Wrong permissions cause segfault syslog-ng (with TLS configuration)/ error handling

Bug #1376207 reported by Branislav Staron
This bug affects 1 person
Affects: syslog-ng (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

System: Ubuntu 14.04 Trusty
Package syslog-ng-core, Version: 3.5.3-1, Arch: amd64 (maybe all)

After sending a TLS request (syslog-ng TLS client, Cisco syslog SSL/TLS client, openssl s_client), the child process crashes with the kernel message:

[155599.792614] syslog-ng[9124]: segfault at 4 ip 00007f5b978f6544 sp 00007fff7a702be8 error 4 in libsyslog-ng-3.5.3.so[7f5b978af000+7e000]
[155602.728656] syslog-ng[10006]: segfault at 4 ip 00007f5b978f6544 sp 00007fff7a702be8 error 4 in libsyslog-ng-3.5.3.so[7f5b978af000+7e000]
[155604.200793] syslog-ng[10011]: segfault at 4 ip 00007f5b978f6544 sp 00007fff7a702be8 error 4 in libsyslog-ng-3.5.3.so[7f5b978af000+7e000]

This problem occurs when the file server.key or server.cer (referenced in the config file syslog-ng.conf) has these file permissions (perm: 0400, owner/group: non-root):
-----------------------------------------------------------
dr-x------. root root .
drwxr-xr-x. root root ..
-r--------. 1000 1000 server.cer
-r--------. root root server.key
-----------------------------------------------------------

config file of server (/etc/syslog-ng/syslog-ng.conf)
---------------------------START---------------------------
@version: 3.5
@include "scl.conf"
@include "`scl-root`/system/tty10.conf"

# First, set some global options.
options {
    flush_lines (0);
    time_reopen (10);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (yes);
    keep_hostname (no);
    owner("root");
    group("adm");
    perm(0640);
    stats_freq(1);
};

#TCP_TLS
source tls_net {
    tcp(ip(0.0.0.0) port(6514)
       tls(key-file("/etc/syslog-ng/ssl/server.key")
           cert-file("/etc/syslog-ng/ssl/server.cer")
           peer-verify(optional-untrusted)));
};

destination d_net {
    file("/var/log/HOSTS/$FULLHOST/$YEAR/$MONTH/$DAY/$FACILITY-$LEVEL.log"
    owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
    template ("$DATE $FULLHOST $PROGRAM $TAG [$FACILITY.$LEVEL] $MSG\n") );
};

log { source(tls_net); destination(d_net); };
---------------------------END---------------------------

Reproduce the problem:
-----------------------------------------------------------
- create config file (see above)
- create x509 key pair (server.key, server.cer)
    - set permission - chmod 400 /etc/syslog-ng/ssl/server.*
    - set owner/group (for example): chown 1000:1000 /etc/syslog-ng/ssl/server.cer
- start service syslog-ng
- send TLS request: openssl s_client -connect localhost:6514
- see kernel log (segfault) and log file (no error found in the log files)
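
A pre-start check for the condition described in this report, added here as an example and not part of the original report or of syslog-ng: it extracts the key-file()/cert-file() paths from a config and flags files that are missing, unreadable, or not owned by the expected uid. The function names, the expected-uid argument and the use of GNU stat are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes GNU stat (Linux).

# tls_paths CONFIG
# Print every key-file()/cert-file() path in CONFIG, one per line.
# Commented-out lines are skipped; "-" and "_" spellings are both accepted.
tls_paths() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -oE '(key|cert)[-_]file[[:space:]]*\("[^"]+"\)' |
        sed -E 's/^[^"]*"([^"]+)"\)$/\1/'
}

# check_tls_files CONFIG EXPECTED_UID
# Print one "PROBLEM:" line per finding and return 1 if there is any.
# The readability test applies to the invoking user, so run this as the
# user the daemon runs as.
check_tls_files() {
    conf=$1
    want_uid=$2
    findings=$(tls_paths "$conf" | while IFS= read -r f; do
        if [ ! -e "$f" ]; then
            echo "PROBLEM: $f does not exist"
            continue
        fi
        uid=$(stat -c '%u' "$f")
        mode=$(stat -c '%a' "$f")
        if [ "$uid" != "$want_uid" ]; then
            echo "PROBLEM: $f owned by uid $uid, expected $want_uid (mode $mode)"
        fi
        if [ ! -r "$f" ]; then
            echo "PROBLEM: $f not readable by uid $(id -u)"
        fi
    done)
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Usage: sh check.sh /etc/syslog-ng/syslog-ng.conf 0
if [ $# -ge 2 ]; then
    check_tls_files "$1" "$2"
fi
```

With the directory listing shown in the report and an expected uid of 0, server.cer (owner 1000) is the file that gets flagged.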
