Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fail if log file already exists #74

Merged
merged 3 commits into from
Jan 13, 2025
Merged

Fail if log file already exists #74

merged 3 commits into from
Jan 13, 2025

Conversation

chressie
Copy link
Contributor

No description provided.

@chressie
glog: Don't try to create/rotate a given syncBuffer twice in the same…
65d3f26 
… second

If you do, then you truncate the existing file. So logging too much too quickly would lose log data.

cl/709080575 (google-internal)
@chressie
glog: introduce createInDir function as in internal version
f642533
@chressie
glog: have createInDir fail if the file already exists
b874165 
This prevents an attack like the one described
[here](https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File#:~:text=On%20Unix%20based,with%20elevated%20permissions.).
An unprivileged attacker could use symlinks to trick a privileged
logging process to follow a symlink from the log dir and write logs over
an arbitrary file.

The components of the log names are program, host, username, tag, date,
time and PID. These are all predictable. It's not at all unusual for the
logdir to be writable by unprivileged users, and one of the fallback
directories (/tmp) traditionally has broad write privs with the sticky
bit set on Unix systems.

As a concrete example, let's say I've got a glog-enabled binary running
as a root cronjob. I can gauge when that cron job will run and then use
a bash script to spray the log dir with glog-looking symlinks to
`/etc/shadow` with predicted times and PIDs. When the cronjob runs, the
`os.Create` call will follow the symlink, truncate `/etc/shadow` and
then fill it with logs.

This change defeats that by setting `O_EXCL`, which will cause the open
call to fail if the file already exists.

Fixes CVE-2024-45339

cl/712795111 (google-internal)
@chressie chressie assigned chressie and stapelberg and unassigned chressie Jan 13, 2025
@stapelberg stapelberg merged commit a0e3c40 into golang:master Jan 13, 2025
1 check passed
@chressie chressie deleted the fail-already-exist branch January 14, 2025 07:02
@tatianab tatianab mentioned this pull request Jan 17, 2025
Closed
@GoVulnBot GoVulnBot mentioned this pull request Jan 28, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stapelberg stapelberg stapelberg approved these changes

Assignees

@stapelberg stapelberg

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@chressie @stapelberg