Mailinglist Archive: opensuse-packaging (232 mails)
| < Previous | Next > |
[opensuse-packaging] new rpmlint check for insecure logrotate configs
- From: Ludwig Nussel <ludwig.nussel@xxxxxxx>
- Date: Thu, 23 Feb 2012 16:16:52 +0100
- Message-id: <4F465864.4060306@suse.de>
Hi,
Logrotate 3.8 introduced stricter demands on the ownership of log
directories. It refuses to rotate log files in directories that are
writable by anyone other than root to avoid e.g. symlink tricks of a
compromised account.
The correct fix is to change the ownership of log _directories_ to root
and also don't allow any group != 0 to write there. It's still ok for
log _files_ to be owned and writable by some unprivileged user
or group.
Bad:
drwxrwxr-x 2 foo bar /var/log/foo/
-rw-rw-r-- 2 foo bar /var/log/foo/foo.log
Good:
drwxr-xr-x 2 root root /var/log/foo/
-rw-rw-r-- 2 foo bar /var/log/foo/foo.log
Alternatively if the package in question for whatever reason requires
the log directory to be writable by unprivileged users logrotate now
also supports a 'su' option.
So I've introduced a new rpmlint check in Factory that checks for
user owned log directories resp lack of the 'su' option. rpmlint now
also complains if the log directory is not packaged as it obviously
can't check the permissions then.
So please fix your package if you see the
'logrotate-user-writable-log-dir' error in the build log as logrotate
won't rotate logs for this package in the future.
cu
Ludwig
--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB
16746 (AG Nürnberg)
--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-packaging+owner@xxxxxxxxxxxx
Logrotate 3.8 introduced stricter demands on the ownership of log
directories. It refuses to rotate log files in directories that are
writable by anyone other than root to avoid e.g. symlink tricks of a
compromised account.
The correct fix is to change the ownership of log _directories_ to root
and also don't allow any group != 0 to write there. It's still ok for
log _files_ to be owned and writable by some unprivileged user
or group.
Bad:
drwxrwxr-x 2 foo bar /var/log/foo/
-rw-rw-r-- 2 foo bar /var/log/foo/foo.log
Good:
drwxr-xr-x 2 root root /var/log/foo/
-rw-rw-r-- 2 foo bar /var/log/foo/foo.log
Alternatively if the package in question for whatever reason requires
the log directory to be writable by unprivileged users logrotate now
also supports a 'su' option.
So I've introduced a new rpmlint check in Factory that checks for
user owned log directories resp lack of the 'su' option. rpmlint now
also complains if the log directory is not packaged as it obviously
can't check the permissions then.
So please fix your package if you see the
'logrotate-user-writable-log-dir' error in the build log as logrotate
won't rotate logs for this package in the future.
cu
Ludwig
--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB
16746 (AG Nürnberg)
--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-packaging+owner@xxxxxxxxxxxx
| < Previous | Next > |