From: Florian Philipp
Date: Sun, 28 Aug 2011 20:44:20 +0200
Message-ID: <4E5A8C84.5080605@binarywings.net>
List-Id: Gentoo Linux mail
To:
 gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] logrotate: /var/log/portage/elog "insecure permissions"?
In-Reply-To: <201108281214.16339.michaelkintzios@gmail.com>

On 28.08.2011 13:14, Mick wrote:
> On Sunday 07 Aug 2011 16:20:18 Florian Philipp wrote:
>> On 07.08.2011 02:22, Mick wrote:
>>> On Friday 05 Aug 2011 23:08:38 Neil Bothwick wrote:
>>>> On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
>>>>> Yes, this was introduced in 3.8.0 to fix security issues [1]. Change
>>>>> your config to look like this:
>>>>> /var/log/portage/elog/summary.log {
>>>>>     su portage portage
>>>>>     ...
>>>>> }
>>>>>
>>>>> Disclaimer: I've not really tried this (yet) but I think I'm able to
>>>>> read changelogs and man-pages. ;-)
>>>>
>>>> Yes that fixes it. The latest portage ebuilds include an updated config
>>>> file.
>>>
>>> Hmm ... it still complains here!
>>>
>>> error: error setting owner of
>>> /var/log/portage/elog/summary.log-20110801.gz: Operation not permitted
>>>
>>>
>>> This is my /etc/logrotate.d/elog-save-summary:
>>> ===================================
>>> /var/log/portage/elog/summary.log {
>>>
>>>     su portage portage
>>>
>>>     missingok
>>>     nocreate
>>>     delaycompress
>>>
>>> }
>>> ===================================
>>>
>>> # ls -la /var/log/portage/elog/summary.log
>>> -rw-rw-r-- 1 root portage 4326 Aug  6 09:44
>>> /var/log/portage/elog/summary.log
>>>
>>> Can you see anything amiss?
>>
>> At least on my system, /var/log/portage has the following permissions:
>> drwxr-xr-x root root
>>
>> Only root can write, therefore the config must read
>>
>> /var/log/portage/elog/summary.log {
>>     su root portage
>>     missingok
>>     nocreate
>>     delaycompress
>> }
>
> The latest logrotate update wanted to change the above line from su root
> portage to su portage portage ...
>
> Should I be changing the ownership of /var/log/portage and /var/log/portage
> elog?

Unless portage now drops privileges from root:portage to portage:portage
for writing logs, no one except root should be allowed to write in
/var/log/portage. So, from my point of view, the answer is no.

It seems so:
https://bugs.gentoo.org/show_bug.cgi?id=374287
https://bugs.gentoo.org/show_bug.cgi?id=378451
This version of portage has just been stabilized this week.

Regards,
Florian Philipp
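
The permission reasoning in this thread, as an added shell example that is not part of the original messages and is not logrotate's own code. The function names are hypothetical, the directory modes and owners passed in the sample calls are constructed, and the write check is simplified (any matching owner, group or other class with a write bit counts; ACLs are ignored).

```shell
#!/bin/sh
# Added illustration, not logrotate code. Modes are octal strings as printed
# by `stat -c %a`. All sample values in the calls at the bottom are constructed.

# digit MODE N: N-th octal digit from the right (1 = other, 2 = group, 3 = owner)
digit() {
    m=$1; n=$2
    while [ "$n" -gt 1 ]; do m=${m%?}; n=$((n - 1)); done
    d=${m#"${m%?}"}
    printf '%s' "${d:-0}"
}

# dir_is_insecure MODE GROUP: true when the log directory is world-writable or
# writable by a group other than root, the case where logrotate >= 3.8.0
# reports "insecure permissions" and expects a "su" line.
dir_is_insecure() {
    if [ $(( $(digit "$1" 1) & 2 )) -ne 0 ]; then return 0; fi
    if [ $(( $(digit "$1" 2) & 2 )) -ne 0 ] && [ "$2" != root ]; then return 0; fi
    return 1
}

# check_su SU_USER SU_GROUP DIR_MODE DIR_OWNER DIR_GROUP LOG_OWNER
# Prints "ok", or the reason rotation under "su SU_USER SU_GROUP" fails.
check_su() {
    if [ "$1" = root ]; then echo ok; return 0; fi
    writable=no
    if [ "$1" = "$4" ] && [ $(( $(digit "$3" 3) & 2 )) -ne 0 ]; then writable=yes; fi
    if [ "$2" = "$5" ] && [ $(( $(digit "$3" 2) & 2 )) -ne 0 ]; then writable=yes; fi
    if [ $(( $(digit "$3" 1) & 2 )) -ne 0 ]; then writable=yes; fi
    if [ "$writable" = no ]; then echo "cannot write directory"; return 0; fi
    # An unprivileged process cannot chown a file to a different owner (EPERM),
    # which is what "error setting owner ... Operation not permitted" reports.
    if [ "$1" != "$6" ]; then echo "cannot set owner"; return 0; fi
    echo ok
}

# Constructed cases: a root:portage 2775 directory holding a root-owned log,
# then the drwxr-xr-x root root directory quoted in the thread.
if dir_is_insecure 2775 portage; then echo "su line required"; fi
echo "su portage portage -> $(check_su portage portage 2775 root portage root)"
echo "su root portage    -> $(check_su root portage 2775 root portage root)"
echo "su portage portage -> $(check_su portage portage 755 root root root)"
```
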