[Bug 751358] New: logrotate gets EBADF when doing copytruncate
- From: bugzilla_noreply@xxxxxxxxxx
- Date: Thu, 8 Mar 2012 23:24:28 +0000
- Message-id: <bug-751358-21960@http.bugzilla.novell.com/>
https://bugzilla.novell.com/show_bug.cgi?id=751358
https://bugzilla.novell.com/show_bug.cgi?id=751358#c0
Summary: logrotate gets EBADF when doing copytruncate
Classification: openSUSE
Product: openSUSE 11.4
Version: Final
Platform: x86-64
OS/Version: openSUSE 11.4
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@xxxxxxxxxxxxxxxxxxxxxx
ReportedBy: jimc@xxxxxxxxxxxxx
QAContact: qa@xxxxxxx
Found By: Community User
Blocker: ---
Package: logrotate-3.7.9-6.9.1.x86_64
From patch: 5744
Referring to: bug 677335
The new /usr/sbin/logrotate gets EBADF (bad file descriptor) when copying a log
file for copytruncate. It opens the log on FD 3, but it tries to read FD
131075 (2^17+3). To see this, in the attached strace output search for EBADF.
Also attached is /etc/logrotate.conf and the included Apache conf file. This
happens on two files, believed to be the only two that met the rotation
criteria and were supposed to be copytruncated.
The error message 'error: "/var/log/cups" has insecure permissions. It must be
owned and...' is both prolix and uninformative. I would suggest something
along the lines of: 'error: executing as root:root but "/var/log/cups" is
writeable by lp:lp. In /etc/logrotate.d/cups.J add "su lp lp".' The man page's
description of the "su" declaration could also be better, for example:
su user group: The program sets its effective user and group IDs to the given
identities when renaming, copying, compressing or truncating files, or when
running scripts (prerotate, postrotate, etc.). Logrotate will only do file
operations if its effective user ID (and group?) matches the owner of the
directory, and if only the owner (and/or group?) can write to the directory.
"su" is not needed if logrotate runs as root (the normal case) and the
directory is owned, and only writeable, by root (and group?).
You also need to describe in the man page the new policy about symlinks, which
I have not reverse engineered by experiment.
It would make a lot of sense to have an "auto su" command: switch to the user
and group of the containing directory without having to list them explicitly in
the conf file. This would also future-proof the configuration when the service
is fixed to deal with a root-owned log directory.
A non-backward-compatible package upgrade like this would normally be
restricted to a distro version upgrade. This sysadmin is not happy at needing
to make an instant response for a potential security issue which is not
normally a threat and which is not being exploited in the wild. And if you do
withdraw the patch, the old version is not forward compatible: people who have
figured out how to use "su" will have to take it out again. Due to the EBADF
issue I'm reverting this patch, the first time in six years that I've rejected
a SuSE patch.
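
An added example, not part of the original report and not logrotate's code: a small Python audit that flags log directories in the terms the reporter's suggested error message uses and builds the matching "su" line. The rule it applies is an assumption taken from the report's wording, not from logrotate's source, and audit_log_dir is a hypothetical helper name.

```python
import grp
import os
import pwd
import stat
import tempfile


def _name(lookup, ident, field):
    """Resolve a uid/gid to a name, falling back to the number."""
    try:
        return getattr(lookup(ident), field)
    except KeyError:
        return str(ident)


def audit_log_dir(path, run_uid=0, run_gid=0):
    """Return None if path passes, else a dict describing the finding.

    Assumed rule, taken from the report's wording and not from logrotate's
    source: the directory must be owned by the identity logrotate runs as
    and must not be writable by another group or by others.
    """
    st = os.stat(path)  # follows symlinks; the symlink policy is not modelled
    reasons = []
    if st.st_uid != run_uid:
        reasons.append("owner")
    if st.st_mode & stat.S_IWGRP and st.st_gid != run_gid:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if not reasons:
        return None
    user = _name(pwd.getpwuid, st.st_uid, "pw_name")
    group = _name(grp.getgrgid, st.st_gid, "gr_name")
    return {"path": path, "mode": oct(stat.S_IMODE(st.st_mode)),
            "reasons": reasons, "suggest": f"su {user} {group}"}


if __name__ == "__main__":
    # Constructed sample: a temporary directory stands in for /var/log/cups.
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o777)
        print(audit_log_dir(d, os.getuid(), os.getgid()))
        os.chmod(d, 0o755)
        print(audit_log_dir(d, os.getuid(), os.getgid()))
```

Run against each directory named in /etc/logrotate.d/ before applying the update to see which stanzas would need a "su" line.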