Improper Privilege Management in delgan/loguru
Jan 11th 2022
An unprivileged user can read the log file, so any sensitive information written to it is disclosed.
loguru creates a log file to store log records. Logs often contain sensitive information such as usernames, passwords, tokens and keys, so the log file should not be accessible to other users.
However, when loguru creates the log file, its permissions are
-rw-rw-r-- 1 user user 345 Jan 11 14:47 combined.log
which any local user can read.
A Linux system may have many users with different privileges, but every one of them can read this log file. loguru does not restrict the mode of the file it creates: the file gets whatever mode the process umask leaves from 0666 (here evidently umask 002, giving 664), and the usual umasks all leave the "other" read bit set.
STEPS TO REPRODUCE
Run the code below:

from loguru import logger

data = "Data to be logged , password123 is incorrect"  # sensitive data that ends up in the log
logger.add("combined.log")  # creates the log file; mode is left to the umask, so it is world-readable
logger.info(data)
combined.log is created containing all of the log output.
Check the file permissions:
user@user-xx:~$ ls -lh combined.log
-rw-rw-r-- 1 user user 345 Jan 11 14:47 combined.log
So the file is readable by every user on the system, and any of them can read the log. Most web servers, loggers and similar software write their logs to files that are accessible only to the user that created them, but in this case the file is readable by all users.
The log file should be created with permissions that allow access only to the user who created it (or root), for example mode 0600, rather than the mode the umask happens to leave.
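The following is an added example, not code from the original report or from the loguru project. It shows the umask behaviour described above (default open() under umask 002 yields 664), the fix of creating the file with mode 0600 via an opener, a check that flags log files readable by group or others, and a chmod for a log file that already exists with loose permissions. The loguru call at the end assumes, as loguru's documentation describes, that keyword arguments passed to logger.add() for a file sink are forwarded to the built-in open(); it is guarded so the rest of the script runs without loguru installed. Mode bits are POSIX semantics; on Windows the numbers below do not apply.

```python
import os
import stat
import tempfile


def restricted_opener(path, flags):
    """opener= callback for open(): create the file with mode 0600.

    The umask can only clear bits, so 0o600 & ~umask is never more
    permissive than 0o600 regardless of the process umask.
    Only affects creation; an existing file keeps its old mode.
    """
    return os.open(path, flags, 0o600)


def file_mode(path):
    """Permission bits of a file as an int (e.g. 0o664)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def readable_by_others(path):
    """True if the file is readable by its group or by everyone."""
    return bool(file_mode(path) & (stat.S_IRGRP | stat.S_IROTH))


def write_default(path, line):
    """What a plain open() does: mode 0666 minus the umask."""
    with open(path, "a") as f:
        f.write(line + "\n")


def write_restricted(path, line):
    """Same write, but the file is created 0600 via the opener."""
    with open(path, "a", opener=restricted_opener) as f:
        f.write(line + "\n")


def harden_existing(path):
    """Fix a log file that was already created with loose permissions."""
    os.chmod(path, 0o600)
    return file_mode(path)


def demo(umask=0o002):
    """Create both files under the given umask and report their modes.

    Returns a dict with the mode and exposure of the default file, the
    mode after chmod, and the mode and exposure of the restricted file.
    """
    # Constructed sample log line standing in for the report's "password123".
    line = "Data to be logged , password123 is incorrect"
    old_umask = os.umask(umask)  # umask is process-global; restore it afterwards
    try:
        with tempfile.TemporaryDirectory() as d:
            default_path = os.path.join(d, "combined.log")
            restricted_path = os.path.join(d, "combined-0600.log")
            write_default(default_path, line)
            write_restricted(restricted_path, line)
            result = {
                "default_mode": file_mode(default_path),
                "default_exposed": readable_by_others(default_path),
                "restricted_mode": file_mode(restricted_path),
                "restricted_exposed": readable_by_others(restricted_path),
            }
            result["default_after_chmod"] = harden_existing(default_path)
            return result
    finally:
        os.umask(old_umask)


def add_restricted_loguru_sink(path):
    """Assumption: loguru forwards extra keyword arguments of add() to open(),
    so the same opener restricts the file loguru creates. Requires loguru."""
    from loguru import logger
    return logger.add(path, opener=restricted_opener)


if __name__ == "__main__":
    for mask in (0o002, 0o022):
        r = demo(mask)
        print(f"umask {mask:03o}: default {r['default_mode']:o} "
              f"(exposed={r['default_exposed']}), "
              f"restricted {r['restricted_mode']:o} "
              f"(exposed={r['restricted_exposed']})")
    try:
        add_restricted_loguru_sink("combined-0600.log")
    except ImportError:
        print("loguru not installed; skipping the loguru sink")
```

The opener only matters when the file is created, which is why harden_existing() is included: a combined.log that already exists as 664 stays 664 until it is chmod'ed, and a rotated file is a new creation that the opener covers again. The readable_by_others() check is the condition a deployment audit script should alert on for any log file that may carry secrets.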