| Version | Supported |
|---|---|
| 1.1.x | Yes |
| 1.0.x | No (critical vulnerabilities) |
If you discover a security vulnerability in ulog, please report it responsibly:
- Do not open a public GitHub issue
- Email: abu@matterize.io
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will respond within 48 hours and work with you to understand and address the issue.
ulog is designed for logging serial data from USB devices in trusted environments. The security model assumes:
- The system administrator controls
/etc/ulog.conf - The USB device is trusted
- Local users may be untrusted
| Component | Trust Level |
|---|---|
/etc/ulog.conf |
Root-only write, ulog group read |
/usr/bin/ulog |
Runs as ulog user |
/usr/bin/ulog-genconfig |
Runs as root |
/var/log/ttyUSB0/ |
Owned by ulog user |
| Serial device | Trusted input |
All configuration values are strictly validated:
- DEVICE: Must match
^/dev/tty[A-Za-z]+[0-9]*$ - BAUD: Must be numeric and in whitelist (300-921600)
- LOG_DIR: Must be under
/var/log/, no path traversal
- Service runs as dedicated
uloguser (not root) uloguser is indialoutgroup for serial access- Config file owned by root, readable by ulog group
The generated service includes:
User=ulog
Group=ulog
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
CapabilityBoundingSet=
PrivateDevices=no
DeviceAllow=/dev/ttyUSB0 rw
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
MemoryDenyWriteExecute=yes
RestrictAddressFamilies=AF_UNIX
LockPersonality=yesConfiguration files are parsed safely without shell execution:
- No
sourceorevalof config files - Key-value parsing with strict validation
- Unknown keys are rejected
- Log files created with
0640permissions - Symlink attacks prevented by checking before creation
- Atomic file writes for config generation
- Path traversal blocked
- Serial data is not encrypted: Data is logged as-is from the device
- No authentication: Anyone with access to logs can read them
- Device trust: Malicious USB devices could send crafted data
- Fixed: Arbitrary code execution via config sourcing (VULN-001)
- Fixed: Command injection via DEVICE parameter (VULN-002)
- Fixed: Command injection via BAUD parameter (VULN-003)
- Fixed: Path traversal via LOG_DIR (VULN-004)
- Fixed: Udev rule injection (VULN-005)
- Fixed: Environment variable config override (VULN-006)
- Added: Comprehensive systemd hardening (VULN-007)
- Fixed: Symlink attacks on log files (VULN-009)
- Fixed: Non-atomic config writes (VULN-010)
- Added: Dedicated service user
- Initial release (contains critical vulnerabilities - do not use)
A full security audit was performed on v1.0.0, identifying 10 vulnerabilities. All critical and high severity issues have been addressed in v1.1.0.
The full vulnerability report is available in ulog-vuln.md.