Security and privacy

security issue with the syslog for moodle

 
Picture of Mahmood Naderan
security issue with the syslog for moodle
 

Hi,

As I see the output of /var/log/syslog, I see


Sep 13 23:24:02 ce sm-mta[29338]: v8DIs2nc029337: to=armin, ctladdr=<root@oursite> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=38530, dsn=2.0.0, stat=Sent
Sep 13 23:25:01 ce CRON[29422]: (root) CMD (curl http://oursite/courses/admin/cron.php?password=****)


where **** is the plain text of the password! how that can be avoided?

 
Average of ratings: -
Picture of Ken Task
Re: security issue with the syslog for moodle
Group Particularly helpful Moodlers

Kinda created your own security concern ... first ... who can get to syslog?  I would hope only root/users on the moodle server.   But by forwarding root email to a user off the server ... now the mail is in another mail server and under another users control.

Solutions? ....

1. never forward root email to another user off the server.   Use ssh and alpine (a text based MTA) to check root mail.   Of course that will soon slide off the list of things to do and the root inbox could build up to fill up the hard drive if limits are not set in sendmail/postfix.

Use another tool ... like Webmin ... that has other handy modules for admin of a Linux server.  One tool ... read user mail ... ie, roots mail.

Set up another bash shell script to check size of root inbox and if over 40Megs, remove it.   But then you have no history of where Moodle cron/task might have gone south (the ole 'catch 22').

2. investigate the 'quiet' option to the curl command.

if #2 then #3. use  (pipe) | tee to log the output of curl to a moodlecron.log which would also be rotated by log rotate.   Now you just have to remember to check the logs from time to time.

So you have options and no code need be changed. ;)

'spirit of sharing', Ken

 
Average of ratings: -
Picture of Dan Marsden
Re: security issue with the syslog for moodle
Group Core developersGroup Moodle Course Creator Certificate holdersGroup Particularly helpful MoodlersGroup Plugin developersGroup Plugins guardiansGroup TestersGroup Translators

...or you could stop using http to trigger your cron via the web and call it on the command line of your server which doesn't use the password at all and is generally the better way to do it.

https://docs.moodle.org/en/Cron#Setting_up_cron_on_your_system

 
Average of ratings: Useful (2)
Picture of Mahmood Naderan
Re: security issue with the syslog for moodle
 

Thank you very much for the replies.

So you mean I have to put

/usr/bin/php /path/to/moodle/admin/cli/cron.php

in /etc/crontab?

 
Average of ratings: -