[opensuse-packaging] new rpmlint check for insecure logrotate configs
Hi,

Logrotate 3.8 introduced stricter demands on the ownership of log directories. It refuses to rotate log files in directories that are writable by anyone other than root to avoid e.g. symlink tricks of a compromised account.

The correct fix is to change the ownership of log _directories_ to root and also don't allow any group != 0 to write there. It's still ok for log _files_ to be owned and writable by some unprivileged user or group.

Bad:
  drwxrwxr-x 2 foo bar /var/log/foo/
  -rw-rw-r-- 2 foo bar /var/log/foo/foo.log

Good:
  drwxr-xr-x 2 root root /var/log/foo/
  -rw-rw-r-- 2 foo bar /var/log/foo/foo.log

Alternatively, if the package in question for whatever reason requires the log directory to be writable by unprivileged users, logrotate now also supports a 'su' option.

So I've introduced a new rpmlint check in Factory that checks for user owned log directories resp. lack of the 'su' option. rpmlint now also complains if the log directory is not packaged as it obviously can't check the permissions then.

So please fix your package if you see the 'logrotate-user-writable-log-dir' error in the build log as logrotate won't rotate logs for this package in the future.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org
Hi,

On 23.02.2012 16:16, Ludwig Nussel wrote:

this won't work e.g. for tinyproxy. tinyproxy creates its logfile as

  drwxr-x--- 2 tinyproxy root 80 23. Feb 00:15 ./
  drwxr-xr-x 13 root root 1264 22. Feb 22:47 ../
  -rw------- 1 tinyproxy tinyproxy 226 23. Feb 00:16 tinyproxy.log

I wouldn't have created this "user-owned" subdir if tinyproxy had been able to write its log directly to /var/log. So how should this be fixed?
--
Christian
Christian wrote:
> On 23.02.2012 16:16, Ludwig Nussel wrote:
>> [...]
>> drwxr-xr-x 2 root root /var/log/foo/
>> -rw-rw-r-- 2 foo bar /var/log/foo/foo.log
>
> this won't work e.g. for tinyproxy. tinyproxy creates its logfile as
>
>   drwxr-x--- 2 tinyproxy root 80 23. Feb 00:15 ./
>   drwxr-xr-x 13 root root 1264 22. Feb 22:47 ../
>   -rw------- 1 tinyproxy tinyproxy 226 23. Feb 00:16 tinyproxy.log
>
> I wouldn't have created this "user-owned" subdir if tinyproxy had been able to write its log directly to /var/log. So how should this be fixed?
The question is whether tinyproxy actually needs to create, unlink or rename the log file. Usually this is not the case. Have you tried creating an empty log file with correct permissions in %post or the init script? I'd expect the typical daemon to be happy with that as it can open the file and append to it then. When logrotate rotates the log it creates an empty log file with correct permissions too.

cu
Ludwig
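The directory rule from the first message, as an added Python example that is not part of the thread and not rpmlint's own check: for each stanza of a logrotate config it accepts the log directory if the stanza carries 'su', and otherwise requires root ownership with no write access for others or for a non-root group. The sample config, the function names and the "missing" verdict are assumptions made for illustration, and only a per-stanza 'su' is considered.

```python
import os
import re
import stat

# Constructed sample config; the paths mirror the listings in the thread.
SAMPLE_CONF = """\
/var/log/foo/foo.log {
    weekly
}
/var/log/tinyproxy/tinyproxy.log {
    su tinyproxy root
    weekly
}
"""

STANZA = re.compile(r"([^{}]+)\{([^{}]*)\}")

def stanzas(conf_text):
    """Yield (log_paths, has_su) for each 'paths { ... }' stanza."""
    for header, body in STANZA.findall(conf_text):
        # Keep absolute paths only; global directives before a stanza are skipped.
        paths = [w for line in header.splitlines()
                 for w in line.split("#", 1)[0].split() if w.startswith("/")]
        has_su = any(re.match(r"\s*su\s+\S+", ln) for ln in body.splitlines())
        yield paths, has_su

def dir_is_safe(st):
    """True if only root (or group 0) may create, rename or unlink entries."""
    if st.st_uid != 0 or st.st_mode & stat.S_IWOTH:
        return False
    return not (st.st_mode & stat.S_IWGRP and st.st_gid != 0)

def audit(conf_text, stat_fn=os.stat):
    """Return sorted (directory, verdict) pairs for the log directories."""
    results = {}
    for paths, has_su in stanzas(conf_text):
        for d in {os.path.dirname(p) for p in paths}:
            try:
                # With 'su' the directory is accepted without looking at it.
                safe = has_su or dir_is_safe(stat_fn(d))
            except FileNotFoundError:
                results[d] = "missing"  # hypothetical label: nothing to check
                continue
            results[d] = "ok" if safe else "logrotate-user-writable-log-dir"
    return sorted(results.items())

if __name__ == "__main__":
    for directory, verdict in audit(SAMPLE_CONF):
        print(directory, verdict)
```

Passing a custom stat_fn lets the same logic run against a package's file list instead of the live filesystem.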