glog: have createInDir fail if the file already exists

This prevents an attack like the one described
[here](https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File#:~:text=On%20Unix%20based,with%20elevated%20permissions.).
An unprivileged attacker could use symlinks to trick a privileged
logging process to follow a symlink from the log dir and write logs over
an arbitrary file.

The components of the log names are program, host, username, tag, date,
time and PID. These are all predictable. It's not at all unusual for the
logdir to be writable by unprivileged users, and one of the fallback
directories (/tmp) traditionally has broad write privs with the sticky
bit set on Unix systems.

As a concrete example, let's say I've got a glog-enabled binary running
as a root cronjob. I can gauge when that cron job will run and then use
a bash script to spray the log dir with glog-looking symlinks to
`/etc/shadow` with predicted times and PIDs. When the cronjob runs, the
`os.Create` call will follow the symlink, truncate `/etc/shadow` and
then fill it with logs.

This change defeats that by setting `O_EXCL`, which will cause the open
call to fail if the file already exists.

Fixes CVE-2024-45339

cl/712795111 (google-internal)
2 files changed
tree: c9542ff1ed288a9efef870731107908e957f1be3
  1. internal/
  2. glog.go
  3. glog_bench_test.go
  4. glog_context_test.go
  5. glog_file.go
  6. glog_file_linux.go
  7. glog_file_nonwindows.go
  8. glog_file_other.go
  9. glog_file_posix.go
  10. glog_file_windows.go
  11. glog_flags.go
  12. glog_test.go
  13. glog_vmodule_test.go
  14. go.mod
  15. go.sum
  16. LICENSE
  17. README.md
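The failure mode described in the commit message, reproduced inside a scratch directory as an added example (not code from the glog repository). The helper names, the stand-in target file and the log file name are constructed for illustration, and a Unix-like system where symlinks can be created is assumed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// writeLog opens name with the given flags and writes one line, as a logger would.
func writeLog(name string, flags int) error {
	f, err := os.OpenFile(name, flags, 0o666)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.WriteString("log line\n")
	return err
}

const (
	beforeFlags = os.O_RDWR | os.O_CREATE | os.O_TRUNC // what os.Create uses: follows a symlink
	afterFlags  = beforeFlags | os.O_EXCL              // refuses any existing name, symlinks included
)

// demo pre-plants a symlink at a predictable log name, then reports the target's content and whether the open was refused.
func demo(flags int) (target string, refused bool, err error) {
	dir, err := os.MkdirTemp("", "glog-excl-demo")
	if err != nil {
		return "", false, err
	}
	defer os.RemoveAll(dir)
	victim := filepath.Join(dir, "victim.txt") // constructed stand-in for a sensitive file
	logName := filepath.Join(dir, "prog.host.user.log.INFO.20250101-000000.1234") // constructed
	if err = os.WriteFile(victim, []byte("important\n"), 0o600); err == nil {
		err = os.Symlink(victim, logName)
	}
	if err != nil {
		return "", false, err
	}
	openErr := writeLog(logName, flags)
	data, err := os.ReadFile(victim)
	return string(data), errors.Is(openErr, os.ErrExist), err
}

func main() {
	for _, flags := range []int{beforeFlags, afterFlags} {
		fmt.Println(demo(flags))
	}
}
```

With `beforeFlags` the stand-in target ends up holding the log line; with `afterFlags` the open is refused and the target is untouched.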
README.md

glog

Leveled execution logs for Go.

This is an efficient pure Go implementation of leveled logs in the manner of the open source C++ package glog.

By binding methods to booleans it is possible to use the log package without paying the expense of evaluating the arguments to the log. Through the -vmodule flag, the package also provides fine-grained control over logging at the file level.

The comment from glog.go introduces the ideas:

Package glog implements logging analogous to the Google-internal C++ INFO/ERROR/V setup. It provides the functions Info, Warning, Error, Fatal, plus formatting variants such as Infof. It also provides V-style logging controlled by the -v and -vmodule=file=2 flags.

Basic examples:

    glog.Info("Prepare to repel boarders")

    glog.Fatalf("Initialization failed: %s", err)

See the documentation for the V function for an explanation of these examples:

    if glog.V(2) {
    	glog.Info("Starting transaction...")
    }
    glog.V(2).Infoln("Processed", nItems, "elements")

The repository contains an open source version of the log package used inside Google. The master copy of the source lives inside Google, not here. The code in this repo is for export only and is not itself under development. Feature requests will be ignored.

Send bug reports to golang-nuts@googlegroups.com.