From: Florian Philipp
Date: Mon, 29 Aug 2011 15:42:24 +0200
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] logrotate: /var/log/portage/elog "insecure permissions"?
Message-ID: <4E5B9740.8050904@binarywings.net>
In-Reply-To: <4E5A8C84.5080605@binarywings.net>

On 28.08.2011 20:44, Florian Philipp wrote:
> On 28.08.2011 13:14, Mick wrote:
>> On Sunday 07 Aug 2011 16:20:18 Florian Philipp wrote:
>>> On 07.08.2011 02:22, Mick wrote:
>>>> On Friday 05 Aug 2011 23:08:38 Neil Bothwick wrote:
>>>>> On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
>>>>>> Yes, this was introduced in 3.8.0 to fix security issues [1]. Change
>>>>>> your config to look like this:
>>>>>> /var/log/portage/elog/summary.log {
>>>>>>     su portage portage
>>>>>>     ...
>>>>>> }
>>>>>>
>>>>>> Disclaimer: I've not really tried this (yet) but I think I'm able to
>>>>>> read changelogs and man-pages. ;-)
>>>>>
>>>>> Yes that fixes it. The latest portage ebuilds include an updated config
>>>>> file.
>>>>
>>>> Hmm ... it still complains here!
>>>>
>>>> error: error setting owner of
>>>> /var/log/portage/elog/summary.log-20110801.gz: Operation not permitted
>>>>
>>>>
>>>> This is my /etc/logrotate.d/elog-save-summary:
>>>> ===================================
>>>> /var/log/portage/elog/summary.log {
>>>>
>>>>     su portage portage
>>>>
>>>>     missingok
>>>>     nocreate
>>>>     delaycompress
>>>>
>>>> }
>>>> ===================================
>>>>
>>>> # ls -la /var/log/portage/elog/summary.log
>>>> -rw-rw-r-- 1 root portage 4326 Aug 6 09:44
>>>> /var/log/portage/elog/summary.log
>>>>
>>>> Can you see anything amiss?
>>>
>>> At least on my system, /var/log/portage has the following permissions:
>>> drwxr-xr-x root root
>>>
>>> Only root can write, therefore the config must read
>>>
>>> /var/log/portage/elog/summary.log {
>>>     su root portage
>>>     missingok
>>>     nocreate
>>>     delaycompress
>>> }
>>
>> The latest logrotate update wanted to change the above line from su root
>> portage to su portage portage ...
>>
>> Should I be changing the ownership of /var/log/portage and /var/log/portage
>> elog?
>
> Unless portage now drops privileges from root:portage to portage:portage
> for writing logs, no one except root should be allowed to write in
> /var/log/portage. So, from my point of view, the answer is no.
>
> It seems so:
> https://bugs.gentoo.org/show_bug.cgi?id=374287
> https://bugs.gentoo.org/show_bug.cgi?id=378451
>
> This version of portage has just been stabilized this week.
>
> Regards,
> Florian Philipp
>

Argh, sorry. I just saw that I forgot to delete the first paragraph
after looking at portage's changelog. The answer is yes, not no. ;)
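
The reasoning in this thread, as an added example that is not part of the original messages: a simplified Python model of the parent-directory test behind logrotate's "insecure permissions" error, and of whether the identity named in a `su` line can write rotated files in that directory. The uid/gid 250 used for portage and the directory modes are constructed sample values; ACLs and supplementary groups are ignored.

```python
import os
import stat

OK = "ok"
SKIPPED = "skipped: parent directory has insecure permissions"
NO_WRITE = "fails: su identity cannot write to the directory"

def insecure_parent(mode, gid):
    """Model of the test a root-run logrotate (3.8.0+) applies when a log
    section has no 'su' line: the parent directory is world-writable, or
    writable by a group other than root (gid 0)."""
    return bool(mode & stat.S_IWOTH) or bool(mode & stat.S_IWGRP and gid != 0)

def can_create_in(mode, dir_uid, dir_gid, uid, gid):
    """Can uid:gid (the 'su' identity) create files in the directory?
    Classic owner/group/other evaluation; needs both write and search."""
    if uid == 0:
        return True
    if uid == dir_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif gid == dir_gid:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (mode & need) == need

def review(mode, dir_uid, dir_gid, su=None):
    """su is None (no directive) or a (uid, gid) pair from the 'su' line."""
    if su is None:
        return SKIPPED if insecure_parent(mode, dir_gid) else OK
    return OK if can_create_in(mode, dir_uid, dir_gid, *su) else NO_WRITE

def review_path(log_path, su=None):
    """Same verdict for a real log file, using its parent directory's stat."""
    st = os.stat(os.path.dirname(os.path.abspath(log_path)))
    return review(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, su)

PORTAGE = 250  # assumed uid and gid of the portage account (sample value)

if __name__ == "__main__":
    # drwxr-xr-x root root, as quoted in the thread
    print(review(0o755, 0, 0, su=(PORTAGE, PORTAGE)))    # su portage portage
    print(review(0o755, 0, 0, su=(0, PORTAGE)))          # su root portage
    # constructed: directory group-writable by portage
    print(review(0o2775, 0, PORTAGE))                     # no su line
    print(review(0o2775, 0, PORTAGE, su=(PORTAGE, PORTAGE)))
```

On a live system, `review_path("/var/log/portage/elog/summary.log", su=(uid, gid))` applies the same model to the directory's actual mode and ownership.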