Package: webalizer
Version: 2.23.05-1
Severity: normal

Dear Maintainer,

we have configured our logrotate to use the "dateext" flag for the Apache
access.log, that is, our logs are named as follows:

dev2.iserv.eu ~ # ll /var/log/apache2/access.log* --sort=time | head
-rw-r----- 1 root adm  4929419 Jan 30 14:20 /var/log/apache2/access.log
lrwxrwxrwx 1 root root      36 Jan 30 00:00 /var/log/apache2/access.log.1 -> /var/log/apache2/access.log-20140130
-rw-r----- 1 root adm  9281394 Jan 29 23:59 /var/log/apache2/access.log-20140130
-rw-r----- 1 root adm   223778 Jan 29 00:00 /var/log/apache2/access.log-20140129.gz
-rw-r----- 1 root adm   199630 Jan 27 23:59 /var/log/apache2/access.log-20140128.gz

We want webalizer to always read the last complete log (access.log.1 if you
don't use the "dateext" flag) and so we've written a shell script that sets up
a symlink after the log has been rotated (see the symlink access.log.1 in the
ls output above). This worked fine until we upgraded our machines to Debian
wheezy; since then, webalizer no longer works. If I run the command manually
I get this error message:

dev2.iserv.eu ~ # LANG=C /usr/bin/webalizer -c /etc/webalizer/webalizer.conf
Webalizer V2.23-05 (Linux 3.10-0.bpo.3-amd64 x86_64) locale: 
/var/log/apache2/access.log.1
Error: Can't open log file /var/log/apache2/access.log.1 (symlink)

I assume this is related to a symlink vulnerability that I've read about in
another bug report (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=359745).

I don't see why a symlinked log would be unsafe though. Is it possible that
the fix for the symlink vulnerability broke this unnecessarily? Could the
original behaviour be restored so that our configuration works again?

-- System Information:
Debian Release: 7.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.10-0.bpo.3-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages webalizer depends on:
ii  debconf [debconf-2.0]  1.5.49
ii  libc6                  2.13-38
ii  libdb5.1               5.1.29-5
ii  libgd2-xpm             2.0.36~rc1~dfsg-6.1
ii  libgeoip1              1.4.8+dfsg-3
ii  libpng12-0             1.2.49-1
ii  zlib1g                 1:1.2.7.dfsg-13

webalizer recommends no packages.

Versions of packages webalizer suggests:
ii  apache2-mpm-prefork [httpd]  2.2.22-13

-- debconf information:
* webalizer/logfile: /var/log/apache2/access.log.1
* webalizer/doc_title: Webserver Usage statistics for
  webalizer/upgrading:
* webalizer/dnscache: false
* webalizer/directory: /var/www/webalizer
  webalizer/upgrade2011030:
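
A workaround sketch for the setup described in this report, added here as an example and not part of the original message or of webalizer: resolve the access.log.1 symlink first, confirm the target is a regular file directly inside the log directory, and hand webalizer the real path as its log-file argument. The function name resolve_log is hypothetical, and readlink -f assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the report): resolve the "last complete log"
# symlink before passing it to a tool that refuses to open symlinks.

# resolve_log LINK LOGDIR   (hypothetical helper name)
# Prints the canonical path of LINK if it resolves to a regular file that
# sits directly inside LOGDIR. Prints nothing and returns non-zero otherwise.
resolve_log() {
    link=$1
    # Canonicalise the directory too, so the comparison below is
    # between two fully resolved paths.
    logdir=$(readlink -f -- "$2") || return 1
    # readlink -f follows every symlink in the path (GNU coreutils).
    target=$(readlink -f -- "$link") || return 1
    # A dangling link still resolves to a path; require a regular file.
    [ -f "$target" ] || return 1
    # Reject links that lead out of the log directory.
    [ "$(dirname -- "$target")" = "$logdir" ] || return 1
    printf '%s\n' "$target"
}

# Usage with the paths from the report:
#   log=$(resolve_log /var/log/apache2/access.log.1 /var/log/apache2) &&
#       webalizer -c /etc/webalizer/webalizer.conf "$log"
```

The directory check means a link that was redirected outside /var/log/apache2 is rejected rather than followed.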

