* [gentoo-user] logrotate: /var/log/portage/elog "insecure permissions"?
From: Jarry @ 2011-08-05 15:22 UTC
To: gentoo-user
Hi,
today I received this mail from cron:
---
error: skipping "/var/log/portage/elog/summary.log" because
parent directory has insecure permissions (It's world writable
or writable by group which is not "root") Set "su" directive
in config file to tell logrotate which user/group should be
used for rotation.
---
My /var/log/portage/elog has these permissions:
drwxrws--- 2 portage portage 4096 Jun 1 2010 elog
What is wrong with it? I'm pretty sure I did not touch it
for years so I'm surprised logrotate is suddenly complaining
(it has been updated recently, that might be the reason).
Anyway, what should those permissions look like to make
logrotate (and cron) happy?
Jarry
--
_______________________________________________________________
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.
* Re: [gentoo-user] logrotate: /var/log/portage/elog "insecure permissions"?
From: Florian Philipp @ 2011-08-05 15:59 UTC
To: gentoo-user
On 05.08.2011 17:22, Jarry wrote:
> Hi,
> today I received this mail from cron:
> ---
> error: skipping "/var/log/portage/elog/summary.log" because
> parent directory has insecure permissions (It's world writable
> or writable by group which is not "root") Set "su" directive
> in config file to tell logrotate which user/group should be
> used for rotation.
> ---
>
> My /var/log/portage/elog has these permissions:
> drwxrws--- 2 portage portage 4096 Jun 1 2010 elog
>
> What is wrong with it? I'm pretty sure I did not touch it
> for years so I'm surprised logrotate is suddenly complaining
> (it has been updated recently, that might be the reason).
>
> Anyway, what should those permissions look like to make
> logrotate (and cron) happy?
>
> Jarry
>
Yes, this was introduced in 3.8.0 to fix security issues [1]. Change
your config to look like this:
/var/log/portage/elog/summary.log {
    su portage portage
    ...
}
Disclaimer: I've not really tried this (yet) but I think I'm able to
read changelogs and man-pages. ;-)
[1] https://bugzilla.redhat.com/show_bug.cgi?id=680799
Regards,
Florian Philipp
* Re: [gentoo-user] logrotate: /var/log/portage/elog "insecure permissions"?
From: Neil Bothwick @ 2011-08-05 22:08 UTC
To: gentoo-user
On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
> Yes, this was introduced in 3.8.0 to fix security issues [1]. Change
> your config to look like this:
> /var/log/portage/elog/summary.log {
> su portage portage
> ...
> }
>
> Disclaimer: I've not really tried this (yet) but I think I'm able to
> read changelogs and man-pages. ;-)
Yes that fixes it. The latest portage ebuilds include an updated config
file.
--
Neil Bothwick
There's no such thing as a free lunch
___Steve Ballmer, choking on a linuxburger
* Re: [gentoo-user] logrotate: /var/log/portage/elog "insecure permissions"?
From: Mick @ 2011-08-07 0:22 UTC
To: gentoo-user
On Friday 05 Aug 2011 23:08:38 Neil Bothwick wrote:
> On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
> > Yes, this was introduced in 3.8.0 to fix security issues [1]. Change
> > your config to look like this:
> > /var/log/portage/elog/summary.log {
> > su portage portage
> > ...
> > }
> >
> > Disclaimer: I've not really tried this (yet) but I think I'm able to
> > read changelogs and man-pages. ;-)
>
> Yes that fixes it. The latest portage ebuilds include an updated config
> file.
Hmm ... it still complains here!
error: error setting owner of /var/log/portage/elog/summary.log-20110801.gz:
Operation not permitted
This is my /etc/logrotate.d/elog-save-summary:
===================================
/var/log/portage/elog/summary.log {
    su portage portage
    missingok
    nocreate
    delaycompress
}
===================================
# ls -la /var/log/portage/elog/summary.log
-rw-rw-r-- 1 root portage 4326 Aug 6 09:44 /var/log/portage/elog/summary.log
Can you see anything amiss?
--
Regards,
Mick
* Re: [gentoo-user] logrotate: /var/log/portage/elog "insecure permissions"?
From: Florian Philipp @ 2011-08-07 15:20 UTC
To: gentoo-user
On 07.08.2011 02:22, Mick wrote:
> On Friday 05 Aug 2011 23:08:38 Neil Bothwick wrote:
>> On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
>>> Yes, this was introduced in 3.8.0 to fix security issues [1]. Change
>>> your config to look like this:
>>> /var/log/portage/elog/summary.log {
>>> su portage portage
>>> ...
>>> }
>>>
>>> Disclaimer: I've not really tried this (yet) but I think I'm able to
>>> read changelogs and man-pages. ;-)
>>
>> Yes that fixes it. The latest portage ebuilds include an updated config
>> file.
>
> Hmm ... it still complains here!
>
> error: error setting owner of /var/log/portage/elog/summary.log-20110801.gz:
> Operation not permitted
>
>
> This is my /etc/logrotate.d/elog-save-summary:
> ===================================
> /var/log/portage/elog/summary.log {
> su portage portage
> missingok
> nocreate
> delaycompress
> }
> ===================================
>
> # ls -la /var/log/portage/elog/summary.log
> -rw-rw-r-- 1 root portage 4326 Aug 6 09:44 /var/log/portage/elog/summary.log
>
> Can you see anything amiss?
At least on my system, /var/log/portage has the following permissions:
drwxr-xr-x root root
Only root can write, therefore the config must read
/var/log/portage/elog/summary.log {
    su root portage
    missingok
    nocreate
    delaycompress
}
Hope this helps,
Florian Philipp
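
The two complaints seen so far in this thread, replayed as an added example (not part of any message here and not logrotate's own code). It applies the rule stated in the cron mail plus ordinary Unix ownership semantics to `ls -l` lines; the function names are hypothetical and the ROOT_DIR line is constructed from the "drwxr-xr-x root root" description.

```python
# Added example: a model of the two logrotate complaints in this thread.
# Input is `ls -l` style lines; link counts, sizes and dates are ignored.

def parse_ls(line):
    """Return (mode_string, owner, group) from one `ls -l` line."""
    fields = line.split()
    return fields[0], fields[2], fields[3]

def parent_insecure(dir_line):
    """Rule stated in the cron mail: world writable, or writable by a
    group that is not root."""
    mode, _owner, group = parse_ls(dir_line)
    world_writable = mode[8] == "w"
    group_writable = mode[5] == "w"
    return world_writable or (group_writable and group != "root")

def can_create_in(dir_line, user, group):
    """Can user:group create the rotated file in this directory?
    Simplified: supplementary groups and ACLs are not considered."""
    mode, dir_owner, dir_group = parse_ls(dir_line)
    if user == "root":
        return True
    if user == dir_owner:
        return mode[2] == "w"
    if group == dir_group:
        return mode[5] == "w"
    return mode[8] == "w"

def audit(dir_line, log_line, su=None):
    """Problems a rotation would hit; su is a (user, group) pair or None."""
    problems = []
    log_owner = parse_ls(log_line)[1]
    if su is None:
        if parent_insecure(dir_line):
            problems.append("insecure parent directory: set 'su'")
        return problems
    user, group = su
    if not can_create_in(dir_line, user, group):
        problems.append("su user cannot write to the parent directory")
    # Only root may give a file away, so a non-root su user cannot put
    # a different owner back on the rotated copy.
    if user != "root" and user != log_owner:
        problems.append("cannot set owner " + log_owner)
    return problems

# Listings quoted in the thread (ROOT_DIR is constructed from the
# "drwxr-xr-x root root" description; its other fields are filler).
ELOG_DIR = "drwxrws--- 2 portage portage 4096 Jun 1 2010 elog"
ROOT_DIR = "drwxr-xr-x 4 root root 4096 Jun 1 2010 portage"
SUMMARY = "-rw-rw-r-- 1 root portage 4326 Aug 6 09:44 summary.log"

if __name__ == "__main__":
    for su in (None, ("portage", "portage"), ("root", "portage")):
        print(su, audit(ELOG_DIR, SUMMARY, su))
```
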
* Re: [gentoo-user] logrotate: /var/log/portage/elog "insecure permissions"?
From: Mick @ 2011-08-09 20:13 UTC
To: gentoo-user
On Sunday 07 Aug 2011 16:20:18 Florian Philipp wrote:
> On 07.08.2011 02:22, Mick wrote:
> > On Friday 05 Aug 2011 23:08:38 Neil Bothwick wrote:
> >> On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
> >>> Yes, this was introduced in 3.8.0 to fix security issues [1]. Change
> >>> your config to look like this:
> >>> /var/log/portage/elog/summary.log {
> >>> su portage portage
> >>> ...
> >>> }
> >>>
> >>> Disclaimer: I've not really tried this (yet) but I think I'm able to
> >>> read changelogs and man-pages. ;-)
> >>
> >> Yes that fixes it. The latest portage ebuilds include an updated config
> >> file.
> >
> > Hmm ... it still complains here!
> >
> > error: error setting owner of
> > /var/log/portage/elog/summary.log-20110801.gz: Operation not permitted
> >
> >
> > This is my /etc/logrotate.d/elog-save-summary:
> > ===================================
> > /var/log/portage/elog/summary.log {
> >
> > su portage portage
> >
> > missingok
> > nocreate
> > delaycompress
> >
> > }
> > ===================================
> >
> > # ls -la /var/log/portage/elog/summary.log
> > -rw-rw-r-- 1 root portage 4326 Aug 6 09:44
> > /var/log/portage/elog/summary.log
> >
> > Can you see anything amiss?
>
> At least on my system, /var/log/portage has the following permissions:
> drwxr-xr-x root root
>
> Only root can write, therefore the config must read
>
> /var/log/portage/elog/summary.log {
> su root portage
> missingok
> nocreate
> delaycompress
> }
>
> Hope this helps,
> Florian Philipp
Thanks for this Florian,
It is interesting that two of my machines actually are set up like this:
drwxrws--- 2 portage portage 240 Aug 9 21:07 elog
and /var/log/portage is also set up like this:
drwxrws--- 4 portage portage 7152 Aug 7 18:04 portage
However, I can't remember if I set it up like that myself (these are old
machines). The latest and newest installation on a third box looks just like
yours.
--
Regards,
Mick
* Re: [gentoo-user] logrotate: /var/log/portage/elog "insecure permissions"?
From: Mick @ 2011-08-28 11:14 UTC
To: gentoo-user
On Sunday 07 Aug 2011 16:20:18 Florian Philipp wrote:
> On 07.08.2011 02:22, Mick wrote:
> > On Friday 05 Aug 2011 23:08:38 Neil Bothwick wrote:
> >> On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
> >>> Yes, this was introduced in 3.8.0 to fix security issues [1]. Change
> >>> your config to look like this:
> >>> /var/log/portage/elog/summary.log {
> >>> su portage portage
> >>> ...
> >>> }
> >>>
> >>> Disclaimer: I've not really tried this (yet) but I think I'm able to
> >>> read changelogs and man-pages. ;-)
> >>
> >> Yes that fixes it. The latest portage ebuilds include an updated config
> >> file.
> >
> > Hmm ... it still complains here!
> >
> > error: error setting owner of
> > /var/log/portage/elog/summary.log-20110801.gz: Operation not permitted
> >
> >
> > This is my /etc/logrotate.d/elog-save-summary:
> > ===================================
> > /var/log/portage/elog/summary.log {
> >
> > su portage portage
> >
> > missingok
> > nocreate
> > delaycompress
> >
> > }
> > ===================================
> >
> > # ls -la /var/log/portage/elog/summary.log
> > -rw-rw-r-- 1 root portage 4326 Aug 6 09:44
> > /var/log/portage/elog/summary.log
> >
> > Can you see anything amiss?
>
> At least on my system, /var/log/portage has the following permissions:
> drwxr-xr-x root root
>
> Only root can write, therefore the config must read
>
> /var/log/portage/elog/summary.log {
> su root portage
> missingok
> nocreate
> delaycompress
> }
The latest logrotate update wanted to change the above line from su root
portage to su portage portage ...
Should I be changing the ownership of /var/log/portage and /var/log/portage
elog?
--
Regards,
Mick
* Re: [gentoo-user] logrotate: /var/log/portage/elog "insecure permissions"?
From: Florian Philipp @ 2011-08-28 18:44 UTC
To: gentoo-user
On 28.08.2011 13:14, Mick wrote:
> On Sunday 07 Aug 2011 16:20:18 Florian Philipp wrote:
>> On 07.08.2011 02:22, Mick wrote:
>>> On Friday 05 Aug 2011 23:08:38 Neil Bothwick wrote:
>>>> On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
>>>>> Yes, this was introduced in 3.8.0 to fix security issues [1]. Change
>>>>> your config to look like this:
>>>>> /var/log/portage/elog/summary.log {
>>>>> su portage portage
>>>>> ...
>>>>> }
>>>>>
>>>>> Disclaimer: I've not really tried this (yet) but I think I'm able to
>>>>> read changelogs and man-pages. ;-)
>>>>
>>>> Yes that fixes it. The latest portage ebuilds include an updated config
>>>> file.
>>>
>>> Hmm ... it still complains here!
>>>
>>> error: error setting owner of
>>> /var/log/portage/elog/summary.log-20110801.gz: Operation not permitted
>>>
>>>
>>> This is my /etc/logrotate.d/elog-save-summary:
>>> ===================================
>>> /var/log/portage/elog/summary.log {
>>>
>>> su portage portage
>>>
>>> missingok
>>> nocreate
>>> delaycompress
>>>
>>> }
>>> ===================================
>>>
>>> # ls -la /var/log/portage/elog/summary.log
>>> -rw-rw-r-- 1 root portage 4326 Aug 6 09:44
>>> /var/log/portage/elog/summary.log
>>>
>>> Can you see anything amiss?
>>
>> At least on my system, /var/log/portage has the following permissions:
>> drwxr-xr-x root root
>>
>> Only root can write, therefore the config must read
>>
>> /var/log/portage/elog/summary.log {
>> su root portage
>> missingok
>> nocreate
>> delaycompress
>> }
>
> The latest logrotate update wanted to change the above line from su root
> portage to su portage portage ...
>
> Should I be changing the ownership of /var/log/portage and /var/log/portage
> elog?
Unless portage now drops privileges from root:portage to portage:portage
for writing logs, no one except root should be allowed to write in
/var/log/portage. So, from my point of view, the answer is no.
It seems so:
https://bugs.gentoo.org/show_bug.cgi?id=374287
https://bugs.gentoo.org/show_bug.cgi?id=378451
This version of portage has just been stabilized this week.
Regards,
Florian Philipp
* Re: [gentoo-user] logrotate: /var/log/portage/elog "insecure permissions"?
From: Florian Philipp @ 2011-08-29 13:42 UTC
To: gentoo-user
On 28.08.2011 20:44, Florian Philipp wrote:
> On 28.08.2011 13:14, Mick wrote:
>> On Sunday 07 Aug 2011 16:20:18 Florian Philipp wrote:
>>> On 07.08.2011 02:22, Mick wrote:
>>>> On Friday 05 Aug 2011 23:08:38 Neil Bothwick wrote:
>>>>> On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
>>>>>> Yes, this was introduced in 3.8.0 to fix security issues [1]. Change
>>>>>> your config to look like this:
>>>>>> /var/log/portage/elog/summary.log {
>>>>>> su portage portage
>>>>>> ...
>>>>>> }
>>>>>>
>>>>>> Disclaimer: I've not really tried this (yet) but I think I'm able to
>>>>>> read changelogs and man-pages. ;-)
>>>>>
>>>>> Yes that fixes it. The latest portage ebuilds include an updated config
>>>>> file.
>>>>
>>>> Hmm ... it still complains here!
>>>>
>>>> error: error setting owner of
>>>> /var/log/portage/elog/summary.log-20110801.gz: Operation not permitted
>>>>
>>>>
>>>> This is my /etc/logrotate.d/elog-save-summary:
>>>> ===================================
>>>> /var/log/portage/elog/summary.log {
>>>>
>>>> su portage portage
>>>>
>>>> missingok
>>>> nocreate
>>>> delaycompress
>>>>
>>>> }
>>>> ===================================
>>>>
>>>> # ls -la /var/log/portage/elog/summary.log
>>>> -rw-rw-r-- 1 root portage 4326 Aug 6 09:44
>>>> /var/log/portage/elog/summary.log
>>>>
>>>> Can you see anything amiss?
>>>
>>> At least on my system, /var/log/portage has the following permissions:
>>> drwxr-xr-x root root
>>>
>>> Only root can write, therefore the config must read
>>>
>>> /var/log/portage/elog/summary.log {
>>> su root portage
>>> missingok
>>> nocreate
>>> delaycompress
>>> }
>>
>> The latest logrotate update wanted to change the above line from su root
>> portage to su portage portage ...
>>
>> Should I be changing the ownership of /var/log/portage and /var/log/portage
>> elog?
>
> Unless portage now drops privileges from root:portage to portage:portage
> for writing logs, no one except root should be allowed to write in
> /var/log/portage. So, from my point of view, the answer is no.
>
> It seems so:
> https://bugs.gentoo.org/show_bug.cgi?id=374287
> https://bugs.gentoo.org/show_bug.cgi?id=378451
>
> This version of portage has just been stabilized this week.
>
> Regards,
> Florian Philipp
>
Argh, sorry. I just saw that I forgot to delete the first paragraph
after looking at portage's changelog. The answer is yes, not no. ;)