Opens auditlog files and directories with the correct mode

Respecting the directives: SecAuditLogStorageDir and SecAuditLogFileMode
2025-08-13 13:26:01 +03:00 · 2015-07-10 18:38:12 -03:00 · 2015-07-10 18:38:12 -03:00 · 5e33a1a3c4
commit 5e33a1a3c4
parent c9620ac50f
7 changed files with 36 additions and 20 deletions
--- a/src/audit_log.cc
+++ b/src/audit_log.cc
@ -35,13 +35,13 @@ namespace ModSecurity {


 bool AuditLog::setStorageDirMode(int permission) {
-    this->m_storage_permission = permission;
+    this->directoryPermission = permission;
    return true;
 }


 bool AuditLog::setFileMode(int permission) {
-    this->m_file_permissions = permission;
+    this->filePermission = permission;
    return true;
 }

--- a/src/audit_log.h
+++ b/src/audit_log.h
@ -41,7 +41,9 @@ class AuditLog {
            | HAuditLogPart | ZAuditLogPart),
        m_type(ParallelAuditLogType),
        m_writer(NULL),
-        m_relevant("")
+        m_relevant(""),
+        filePermission(0600),
+        directoryPermission(0600)
        { }

    enum AuditLogType {
@ -166,11 +168,12 @@ class AuditLog {
    std::string m_path2;
    std::string m_storage_dir;

+    int filePermission;
+    int directoryPermission;
+
 private:
    AuditLogStatus m_status;

-    int m_file_permissions;
-    int m_storage_permission;

    int m_parts;
    AuditLogType m_type;
--- a/src/audit_log_writer.h
+++ b/src/audit_log_writer.h
@ -18,9 +18,6 @@

 #ifdef __cplusplus
 #include <string>
-#include <iostream>
-#include <sstream>
-#include <fstream>
 #endif

 #include "modsecurity/assay.h"
@ -32,7 +29,7 @@ namespace ModSecurity {
 class AuditLog;

 /** @ingroup ModSecurity_CPP_API */
-class AuditLogWriter : public std::ofstream {
+class AuditLogWriter {
 public:
    explicit AuditLogWriter(AuditLog *audit)
        : m_audit(audit) { }
--- a/src/audit_log_writer_parallel.cc
+++ b/src/audit_log_writer_parallel.cc
@ -18,6 +18,9 @@
 #include <time.h>
 #include <stdio.h>
 #include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>

 #include <fstream>

@ -72,24 +75,35 @@ bool AuditLogWriterParallel::close() {


 bool AuditLogWriterParallel::write(Assay *assay) {
+    FILE *fp;
+    int fd;
    std::string log = assay->to_json(0);
    std::string fileName = logFilePath(&assay->timeStamp,
        YearMonthDayDirectory | YearMonthDayAndTimeDirectory
        | YearMonthDayAndTimeFileName);
-    fileName = fileName + "-" + assay->id;

    std::string logPath = m_audit->m_storage_dir;
+    fileName = logPath + fileName + "-" + assay->id;
+
+    if (logPath.empty()) {
+      return false;
+    }

    createDir((logPath +
-        logFilePath(&assay->timeStamp, YearMonthDayDirectory)).c_str());
+        logFilePath(&assay->timeStamp, YearMonthDayDirectory)).c_str(),
+        m_audit->directoryPermission);
    createDir((logPath +
        logFilePath(&assay->timeStamp, YearMonthDayDirectory
-            | YearMonthDayAndTimeDirectory)).c_str());
+            | YearMonthDayAndTimeDirectory)).c_str(),
+        m_audit->directoryPermission);

-    std::ofstream f;
-    f.open(logPath + fileName, std::fstream::out | std::fstream::app);
-    f << log;
-    f.close();
+    fd = open(fileName.c_str(), O_CREAT | O_WRONLY, m_audit->filePermission);
+    if (fd < 0) {
+        return false;
+    }
+    fp = fdopen(fd, "w");
+    fwrite(log.c_str(), log.length(), 1, fp);
+    fclose(fp);

    return true;
 }
--- a/src/utils.cc
+++ b/src/utils.cc
@ -69,11 +69,11 @@ std::string ascTime(time_t *t) {
 }


-void createDir(std::string dir) {
+void createDir(std::string dir, int mode) {
 #if defined _MSC_VER
    _mkdir(dir.data());
 #elif defined __GNUC__
-    mkdir(dir.data(), 0777);
+    mkdir(dir.data(), mode);
 #endif
 }

--- a/src/utils.h
+++ b/src/utils.h
@ -27,7 +27,7 @@ namespace ModSecurity {
    double random_number(const double from, const double to);
    double generate_assay_unique_id();
    std::string ascTime(time_t *t);
-    void createDir(std::string dir);
+    void createDir(std::string dir, int mode);
 }  // namespace ModSecurity

 #define SRC_UTILS_H_
--- a/test/test-cases/regression/auditlog.json
+++ b/test/test-cases/regression/auditlog.json
@ -51,7 +51,9 @@
      "SecRule ARGS \"@contains test\" \"t:trim,block,auditlog\"",
      "SecAuditEngine RelevantOnly",
      "SecAuditLogParts ABCFHZ",
-      "SecAuditLogStorageDir /tmp",
+      "SecAuditLogStorageDir /tmp/test",
+      "SecAuditLogDirMode 0766",
+      "SecAuditLogFileMode 0600",
      "SecAuditLogRelevantStatus \"^(?:5|4(?!04))\""
    ]
  }