Grid Security Vulnerability Group - Advisory

Topic: The gridftp log can be accessed via gridftp
Date: drafted 2007-06-11, updated 2010-08-18
ID: Grid Vulnerability Savannah bug #26934

-- Background
The GridFTP protocol is used to transfer files in the grid environment.

-- Affected Software
gLite 3.1, gLite 3.2

-- Affected Components
Services employing the globus-gridftp-server:
  glite-CREAM
  glite-SE_dpm_disk
  glite-SE_dpm_mysql
  glite-VOBOX
  glite-WMS
  lcg-CE
The dCache node types are not affected, since the dCache GridFTP server does not allow access outside of the dCache name space.

-- Vulnerability Details
The GridFTP log files may be downloaded through GridFTP. They may contain information that certain application communities wish to keep confidential, e.g. certificate subjects or the names of the files transferred.

-- Grid Security Vulnerability Group Response
The Grid Security Vulnerability Group considers this 'low' risk.

-- Precautionary measures or checks
In the absence of a patch, a possible solution would be to:
  - add a umask set to 006 in the /etc/init.d/globus-gridftp script, and/or
  - in /etc/logrotate.d/globus-gridftp add a line "create 0640 root root" so that each subsequent log file is pre-created with the correct mode

-- Other information
updated 2010-08-18: This has recently been discussed again. A solution is proposed above.

-- Credit
This vulnerability was initially reported by Emanouil Atanassov as GGUS ticket 22850.

-- Disclosure Timeline
2007-06-04  Vulnerability reported by Emanouil Atanassov
2007-06-11  Initial response from the Grid Security Vulnerability Group
2008-08-14  Included in list of unresolved issues to EGEE.
2010-08-18  Public disclosure

-- References
If applicable
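The two precautionary measures above both come down to the same property: the log file must not carry the "other" read bit, because that is what lets the file be served to any GridFTP client that can name its path. The following shell script is an added example, not part of the advisory or of the gLite/Globus packages; it checks that property on a given file and shows the effect of the proposed umask on newly created files. The file paths are placeholders to be replaced by the deployment's own log locations.

```shell
#!/bin/sh
# Added example (not from the advisory). Checks whether a file is readable by
# "other" users, which is the exposure the advisory describes for GridFTP logs,
# and demonstrates the effect of the umask 006 proposed for the init script.

# Return 0 if the file's mode has no "other" read bit, 1 if it does,
# 2 if the file does not exist. Prints a one-line verdict either way.
log_mode_is_private() {
    f="$1"
    [ -e "$f" ] || { echo "missing: $f"; return 2; }
    # GNU stat first; fall back to the BSD/macOS form.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    other=$(( mode % 10 ))          # last octal digit = "other" permissions
    if [ $(( other & 4 )) -ne 0 ]; then
        echo "world-readable (mode $mode): $f"
        return 1
    fi
    echo "ok (mode $mode): $f"
    return 0
}

# Show what "umask 006" in the service start script does: a file created with
# the default 0666 request ends up 0660, so "other" cannot read it.
# Uses a constructed temporary directory, not a real log.
create_under_umask() {
    d=$(mktemp -d)
    ( umask 006; : > "$d/new.log" )
    log_mode_is_private "$d/new.log"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Walk the usual candidates (placeholder paths; adjust for the site) and report
# any log that is still world-readable. Exit status is non-zero if any is.
audit_gridftp_logs() {
    bad=0
    for f in /var/log/globus-gridftp.log /var/log/gridftp-auth.log; do
        log_mode_is_private "$f"
        [ $? -eq 1 ] && bad=1
    done
    return $bad
}

# The matching logrotate stanza would be, as the advisory states:
#   /var/log/globus-gridftp.log {
#       create 0640 root root
#   }
```

Run `audit_gridftp_logs` as a periodic check after applying the umask and logrotate changes; a rotated file that comes back with mode 644 means the `create` line was not picked up by logrotate.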