Hi, On 23.02.2012 16:16, Ludwig Nussel wrote:
Hi,
Logrotate 3.8 introduced stricter demands on the ownership of log directories. It refuses to rotate log files in directories that are writable by anyone other than root to avoid e.g. symlink tricks of a compromised account.
The correct fix is to change the ownership of log _directories_ to root and also don't allow any group != 0 to write there. It's still ok for log _files_ to be owned and writable by some unprivileged user or group.
Bad:
drwxrwxr-x 2 foo bar /var/log/foo/
-rw-rw-r-- 2 foo bar /var/log/foo/foo.log

Good:
drwxr-xr-x 2 root root /var/log/foo/
-rw-rw-r-- 2 foo bar /var/log/foo/foo.log

this won't work e.g. for tinyproxy. tinyproxy creates his logfile as

drwxr-x--- 2 tinyproxy root 80 23. Feb 00:15 ./
drwxr-xr-x 13 root root 1264 22. Feb 22:47 ../
-rw------- 1 tinyproxy tinyproxy 226 23. Feb 00:16 tinyproxy.log

I wouldn't have created this "user-owned" subdir, if tinyproxy would have been able to write his log directly to /var/log. So how should this be fixed?
Alternatively if the package in question for whatever reason requires the log directory to be writable by unprivileged users logrotate now also supports a 'su' option.
So I've introduced a new rpmlint check in Factory that checks for user owned log directories resp lack of the 'su' option. rpmlint now also complains if the log directory is not packaged as it obviously can't check the permissions then.
So please fix your package if you see the 'logrotate-user-writable-log-dir' error in the build log as logrotate won't rotate logs for this package in the future.
cu Ludwig
--
Christian
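The directory rule stated in the announcement, applied to the three listings from this thread, as an added example that is not part of the original mails and is not logrotate's or rpmlint's own code. The function names and the numeric uids/gids are assumptions made for illustration.

```python
import os
import stat
import sys


def dir_findings(uid, gid, mode):
    """Return the reasons a log directory breaks the rule from the mail:
    owned by root, and not writable by any group != 0 or by others."""
    findings = []
    if uid != 0:
        findings.append("owned by non-root user")
    if gid != 0 and mode & stat.S_IWGRP:
        findings.append("writable by non-root group")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def check_path(path):
    """Apply dir_findings() to a directory on disk."""
    st = os.lstat(path)  # lstat: a symlink in place of the directory is reported
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    return dir_findings(st.st_uid, st.st_gid, st.st_mode)


# Constructed samples modelled on the listings in the thread.
# The uids/gids are made up; only "0 = root" matters for the rule.
SAMPLES = {
    "Bad:  foo:bar        drwxrwxr-x": (1000, 1000, 0o775),
    "Good: root:root      drwxr-xr-x": (0, 0, 0o755),
    "tinyproxy:root       drwxr-x---": (500, 0, 0o750),
}


def report_samples():
    """Map each sample label to its list of findings (empty list = passes)."""
    return {label: dir_findings(*args) for label, args in SAMPLES.items()}


if __name__ == "__main__":
    # With arguments: check real directories. Without: show the samples.
    results = ({p: check_path(p) for p in sys.argv[1:]}
               if len(sys.argv) > 1 else report_samples())
    for name, findings in results.items():
        print(f"{name}: {', '.join(findings) if findings else 'ok'}")
```

A directory that is reported here needs either the ownership change described in the announcement or the 'su' option in its logrotate configuration.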