Univention Bugzilla – Bug 53858
World readable /var/log/univention/lock_expired_accounts.log
Last modified: 2024-04-29 08:44:03 CEST
*** BEGIN *** ['/bin/bash', '27check_logfiles_univention'] ***
*** 01_base/27check_logfiles_univention *** World-readable Univention-specific logfiles ***
*** START TIME: 2021-09-30 15:18:20 ***
Some potentially sensitive log files are world-readable:
-rw-r--r-- 1 root root 7720 Sep 30 14:40 /var/log/univention/lock_expired_accounts.log
*** END TIME: 2021-09-30 15:18:20 ***
*** TEST DURATION (H:MM:SS.ms): 0:00:00.144165 ***
*** END *** 1 ***

The log file is created by
> management/univention-directory-manager-modules/scripts/lock_expired_accounts:78: ud.init('/var/log/univention/lock_expired_accounts.log', ud.FLUSH, ud.NO_FUNCTION)
which is called explicitly by
> test/ucs-test/tests/61_udm-users/01_test_udm_users.py:273: subprocess.check_call(['/usr/share/univention-directory-manager-tools/lock_expired_accounts', '--only-last-week'])

Previously it was also called from cron:
> base/univention-server/debian/changelog:405: * Removed lock_expired_passwords lock_expired_accounts cron job

As
> 01_base/27check_logfiles_univention
is executed before
> 61_udm-users/01_test_udm_users.py
the "wrong" file permissions are not detected by our regular ucs-test runs. But if the tests are executed in random / reverse order or are re-executed, the discrepancy is detected and reported as a failure.

Please fix the permissions for both 4.4-8 and 5.0-0!

+++ This bug was initially created as a clone of Bug #53631 +++

3 years later and still unfixed; also:

Some potentially sensitive log files are world-readable:
-rw-r--r-- 1 root root 80800 Apr 27 11:17 /var/log/univention/lock_expired_accounts.log
-rw-r--r-- 1 root freerad 8422 Apr 28 09:00 /var/log/univention/radius_ntlm_auth.log
-rw-r--r-- 1 root root 46 Apr 28 08:17 /var/log/univention/univention-freeradius-sync.log

The test should be moved from 01_base/ to 99_end/ to run *after* all testing to find files only created on demand.
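
Added example, not part of the bug report and not Univention code: a sketch of the check the test performs (files whose "other" read bit is set) next to one way to pre-create a log file with a fixed mode before a logger opens it. The function names, the 0640 mode and the file names in demo() are assumptions made for illustration.

```python
import os
import stat
import tempfile


def find_world_readable(log_dir):
    """Return sorted paths of regular files under log_dir that others can read."""
    hits = []
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                hits.append(path)
    return sorted(hits)


def open_private_log(path, mode=0o640):
    """Create or tighten a log file to `mode`, independent of the process umask."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, mode)
    try:
        # os.open() still applies the umask and leaves an existing file's
        # mode untouched, so set the mode explicitly on the open descriptor.
        os.fchmod(fd, mode)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed scenario: one file created the default way, one pre-created."""
    old_umask = os.umask(0o022)  # common default umask, yields 0644 files
    try:
        with tempfile.TemporaryDirectory() as log_dir:
            leaky = os.path.join(log_dir, "on_demand.log")     # constructed name
            private = os.path.join(log_dir, "precreated.log")  # constructed name
            with open(leaky, "w") as fh:
                fh.write("constructed sample line\n")
            before = [os.path.basename(p) for p in find_world_readable(log_dir)]
            private_mode = open_private_log(private)
            fixed_mode = open_private_log(leaky)  # tighten the existing file
            after = find_world_readable(log_dir)
            return before, private_mode, fixed_mode, after
    finally:
        os.umask(old_umask)
```

Run as the last step of a test suite, a scan like find_world_readable() also sees files that are only created on demand by earlier tests.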