Wrong permissions cause segfault syslog-ng (with TLS configuration)/ error handling
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
syslog-ng (Ubuntu) | New | Undecided | Unassigned |
Bug Description
System: Ubuntu 14.04 Trusty
Package syslog-ng-core, Version: 3.5.3-1, Arch: amd64 (maybe all)
After sending a TLS request (syslog-ng TLS client, Cisco syslog SSL/TLS client, openssl s_client), the child process crashes with the kernel message:
[155599.792614] syslog-ng[9124]: segfault at 4 ip 00007f5b978f6544 sp 00007fff7a702be8 error 4 in libsyslog-
[155602.728656] syslog-ng[10006]: segfault at 4 ip 00007f5b978f6544 sp 00007fff7a702be8 error 4 in libsyslog-
[155604.200793] syslog-ng[10011]: segfault at 4 ip 00007f5b978f6544 sp 00007fff7a702be8 error 4 in libsyslog-
This problem occurs when the file server.key or server.cer (in config file syslog-ng.conf) has these file permissions (perm: 0400, owner/group: non-root):
-------
dr-x------. root root .
drwxr-xr-x. root root ..
-r--------. 1000 1000 server.cer
-r--------. root root server.key
-------
config file of server (/etc/syslog-
-------
@version: 3.5
@include "scl.conf"
@include "`scl-root`
# First, set some global options.
options {
flush_lines (0);
time_reopen (10);
chain_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (yes);
keep_hostname (no);
owner("root");
group("adm");
perm(0640);
stats_freq(1);
};
#TCP_TLS
source tls_net {
tcp(ip(0.0.0.0) port(6514)
};
destination d_net {
file(
owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
template ("$DATE $FULLHOST $PROGRAM $TAG [$FACILITY.$LEVEL] $MSG\n") );
};
log { source(tls_net); destination(d_net); };
-------
Reproduce the problem:
-------
- create config file (see above)
- create x509 key pair (server.key, server.cer)
- set permission - chmod 400 /etc/syslog-
- set owner/group (for example): chown 1000:1000 /etc/syslog-
- start service syslog-ng
- send TLS request: openssl s_client -connect localhost:6514
- see kernel log (segfault) and log file (no error found in the log files)
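
A preflight check for the situation in this report, as an added example (not part of the bug report and not syslog-ng code): it decides from owner, group and mode bits alone whether a given account can read the key and certificate files, so an owner mismatch like the one in the listing above is caught before the service starts. The function names are hypothetical, GNU `stat` is assumed, and the caller supplies the UID/GID to check and the file paths.

```shell
#!/bin/sh
# Added example (not syslog-ng code). Assumes GNU coreutils stat, as on Ubuntu.

# readable_by_bits UID GID FILE
# Returns 0 if the owner/group/other mode bits alone let UID:GID read FILE,
# 1 if they do not, 2 if FILE cannot be inspected. Supplementary groups, ACLs
# and capability overrides are deliberately ignored.
readable_by_bits() {
    want_uid=$1 want_gid=$2 file=$3
    info=$(stat -c '%u %g %a' -- "$file" 2>/dev/null) || return 2
    set -- $info
    f_uid=$1 f_gid=$2 mode=$((0$3))      # %a is octal, e.g. 400
    if [ "$want_uid" -eq "$f_uid" ]; then
        bit=$((mode & 0400))             # owner class applies
    elif [ "$want_gid" -eq "$f_gid" ]; then
        bit=$((mode & 0040))             # group class applies
    else
        bit=$((mode & 0004))             # everyone else
    fi
    [ "$bit" -ne 0 ]
}

# check_tls_files UID GID FILE...
# Prints one line per file; returns 0 only if every file passes.
check_tls_files() {
    uid=$1 gid=$2; shift 2
    failed=0
    for f in "$@"; do
        rc=0
        readable_by_bits "$uid" "$gid" "$f" || rc=$?
        case $rc in
            0) echo "ok        $f" ;;
            1) echo "no-read   $f (mode bits deny uid $uid)"; failed=1 ;;
            *) echo "missing   $f"; failed=1 ;;
        esac
    done
    return "$failed"
}

# Run as: sh check.sh UID GID FILE...   (hypothetical script name)
if [ $# -ge 3 ]; then check_tls_files "$@"; fi
```

Run it with the UID and GID the daemon uses and the key and certificate paths from syslog-ng.conf; a non-zero exit status means at least one file should be fixed before starting the service.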