Improper Privilege Management in delgan/loguru
Jan 11th 2022
unprivileged user can see log file and sensitive information disclosed
loguru create log file to store the log . Log may contain many sentsitive information like username,password,token,key etc .
So, this log file should not accessed by other user .
But when loguru create log file then file permission is
-rw-rw-r-- 1 user user 345 Jan 11 14:47 combined.log which can be access by any user.
In linux system there may be many user with different privileged . but any user can see this log file .
STEP TO RERPODUCE
run bellow code
from loguru import logger data="Data to be logged , password123 is incorrect" #sensitive data logging logger.add("combined.log") #creating log file with insecure permission logger.info(data)
combined.log file will be created with all log information .
check file permission
user@user-xx:~$ ls -lh combined.log -rw-rw-r-- 1 user user 345 Jan 11 14:47 combined.log
So, this file has read permission for all system user . Thus any user can read this log file .I see mostly all webserver , logger etc log there info in a file and it is only accessed by current user who created the file . But in this case it has read permission for all user .
You should change the logfile permision to be access only by current user who crated the file or sudo user .
Loguru uses the same default permissions as any other Python logging library (especially the standard one).
However, one can easily configure Loguru to use the preferred file permissions:
def opener(file, flags): return os.open(file, flags, 0o600) logger.add("combined.log", opener=opener)
Loguru is perfectly secure to use. I'll add a word in the documentation about that.
Thanks for reply. Can you plz change the report status by validating it.
def opener(file, flags): return os.open(file, flags, 0o600) logger.add("combined.log", opener=opener
Don't know that there is handler for changing the permission. But default permission 600 would be better because most of users don't change the file permission manually. Thanks again
I'm not sure I should validate the security report, because that would acknowledge that Loguru contains CWE-269 weakness, right?
This is an issue qualified as "High Severity" yet we both agreed that Loguru does not contain such issue per se. I'm afraid it will confuse the user into thinking that Loguru is not secure.
Can the severity be somehow lowered?
@maintainer I just lowered the severity to 5.4 . Is this ok?
Sorry it's 4.3 severity now
Hi @maintainer any update?
Sorry for the delay and thanks for lowering the severity. ;)