logrotate template creates world readable logs by default

Bug #1993146 reported by DUFOUR Olivier
Affects              Status          Importance   Assigned to      Milestone
MySQL Router Charm   Fix Committed   Undecided    DUFOUR Olivier   -
Jammy                Fix Released    Undecided    Unassigned       -

Bug Description

This is related to CIS hardening deployment.
Logrotated files should not be world readable, but they are still created with the default rule of 0644 from the logrotate template.

This has been seen on:
- Ubuntu: Focal
- Channel: 8.0/stable

ubuntu@juju-068a6d-0-lxd-8:~$ cat /etc/logrotate.d/octavia-mysql-router
/var/lib/mysql/*/log/*.log {
        rotate 9
        notifempty
        size 10M
        create 0644 mysql mysql
        postrotate
        kill -HUP $(pidof mysqlrouter)
        endscript
}

Updating the logrotate template to create files with 0640 should be sufficient, since "/var/lib/mysql/*/log" is restricted to the mysql user anyway, as here:
root@juju-068a6d-0-lxd-8:~# ls /var/lib/mysql/octavia-mysql-router/log/ -la
total 44
drwx------ 2 mysql mysql 4096 Oct 13 02:52 .
drwx------ 5 mysql mysql 4096 Oct 13 02:54 ..
-rw-r--r-- 1 mysql mysql 29843 Oct 13 06:18 mysqlrouter.log

Changed in charm-mysql-router:
assignee: nobody → DUFOUR Olivier (odufourc)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-mysql-router (master)
DUFOUR Olivier (odufourc) wrote :

It seems that mysql-router creates a world readable file during initialisation and doesn't care about the system umask.

That shouldn't be an issue in the long term, since logrotate will make the file disappear and the parent directory is only reachable by the mysql user.

The provided fix should be enough to stop CIS complaining about rule 4.4 "Ensure logrotate assigns appropriate permissions".

Tested without issues on Focal and Jammy deployment.
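As an added example (not code from the charm or from this bug report), a small Python audit of logrotate config text: it flags `create` directives whose mode grants world read, the CIS 4.4 complaint above, and rewrites them with the "other" bits cleared, as the fix here changes 0644 to 0640. The config text is constructed after the `octavia-mysql-router` stanza quoted in the description, with a second hypothetical block added.

```python
"""Audit logrotate 'create' directives for world-readable modes (CIS 4.4 style check)."""
import stat

SCRIPT_KEYWORDS = {"prerotate", "postrotate", "firstaction", "lastaction", "preremove"}
OTHER_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH
OCTAL = set("01234567")

# Constructed sample: first block mirrors the charm's template from the report,
# second block is a hypothetical, already-compliant stanza.
SAMPLE_CONFIG = """\
/var/lib/mysql/*/log/*.log {
        rotate 9
        notifempty
        size 10M
        create 0644 mysql mysql
        postrotate
        kill -HUP $(pidof mysqlrouter)
        endscript
}
/var/log/example-app/*.log {
        create 0640 root adm
}
"""


def audit_logrotate(config_text):
    """Return (findings, hardened_text).

    findings: list of (log_globs, mode_string) for each 'create' directive
    whose mode grants world read (o+r).
    hardened_text: the config with the 'other' bits of those modes cleared;
    every other line is left exactly as it was.
    """
    findings, out, paths, in_script = [], [], "", False
    for line in config_text.splitlines():
        s = line.strip()
        parts = s.split()
        if in_script:                       # inside postrotate/prerotate: shell, not directives
            in_script = s != "endscript"
        elif s.endswith("{"):               # block start: remember its log globs
            paths = s[:-1].strip()
        elif parts and parts[0] in SCRIPT_KEYWORDS:
            in_script = True
        elif len(parts) >= 2 and parts[0] == "create" and set(parts[1]) <= OCTAL:
            mode = int(parts[1], 8)
            if mode & stat.S_IROTH:         # world readable: record and clear o=rwx
                findings.append((paths, parts[1]))
                line = line.replace(parts[1], f"{mode & ~OTHER_BITS:04o}", 1)
        out.append(line)
    return findings, "\n".join(out) + ("\n" if config_text.endswith("\n") else "")
```

Run it over the text of each file under /etc/logrotate.d to get the list of offending stanzas and a hardened copy to diff against the original.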

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-mysql-router (master)

Reviewed: https://review.opendev.org/c/openstack/charm-mysql-router/+/861693
Committed: https://opendev.org/openstack/charm-mysql-router/commit/cd2738e4a73996058d87d50d397550b60bc06fba
Submitter: "Zuul (22348)"
Branch: master

commit cd2738e4a73996058d87d50d397550b60bc06fba
Author: Olivier Dufour-Cuvillier <email address hidden>
Date: Tue Oct 18 12:19:55 2022 +0900

    Update logrotate template to create 0640 log files

    CIS Hardening will complain if logrotate is configured to
    create world readable log files.
    The directory containing log files has restricted access
    to the mysql user only anyway

    Closes-bug: #1993146
    Change-Id: If346ebb7bdb1839b2ec83d991840b559c5c0c3e4

Changed in charm-mysql-router:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-mysql-router (stable/jammy)

Fix proposed to branch: stable/jammy
Review: https://review.opendev.org/c/openstack/charm-mysql-router/+/862722

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-mysql-router (stable/jammy)

Reviewed: https://review.opendev.org/c/openstack/charm-mysql-router/+/862722
Committed: https://opendev.org/openstack/charm-mysql-router/commit/82aa2fda3844770e6ebb481a2810d47e14bccdf5
Submitter: "Zuul (22348)"
Branch: stable/jammy

commit 82aa2fda3844770e6ebb481a2810d47e14bccdf5
Author: Olivier Dufour-Cuvillier <email address hidden>
Date: Tue Oct 18 12:19:55 2022 +0900

    Update logrotate template to create 0640 log files

    CIS Hardening will complain if logrotate is configured to
    create world readable log files.
    The directory containing log files has restricted access
    to the mysql user only anyway

    Closes-bug: #1993146
    Change-Id: If346ebb7bdb1839b2ec83d991840b559c5c0c3e4
    (cherry picked from commit cd2738e4a73996058d87d50d397550b60bc06fba)
