Changed default file modes from 0o644 to 0o600 for better security

log4js-node · Jan 16, 2022 · 8042252 · 8042252
1 parent 750c661
commit 8042252
Show file tree

Hide file tree

Showing 6 changed files with 10 additions and 5 deletions.
diff --git a/docs/dateFile.md b/docs/dateFile.md
@@ -11,7 +11,7 @@ This is a file appender that rolls log files based on a configurable time, rathe
 
 Any other configuration parameters will be passed to the underlying [streamroller](https://github.com/nomiddlename/streamroller) implementation (see also node.js core file streams):
 * `encoding` - `string` (default "utf-8")
-* `mode`- `integer` (default 0o644 - [node.js file modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes))
+* `mode`- `integer` (default 0o600 - [node.js file modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes))
 * `flags` - `string` (default 'a')
 * `compress` - `boolean` (default false) - compress the backup files during rolling (backup files will have `.gz` extension)
 * `alwaysIncludePattern` - `boolean` (default false) - include the pattern in the name of the current log file as well as the backups.

diff --git a/docs/file.md b/docs/file.md
@@ -12,7 +12,7 @@ The file appender writes log events to a file. It supports an optional maximum f
 
 Any other configuration parameters will be passed to the underlying [streamroller](https://github.com/nomiddlename/streamroller) implementation (see also node.js core file streams):
 * `encoding` - `string` (default "utf-8")
-* `mode`- `integer` (default 0o644 - [node.js file modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes))
+* `mode`- `integer` (default 0o600 - [node.js file modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes))
 * `flags` - `string` (default 'a')
 * `compress` - `boolean` (default false) - compress the backup files during rolling (backup files will have `.gz` extension)
 * `keepFileExt` - `boolean` (default false) - preserve the file extension when rotating log files (`file.log` becomes `file.1.log` instead of `file.log.1`)

diff --git a/docs/fileSync.md b/docs/fileSync.md
@@ -12,7 +12,7 @@ The sync file appender writes log events to a file, the only difference to the n
 
 Any other configuration parameters will be passed to the underlying node.js core stream implementation:
 * `encoding` - `string` (default "utf-8")
-* `mode`- `integer` (default 0644)
+* `mode`- `integer` (default 0600)
 * `flags` - `string` (default 'a')
 
 ## Example

diff --git a/lib/appenders/dateFile.js b/lib/appenders/dateFile.js
@@ -49,7 +49,6 @@ function appender(
 
 function configure(config, layouts) {
   let layout = layouts.basicLayout;
-
   if (config.layout) {
     layout = layouts.layout(config.layout.type, config.layout);
   }
@@ -58,6 +57,9 @@ function configure(config, layouts) {
     config.alwaysIncludePattern = false;
   }
 
+  // security default (instead of relying on streamroller default)
+  config.mode = config.mode || 0o600;
+
   return appender(
     config.filename,
     config.pattern,

diff --git a/lib/appenders/file.js b/lib/appenders/file.js
@@ -110,6 +110,9 @@ function configure(config, layouts) {
     layout = layouts.layout(config.layout.type, config.layout);
   }
 
+  // security default (instead of relying on streamroller default)
+  config.mode = config.mode || 0o600;
+
   return fileAppender(
     config.filename,
     layout,

diff --git a/lib/appenders/fileSync.js b/lib/appenders/fileSync.js
@@ -192,7 +192,7 @@ function configure(config, layouts) {
   const options = {
     flags: config.flags || 'a',
     encoding: config.encoding || 'utf8',
-    mode: config.mode || 0o644
+    mode: config.mode || 0o600
   };
 
   return fileAppender(