[Bug 751358] New: logrotate gets EBADF when doing copytruncate
https://bugzilla.novell.com/show_bug.cgi?id=751358
https://bugzilla.novell.com/show_bug.cgi?id=751358#c0

Summary: logrotate gets EBADF when doing copytruncate
Classification: openSUSE
Product: openSUSE 11.4
Version: Final
Platform: x86-64
OS/Version: openSUSE 11.4
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: jimc@math.ucla.edu
QAContact: qa@suse.de
Found By: Community User
Blocker: ---
Package: logrotate-3.7.9-6.9.1.x86_64
From patch: 5744 Referring to: bug 677335
The new /usr/sbin/logrotate gets EBADF (bad file descriptor) when copying a log file for copytruncate. It opens the log on FD 3, but it tries to read FD 131075 (2^17+3). To see this, in the attached strace output search for EBADF. Also attached is /etc/logrotate.conf and the included Apache conf file. This happens on two files, believed to be the only two that met the rotation criteria and were supposed to be copytruncated.

The error message 'error: "/var/log/cups" has insecure permissions. It must be owned and...' is both prolix and uninformative. I would suggest something along the lines of: 'error: executing as root:root but "/var/log/cups" is writeable by lp:lp. In /etc/logrotate.d/cups.J add "su lp lp".'

The man page's description of the "su" declaration could also be better, for example:

    su user group: The program sets its effective user and group IDs to the given identities when renaming, copying, compressing or truncating files, or when running scripts (prerotate, postrotate, etc.) Logrotate will only do file operations if its effective user ID (and group?) matches the owner of the directory, and if only the owner (and/or group?) can write to the directory. "su" is not needed if logrotate runs as root (the normal case) and the directory is owned, and only writeable, by root (and group?).

You also need to describe in the man page the new policy about symlinks, which I have not reverse engineered by experiment.

It would make a lot of sense to have an "auto su" command: switch to the user and group of the containing directory without having to list them explicitly in the conf file. This would also future-proof the configuration when the service is fixed to deal with a root-owned log directory.

A non-backward-compatible package upgrade like this would normally be restricted to a distro version upgrade. This sysadmin is not happy at needing to make an instant response for a potential security issue which is not normally a threat and which is not being exploited in the wild. And if you do withdraw the patch, the old version is not forward compatible: people who have figured out how to use "su" will have to take it out again.

Due to the EBADF issue I'm reverting this patch, the first time in six years that I've rejected a SuSE patch.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
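The directory-permission rule the report paraphrases from the man page (the effective user must own the log directory, and only the owner may write to it) and the two fixes the reporter asks for (a diagnostic that names the mismatch and the "su" line that would resolve it, plus an "auto su" that derives user and group from the containing directory) can be expressed as a small standalone check. The following is an added example written for this page; it is not logrotate's own code and not the reporter's, and it models only the rule as the report states it (the reporter's open questions about the group are treated here as "group write bit must be clear"; the `su` suggestion and the `conf_file` name are the reporter's proposed wording, with the conf path passed in by the caller). `demo()` builds a constructed temporary directory so the check can be run offline.

```python
import os
import pwd
import grp
import stat
import shutil
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class DirCheck:
    """Outcome of checking one log directory against the report's rule."""
    path: str
    owner_uid: int
    owner_gid: int
    owner_matches: bool     # directory owner == effective uid
    group_writable: bool    # S_IWGRP set on the directory
    other_writable: bool    # S_IWOTH set on the directory

    @property
    def secure(self) -> bool:
        # The rule as the report paraphrases it: owned by the effective user,
        # and writable by nobody except the owner.
        return self.owner_matches and not (self.group_writable or self.other_writable)


def _user_name(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:          # unknown uid (e.g. inside a container): fall back to the number
        return str(uid)


def _group_name(gid: int) -> str:
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def check_log_dir(path: str, euid: Optional[int] = None) -> DirCheck:
    """Stat `path` and compare its owner and write bits with the effective uid."""
    euid = os.geteuid() if euid is None else euid
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    return DirCheck(
        path=path,
        owner_uid=st.st_uid,
        owner_gid=st.st_gid,
        owner_matches=(st.st_uid == euid),
        group_writable=bool(mode & stat.S_IWGRP),
        other_writable=bool(mode & stat.S_IWOTH),
    )


def auto_su(logfile: str) -> Tuple[str, str]:
    """The 'auto su' the report proposes: user and group of the containing directory."""
    parent = os.path.dirname(os.path.abspath(logfile))
    st = os.stat(parent)
    return _user_name(st.st_uid), _group_name(st.st_gid)


def diagnose(result: DirCheck, euid: Optional[int] = None,
             conf_file: str = "<conf file>") -> str:
    """Render the check as the kind of message the reporter asked for."""
    euid = os.geteuid() if euid is None else euid
    me = _user_name(euid)
    owner, group = _user_name(result.owner_uid), _group_name(result.owner_gid)
    if result.secure:
        return f'ok: "{result.path}" is owned by {owner} and writable only by the owner'
    if not result.owner_matches:
        # Same shape as the reporter's suggested message, naming the fix explicitly.
        return (f'error: executing as {me} but "{result.path}" is owned by '
                f'{owner}:{group}. In {conf_file} add "su {owner} {group}".')
    writers = [w for w, f in (("group", result.group_writable),
                              ("others", result.other_writable)) if f]
    # Owner matches, so "su" would not help: the write bit itself has to go.
    return (f'error: "{result.path}" is owned by {owner} but is also writable by '
            f'{" and ".join(writers)}; remove that write permission.')


def demo() -> Dict[str, object]:
    """Run the check over a constructed temp directory in three states."""
    d = tempfile.mkdtemp(prefix="logrotate-check-")
    try:
        os.chmod(d, 0o755)                        # owner-only write: passes
        ok = check_log_dir(d)
        os.chmod(d, 0o775)                        # group-writable: fails
        gw = check_log_dir(d)
        os.chmod(d, 0o755)
        wrong_uid = os.geteuid() + 1              # simulate running as a different user
        mismatch = check_log_dir(d, euid=wrong_uid)
        return {
            "secure_0755": ok.secure,
            "secure_0775": gw.secure,
            "group_writable_0775": gw.group_writable,
            "mismatch_secure": mismatch.secure,
            "mismatch_message": diagnose(mismatch, euid=wrong_uid, conf_file="/etc/logrotate.d/example"),
            "auto_su": auto_su(os.path.join(d, "access_log")),
            "owner_name": _user_name(os.geteuid()),
        }
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

`check_log_dir` takes the effective uid as a parameter so the mismatch branch can be exercised without actually changing user; in a real run you would leave it at the default and let `os.geteuid()` supply it.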
--- Comment #1 from James Carter (https://bugzilla.novell.com/show_bug.cgi?id=751358#c1)
--- Comment #2 from James Carter (https://bugzilla.novell.com/show_bug.cgi?id=751358#c2)
--- Comment #3 from James Carter (https://bugzilla.novell.com/show_bug.cgi?id=751358#c3)
--- Comment #4 from James Carter (https://bugzilla.novell.com/show_bug.cgi?id=751358#c4)
--- Comment from Christian Boltz (https://bugzilla.novell.com/show_bug.cgi?id=751358#c)
--- Comment #5 from Vitezslav Cizek (https://bugzilla.novell.com/show_bug.cgi?id=751358#c5)
--- Comment #6 from Vitezslav Cizek (https://bugzilla.novell.com/show_bug.cgi?id=751358#c6)
--- Comment #7 from Bernhard Wiedemann (https://bugzilla.novell.com/show_bug.cgi?id=751358#c7)
--- Comment #8 from Dirk Mueller (https://bugzilla.novell.com/show_bug.cgi?id=751358#c8)
--- Comment #9 from Benjamin Brunner (https://bugzilla.novell.com/show_bug.cgi?id=751358#c9)
--- Comment #10 from Swamp Workflow Management (https://bugzilla.novell.com/show_bug.cgi?id=751358#c10)