access.log is owned by root and has write permissions to anyone

Bug #325393 reported by Julien Desfossez
Affects        Status        Importance  Assigned to  Milestone
ntop           Fix Released  Unknown
ntop (Debian)  Fix Released  Unknown
ntop (Fedora)  Fix Released  Low
ntop (Ubuntu)  Fix Released  Low         Unassigned

Bug Description

Binary package hint: ntop

On hardy 8.04 LTS with ntop 3:3.2-10.1, the file /var/log/ntop/access.log has write permissions to anyone.

ls -lh /var/log/ntop/access.log
-rw-rw-rw- 1 root root 0 2009-02-04 11:53 /var/log/ntop/access.log

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug.

Email sent to upstream and vendor-sec, requesting a CRD of 2009-02-25 00:00 UTC. Unless otherwise noted, the bug can be made public after this date.

Changed in ntop:
status: New → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Upstream and vendor-sec did not request a different CRD. Marking public.

Revision history for this message
In , Vincent (vincent-redhat-bugs) wrote :

It was reported to Ubuntu that ntop creates the access log world-writable when the --access-log-file option is used.

This option is not used in Fedora or Red Hat by default and is not noted in the configuration file. It is, however, noted in the ntop manpage. It would require the root user to add this option to the configuration in order for this file to be created.

This is a low severity issue.

A possible fix would be the following patch:

--- http.c.org 2009-03-16 16:28:10.000000000 -0700
+++ http.c 2009-03-16 16:27:55.000000000 -0700
@@ -1298,6 +1298,7 @@ void printHTMLtrailer(void) {
 void initAccessLog(void) {

   if(myGlobals.runningPref.accessLogFile) {
+ umask(0137);
     myGlobals.accessLogFd = fopen(myGlobals.runningPref.accessLogFile, "a");
     if(myGlobals.accessLogFd == NULL) {
       traceEvent(CONST_TRACE_ERROR, "Unable to create file %s. Access log is disabled.",
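Review bot: the added `umask(0137);` is process-wide and is never restored, and the previous mask returned by `umask()` is discarded, so every file ntop creates after `initAccessLog()` runs inherits the new mask, not only the access log. Save and restore the old mask around the `fopen()`, or avoid the umask dependency altogether by creating the log with `open(path, O_WRONLY|O_CREAT|O_APPEND, 0640)` followed by `fdopen()`. A umask also only affects file creation: an access.log that already exists as 0666 from an earlier run is left world-writable by this hunk, so anyone shipping the fix will want to tighten existing files too, and as Andreas notes later in this thread the loose mode only appears when ntop runs with `-d`, which suggests the daemonization path resets the umask and is the root cause this hunk works around. Minor: the `+` line is indented with one space while the surrounding block uses four.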

Revision history for this message
In , Vincent (vincent-redhat-bugs) wrote :
Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

ntop-3.3.8-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ntop-3.3.8-3.fc10

Revision history for this message
In , Rakesh (rakesh-redhat-bugs) wrote :

Fixed in rawhide and submitted an update to bodhi. Will take some time to reach updates.

Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

Please do not close 'Security Response' bugs that may affect other products as well. Thank you!

Revision history for this message
Andreas Olsson (andol) wrote :

This is, by the way, still true in the Jaunty version (ntop 3.3-11ubuntu1).

Revision history for this message
Andreas Olsson (andol) wrote :

Fedora seems to fix this by setting a hard coded umask into the source code. Is this an approach we want to take?

It looks as if ntop only insists on creating globally writable logs if the option -d (--daemon) is used. Running non-daemonized, it obeys umask settings just fine.

I experienced the exact same behavior while downloading the latest version from SVN.

@Jamie: While you were in contact with upstream, did they give you a ticket number for this issue? I can't seem to find any in their Trac.
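To make the two mechanisms discussed in this thread concrete (Vincent's umask patch above, and Andreas's observation that the mode is only wrong when ntop daemonizes), here is an added, stand-alone C example that is not ntop's code: a daemon-style umask(0) followed by fopen() yields a 0666 log, a umask applied only at creation time leaves an already existing 0666 file untouched, and open(2) with an explicit mode plus fchmod() covers both cases. The function names and the file path used to exercise it are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permission bits (mode & 0777) of path, or -1 if it cannot be stat()ed. */
int file_mode(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 0777);
}

/* Reproduces the reported behaviour: a daemonizer has called umask(0), and
 * the log is then opened with fopen(..., "a"), which creates it as 0666. */
int create_log_daemon_style(const char *path) {
    mode_t saved = umask(0);          /* what a naive daemon() helper does */
    FILE *f = fopen(path, "a");
    umask(saved);                     /* restore so the rest of the example is unaffected */
    if (f == NULL) return -1;
    fclose(f);
    return file_mode(path);
}

/* The umask-based fix from the thread: effective only when the file is
 * created; a pre-existing 0666 file keeps its mode. */
int create_log_umask_fix(const char *path) {
    mode_t saved = umask(0137);       /* 0666 & ~0137 == 0640 for new files */
    FILE *f = fopen(path, "a");
    umask(saved);
    if (f == NULL) return -1;
    fclose(f);
    return file_mode(path);
}

/* Hardened variant: explicit mode in open(2), independent of the process
 * umask, and fchmod() so a pre-existing loose file is tightened as well. */
int create_log_hardened(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0640);
    if (fd < 0) return -1;
    if (fchmod(fd, 0640) != 0) { close(fd); return -1; }
    FILE *f = fdopen(fd, "a");
    if (f == NULL) { close(fd); return -1; }
    fclose(f);                        /* also closes fd */
    return file_mode(path);
}
```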

Changed in ntop (Fedora):
status: Unknown → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Andreas: upstream never responded. If you or someone else is preparing debdiffs for Ubuntu, it would be great if upstream and Debian were sent the patch as well.

Revision history for this message
Andreas Olsson (andol) wrote :

Reported this upstream. Couldn't find any way to get Launchpad to link against ntop using "Also affects project".

http://www.ntop.org/trac/ticket/75

Changed in ntop:
status: Unknown → New
Revision history for this message
In , Rakesh (rakesh-redhat-bugs) wrote :

This has been pushed into stable. Why not close it now? Which other products does it affect? I am confused.

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

ntop-3.3.8-3.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

Revision history for this message
In , Vincent (vincent-redhat-bugs) wrote :

Hi, Rakesh. Fedora is not the only product shipping this (EPEL5 and HPC also ship it).

Changed in ntop:
status: New → Fix Released
Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :
Andreas Moog (ampelbein)
Changed in ntop (Ubuntu):
importance: Undecided → Low
status: Confirmed → Triaged
Changed in ntop (Debian):
status: Unknown → New
Changed in ntop (Debian):
status: New → Fix Released
Revision history for this message
Ludovico Cavedon (cavedon) wrote :

Looks like this bug is no longer present in the latest version in Ubuntu.

Thanks for taking the time to report the issue.

Changed in ntop (Ubuntu):
status: Triaged → Fix Released
Changed in ntop (Fedora):
importance: Unknown → Low
status: In Progress → Fix Released
This report contains Public Security information  
Everyone can see this security related information.