
1. They contain passwords
2. They are world-readable(!)
3. Their filenames are predictable (mkstemp not used, apparently).

Version-Release number of selected component (if applicable):
unixODBC-2.2.9-1

How reproducible:
Always

Steps to Reproduce:
1. Install a program that uses ODBC.
2. Put debug=1 in /etc/odbc.ini
3. Restart the program that uses ODBC (in my case, "service ldap restart").

Actual Results:  A log file appears in /tmp, like this:

-rw-r--r--  1 ldap    ldap    197307 Apr  7 17:46 mylog_ldap14229.log

It contains the database password in the first few lines. 14229 is the pid of one of the ldap server processes (slapd), and this is not just a coincidence - log filenames are always generated from the pid.

Expected Results:  Either it should refuse to create a log file unless an explicit filename is given, or else I think it should use mkstemp (but still keep the pid in the filename for identification purposes) and set the permissions to -rw-------.

Additional info:

Not sure if this bug is in unixODBC or postgresql.

postgresql-7.4.7-3.FC3.1

Comment 1 Robin Green 2005-04-07 17:23:40 UTC
*** Bug 154128 has been marked as a duplicate of this bug. ***

Comment 2 Tom Lane 2005-04-08 02:50:11 UTC
Actually I'd blame it on postgresql-odbc.  There is a very old version of the PG ODBC driver in the 
unixODBC package, from which we can see that the problem is of long standing ... but I'm not going to 
fix that, rather remove it.  If anything is to be done about this it'll be in postgresql-odbc.

I'll take the question up with the upstream postgresql-odbc maintainers.  Since it's acted like this for so 
long, it seems possible that the behavior is intentional, though I agree that sticking a password into 
such a file doesn't sound like a hot idea.

Comment 3 Matthew Miller 2006-07-10 22:41:14 UTC
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!


Comment 4 Robin Green 2006-07-11 10:22:40 UTC
This is a security bug so reassigning to Fedora Legacy as directed.

Comment 5 Robin Green 2006-07-11 10:25:57 UTC
For some reason this stayed in NEEDINFO state - trying again.

Comment 6 Jesse Keating 2006-08-13 13:49:20 UTC
Tom, have you heard anything from upstream on this issue?

Comment 7 Piotr Drąg 2008-11-08 21:27:37 UTC
Closing Fedora Legacy bugs.


Note You need to log in before you can comment on or make changes to this bug.