[opensuse-factory] new rpmlint check for insecure logrotate configs
Hi,

Logrotate 3.8 introduced stricter demands on the ownership of log directories. It refuses to rotate log files in directories that are writable by anyone other than root to avoid e.g. symlink tricks of a compromised account.

The correct fix is to change the ownership of log _directories_ to root and also don't allow any group != 0 to write there. It's still ok for log _files_ to be owned and writable by some unprivileged user or group.

Bad:
drwxrwxr-x 2 foo  bar  /var/log/foo/
-rw-rw-r-- 2 foo  bar  /var/log/foo/foo.log

Good:
drwxr-xr-x 2 root root /var/log/foo/
-rw-rw-r-- 2 foo  bar  /var/log/foo/foo.log

Alternatively if the package in question for whatever reason requires the log directory to be writable by unprivileged users logrotate now also supports a 'su' option.

So I've introduced a new rpmlint check in Factory that checks for user owned log directories resp. lack of the 'su' option. rpmlint now also complains if the log directory is not packaged as it obviously can't check the permissions then.

So please fix your package if you see the 'logrotate-user-writable-log-dir' error in the build log as logrotate won't rotate logs for this package in the future.

cu
Ludwig
--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
       SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Thursday 23 February 2012, Ludwig Nussel wrote:
> Hi,
>
> Logrotate 3.8 introduced stricter demands on the ownership of log directories. It refuses to rotate log files in directories that are writable by anyone other than root to avoid e.g. symlink tricks of a compromised account.
>
> The correct fix is to change the ownership of log _directories_ to root and also don't allow any group != 0 to write there. It's still ok for log _files_ to be owned and writable by some unprivileged user or group.
>
> Bad:
> drwxrwxr-x 2 foo  bar  /var/log/foo/
> -rw-rw-r-- 2 foo  bar  /var/log/foo/foo.log
>
> Good:
> drwxr-xr-x 2 root root /var/log/foo/
> -rw-rw-r-- 2 foo  bar  /var/log/foo/foo.log
>
> Alternatively if the package in question for whatever reason requires the log directory to be writable by unprivileged users logrotate now also supports a 'su' option.
>
> So I've introduced a new rpmlint check in Factory that checks for user owned log directories resp. lack of the 'su' option. rpmlint now also complains if the log directory is not packaged as it obviously can't check the permissions then.
>
> So please fix your package if you see the 'logrotate-user-writable-log-dir' error in the build log as logrotate won't rotate logs for this package in the future.
Ludwig, while you are on this maybe you could also review what we could do about https://bugzilla.novell.com/show_bug.cgi?id=718168

cu,
Rudi
Ruediger Meier wrote:
> Ludwig, while you are on this maybe you could also review what we could do about https://bugzilla.novell.com/show_bug.cgi?id=718168

As Vitezslav said, that needs to be fixed in the package that contains the logrotate config for that specific file.

cu
Ludwig
On Thursday 23 February 2012, Ludwig Nussel wrote:
> Ruediger Meier wrote:
> > Ludwig, while you are on this maybe you could also review what we could do about https://bugzilla.novell.com/show_bug.cgi?id=718168
>
> As Vitezslav said, that needs to be fixed in the package that contains the logrotate config for that specific file.

I don't care much about the particular example of the bug report but about the general problem that we are always defining logfile permissions twice at different places. One time in logrotate configs and one time when a log file is created the first time.

This is IMO a major problem and should be solved similarly to what you did here by doing an announcement, adding rpmlint checks, whatever.

As mentioned in the above bug report and in http://permalink.gmane.org/gmane.linux.suse.opensuse.devel/34392 I would omit any mode attributes in any logrotate configs and only care about the right mode when creating a logfile the first time.

cu,
Rudi
Ruediger Meier wrote:
> On Thursday 23 February 2012, Ludwig Nussel wrote:
> > Ruediger Meier wrote:
> > > Ludwig, while you are on this maybe you could also review what we could do about https://bugzilla.novell.com/show_bug.cgi?id=718168
> >
> > As Vitezslav said, that needs to be fixed in the package that contains the logrotate config for that specific file.
>
> I don't care much about the particular example of the bug report but about the general problem that we are always defining logfile permissions twice at different places. One time in logrotate configs and one time when a log file is created the first time.
>
> This is IMO a major problem and should be solved similarly to what you did here by doing an announcement, adding rpmlint checks, whatever.

That would be possible indeed. Now we need a volunteer to actually do it :-)

> As mentioned in the above bug report and in http://permalink.gmane.org/gmane.linux.suse.opensuse.devel/34392 I would omit any mode attributes in any logrotate configs and only care about the right mode when creating a logfile the first time.

The log files should probably be owned by a package then so rpm -V shows when the permissions are wrong. The /etc/permissions mechanism isn't really suitable for that as it only triggers on package installation. We'd have to put chkstat calls into each logrotate config then or someone needs to patch logrotate to do it automatically ...

cu
Ludwig
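As an added example (not code from this thread, and not the actual rpmlint check from Factory), the following Python models both checks the thread talks about: Ludwig's rule from the announcement (a log directory must be root-owned and not writable by a non-root group or by everyone, unless the stanza carries a 'su' option, and the directory must be packaged at all), and the "permissions defined twice" problem Rudi raises (a 'create MODE USER GROUP' line that disagrees with the owner and mode the package gives the log file). The logrotate config and the package file list are constructed for the example; of the three finding names only 'logrotate-user-writable-log-dir' is the real one named in the thread, the other two are made up here.

```python
import os
import re
import stat
from dataclasses import dataclass, field

# Constructed logrotate config (not taken from the thread):
# /var/log/foo: the 'Bad' case, directory owned by an unprivileged user.
# /var/log/bar: same layout, but the stanza uses the 'su' option.
# /var/log/baz: the 'Good' case, root-owned directory, but the 'create'
#               line disagrees with the mode the package gives the file.
# /var/log/qux: directory not packaged at all.
SAMPLE_CONFIG = """\
/var/log/foo/foo.log {
    weekly
    create 0664 foo bar
}

/var/log/bar/bar.log {
    daily
    su bar bar
    create 0664 bar bar
}

/var/log/baz/baz.log {
    monthly
    create 0644 root root
}

/var/log/qux/qux.log {
    weekly
}
"""

# Constructed stand-in for the package's file list: path -> (user, group, mode).
PACKAGED = {
    "/var/log/foo": ("foo", "bar", 0o775),          # Bad: drwxrwxr-x foo bar
    "/var/log/foo/foo.log": ("foo", "bar", 0o664),
    "/var/log/bar": ("bar", "bar", 0o775),          # writable, but stanza has 'su'
    "/var/log/bar/bar.log": ("bar", "bar", 0o664),
    "/var/log/baz": ("root", "root", 0o755),        # Good: drwxr-xr-x root root
    "/var/log/baz/baz.log": ("baz", "baz", 0o664),  # 'create' says 0644 root root
}


@dataclass
class Stanza:
    paths: list
    directives: dict = field(default_factory=dict)


def parse_logrotate(text):
    """Minimal parser for 'path ... { directive args ... }' stanzas.
    Enough for this example; it ignores postrotate scripts and includes."""
    stanzas = []
    for m in re.finditer(r"([^{}]+?)\{([^}]*)\}", text):
        st = Stanza(paths=m.group(1).split())
        for line in m.group(2).splitlines():
            line = line.split("#", 1)[0].strip()
            if line:
                name, _, args = line.partition(" ")
                st.directives[name] = args.split()
        stanzas.append(st)
    return stanzas


def dir_is_unsafe(user, group, mode):
    """logrotate 3.8's rule as stated in the announcement: a log directory
    must be root-owned and not writable by a non-root group or by everyone."""
    if user != "root":
        return True
    if mode & stat.S_IWGRP and group != "root":
        return True
    return bool(mode & stat.S_IWOTH)


def check_config(config_text, packaged):
    """Return (finding, path) tuples in config order. Only
    'logrotate-user-writable-log-dir' is the real rpmlint error from the
    thread; the other two names are invented for this example."""
    findings = []
    for st in parse_logrotate(config_text):
        has_su = "su" in st.directives
        for path in st.paths:
            logdir = os.path.dirname(path)
            entry = packaged.get(logdir)
            if entry is None:
                findings.append(("logrotate-log-dir-not-packaged", logdir))
            elif not has_su and dir_is_unsafe(*entry):
                findings.append(("logrotate-user-writable-log-dir", logdir))
            # Rudi's point: 'create MODE USER GROUP' restates permissions the
            # package already defines for the file; flag it when they disagree.
            create = st.directives.get("create")
            if create and len(create) == 3 and path in packaged:
                mode, user, group = int(create[0], 8), create[1], create[2]
                if (user, group, mode) != packaged[path]:
                    findings.append(("logrotate-create-mode-mismatch", path))
    return findings


if __name__ == "__main__":
    for finding, path in check_config(SAMPLE_CONFIG, PACKAGED):
        print(f"E: {finding} {path}")
```

Against the constructed input this reports /var/log/foo as user-writable, /var/log/qux as not packaged, and the 'create' line for /var/log/baz/baz.log as disagreeing with the packaged file; /var/log/bar passes because of its 'su' option. On a real build root the PACKAGED dict would be replaced by the file list and %attr metadata rpmlint already has for the package.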