
Bug#1014659: logrotate: error: state file /var/lib/logrotate/status is world-readable


Holger Levsen
Jul 9, 2022, 7:50:03 PM
Package: logrotate
Version: 3.18.0-2+deb11u1
Severity: normal
X-Debbugs-Cc: debian-...@lists.debian.org
affects: release.debian.org

Dear Maintainer,

after the bullseye 11.4 point release I started to see the following mails
from logcheck:

Jul 10 00:00:24 mainframe logrotate[37314]: error: state file /var/lib/logrotate/status is world-readable and thus can be locked from other unprivileged users. Skipping lock acquisition...

I suspect the severity of this bug should be higher, but I will leave this to
you.

Thanks for maintaining logrotate!


--
cheers,
Holger

holger@(debian|reproducible-builds|layer-acht).org
OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C

So what CAN we actually do? Well, individual decisions (eating less meat,
taking public transport, buying less fast fashion) are all important, but we
also need to change the system. As you may know, just 100 companies are
responsible for 71% of global emissions. (@JessicaTheLaw)
https://www.theguardian.com/sustainable-business/2017/jul/10/100-fossil-fuel-companies-investors-responsible-71-global-emissions-cdp-study-climate-change

Salvatore Bonaccorso
Jul 10, 2022, 3:50:03 AM
Hi,

On Sun, Jul 10, 2022 at 01:35:50AM +0200, Holger Levsen wrote:
> Package: logrotate
> Version: 3.18.0-2+deb11u1
> Severity: normal
> X-Debbugs-Cc: debian-...@lists.debian.org
> affects: release.debian.org
>
> Dear Maintainer,
>
> after the bullseye 11.4 point release I started to see the following mails
> from logcheck:
>
> Jul 10 00:00:24 mainframe logrotate[37314]: error: state file /var/lib/logrotate/status is world-readable and thus can be locked from other unprivileged users. Skipping lock acquisition...
>
> I suspect the severity of this bug should be higher, but I will leave this to
> you.
>
> Thanks for maintaining logrotate!

There is https://security-tracker.debian.org/tracker/CVE-2022-1348
fixed in the logrotate update landed in bullseye 11.4. In fact if the
state file is world-readable logrotate will error out as per

https://github.com/logrotate/logrotate/commit/1f76a381e2caa0603ae3dbc51ed0f1aa0d6658b9

I wonder if the packaging should adjust the permissions as well on the
state file on update? (Which is technically not part of the fix: if the
state file is not present it is created correctly with 0640
permissions, but should a present one be adjusted?)

Regards,
Salvatore

Christian Göttsche
Jul 10, 2022, 5:50:03 AM
On Sun, Jul 10, 2022 at 01:35:50AM +0200, Holger Levsen wrote:

> after the bullseye 11.4 point release I started to see the following mails
> from logcheck:
>
> Jul 10 00:00:24 mainframe logrotate[37314]: error: state file /var/lib/logrotate/status is world-readable and thus can be locked from other unprivileged users. Skipping lock acquisition...

Does this only happen for the first logrotate invocation after the
update or continuously?

If continuously what are the permissions of the state file (`ls -l
/var/lib/logrotate/status`)?

On Sun, 10 Jul 2022 at 09:45, Salvatore Bonaccorso <car...@debian.org> wrote:
>
> I wonder if the packaging should adjust the permissions as well on the
> state file on update? (which technically not part of the fix, if the
> state file is not present it is created correctly with 0640
> permissions, but a present one should be adjusted?).

Something like the following in postinst:

if [ -f /var/lib/logrotate/status ]; then
    # keep the old state file as a backup ...
    mv /var/lib/logrotate/status /var/lib/logrotate/status.old
    # ... and copy it back into place with the mode logrotate now expects
    install -m 0640 /var/lib/logrotate/status.old /var/lib/logrotate/status
fi

?
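
As an added example that is not part of this thread or of the logrotate packaging, a POSIX sh check in the spirit of the postinst snippet above: it detects whether the state file is readable by "other" (the condition that now makes logrotate skip lock acquisition) and tightens it in place with chmod, so owner, inode and contents are preserved instead of copied. It assumes GNU coreutils `stat -c '%a'`; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the Debian bug thread or the logrotate package):
# detect and tighten a world-readable logrotate state file.
# Assumes GNU coreutils `stat -c` for the octal mode.

# Print the octal mode of a file without leading zeros, e.g. 644 or 1640.
file_mode() {
    stat -c '%a' "$1"
}

# Return 0 if "other" has the read bit (mode ...4, ...5, ...6 or ...7).
# The last octal digit is the "other" permission set; r has value 4.
is_world_readable() {
    mode=$(file_mode "$1") || return 1
    other=${mode#"${mode%?}"}     # last character of the mode string
    case "$other" in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Tighten a world-readable state file to 0640 in place. An absent file is
# left alone: logrotate creates it with 0640 itself.
fix_state_file() {
    f=$1
    [ -f "$f" ] || return 0
    if is_world_readable "$f"; then
        chmod 0640 "$f" || return 1
        printf 'tightened %s to 0640\n' "$f"
    fi
    return 0
}

# Stand-alone use: check the real state file (root needed to chmod it).
if [ "${1:-}" = "--run" ]; then
    fix_state_file /var/lib/logrotate/status
fi
```

Run with `--run` to act on the real state file; without arguments the script only defines the functions so it can be sourced from a postinst.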

Roman Mamedov
Jul 10, 2022, 7:30:03 AM
Hello,

Here is the permission layout after the "error" message has been issued. I did
not check what it was before. I'm not sure if this means I will not get
another "error" tomorrow. On another host, I did "chmod o-rx" on the logrotate
directory, thinking maybe it wants that. Not sure yet if that helped either.

# ls -la /var/lib/logrotate/
total 12
drwxr-xr-x 2 root root 4096 Jul 10 06:32 .
drwxr-xr-x 29 root root 4096 Jun 22 13:44 ..
-rw-r----- 1 root root 782 Jul 10 06:32 status

--
With respect,
Roman