Linux network log file permissions fix: 0644 to 0600

Since release 11.3.5, on linux guests, the vmware-network.log file has root
default	file creation permissions (0644) rather than the expected 0600
permissions.

Fix:
- Adding chmod 0600 on log file creation.
- Adding file creation before first logging.
- Adding handling of unset handler in case switch, default to file logging.
- Adding logging of unknown or bad handler, and using file logging as default.
- Default number of logfiles when network.maxOldLogFiles is set to 0.

diff --git a/open-vm-tools/scripts/linux/network b/open-vm-tools/scripts/linux/network
index 033c88248a823cc90ef8a47d1263a201db2aa738..b8cb92ce30c1b5129b24ee2e52c3e331ce7805fb 100644 (file)
--- a/open-vm-tools/scripts/linux/network
+++ b/open-vm-tools/scripts/linux/network
@@ -1,6 +1,7 @@
 #!/bin/sh -x
 ##########################################################
-# Copyright (c) 2001-2018, 2021, 2023 VMware, Inc. All rights reserved.
+# Copyright (c) 2001-2018, 2021, 2023-2024 Broadcom. All rights reserved.
+# The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
 #
 # This program is free software; you can redistribute it and/or modify it
 # under the terms of the GNU Lesser General Public License as published
@@ -37,6 +38,9 @@ logmode=1
 # Defines whether to rotate logs (1) or not (0)
 logrotate=1
 
+# Defines whether to set log file permissions (1) or not (0)
+logsetperms=1
+
 #
 # Get log file path
 #
@@ -56,23 +60,33 @@ get_logfile() {
 get_logconfig() {
    handler=`vmware-toolbox-cmd config get logging network.handler | \
            sed -e 's/.*= *//' -e 's/ *$//'`
+   if [ -z "${handler##*"UNSET"*}" ]; then
+      # Default unset to file handler
+      handler=file
+   fi
    case $handler in
       "file")
          get_logfile
          ;;
       "file+")
+         # Append to a file instead of recreating each time
          get_logfile
          logrotate=0
          ;;
       "vmx"|"std")
          logrotate=0
+         logsetperms=0
          ;;
       "syslog")
          logfile=/var/log/syslog
          logdir=`dirname $logfile`
          logrotate=0
+         logsetperms=0
          ;;
       *)
+         # Default unknown to 'file' handler, log the issue.
+         `vmtoolsd --cmd "log WARNING: [$SOURCE] Logging unknown network.handler: $handler"`
+         get_logfile
          ;;
    esac
 }
@@ -84,7 +98,12 @@ rotate_logfile() {
    if [ $logrotate -eq 1 ]; then
       max=`vmware-toolbox-cmd config get logging network.maxOldLogFiles | \
           sed -e 's/.*= *//' -e 's/ *$//'`
-      if [ -z "${max##*"UNSET"*}" -o `expr "$max" : '[0-9]\+$'` -eq 0 ]; then
+      if [ `expr "$max" : '[0-9]\+$'` -eq 0 ]; then
+         # max is not numeric (UNSET or else), use default.
+         max=9
+      fi
+      if [ $max -lt 1 ]; then
+         # max must be > 0, use default.
          max=9
       fi
       max=`expr $max - 1`
@@ -123,6 +142,19 @@ log() {
 get_logconfig
 rotate_logfile
 
+if [ $logsetperms -eq 1 ]; then
+   # Create/Recreate logfile
+   if [ ! -e $logfile ]; then
+      touch $logfile
+   fi
+
+   # Set logfile permissions before writing first log to file.
+   # ** When handler is 'file+' and logfile existed prior to execution, this
+   #    updates the permissions before appending to logfile.
+   # ** Otherwise sets permission on new file.
+   chmod 0600 $logfile
+fi
+
 log "Executing '$0 $*'"
 
 . `dirname "$0"`/../../statechange.subr