Hi Diego,
thanks for the hint. I've just uploaded a package where /var/log/jmodeltest is
set to 1777.
Kind regards
Andreas.
On Fri, May 27, 2016 at 06:39:27PM +0200, Diego Darriba wrote:
> Hi Andreas,
>
> Log files can be used as checkpoint files for restarting a failed execution,
> and also for checking
> PhyML output in case of an external error. The name of the log files is the
> name of the input
> alignment followed by the timestamp. There is no reason for using this naming
> convention, apart from
> being more user-friendly, so they could be randomly generated as well.
>
> I'd suggest using /var/log/jmodeltest rather than the home directory by default,
> because probably
> nobody expects a tool to automatically generate files there. The user can
> change the log directory
> or disable logging in jmodeltest.conf file.
>
> Best Regards,
> Diego.
>
> On 25.05.2016 08:19, Andreas Tille wrote:
> > Hi Diego,
> >
> > I received a bug report about the way I've chosen to enable logging for
> > jmodeltest. Since the dist.dir is under /usr and you should be able
> > to mount /usr read-only, you cannot write log files there. So I
> > decided to do the logging to /var/log/jmodeltest and made the mistake
> > of setting permissions to 777 instead of 1777 (see below or the full bug
> > report[1]).
> >
> > Before I upload a fix I would like to know the role of these
> > log files, their intention, and whether you might consider using mktemp to
> > safely create logs with unpredictable names.
> >
> > Another solution would be to keep the logs in users homes in case the
> > log is for the single user anyway.
> >
> > Kind regards
> >
> > Andreas.
> >
> > [1] https://bugs.debian.org/825119
> >
> > ----- Forwarded message from Andreas Beckmann <[email protected]> -----
> >
> > Date: Tue, 24 May 2016 18:19:04 +0200
> > From: Andreas Beckmann <[email protected]>
> > To: Andreas Tille <[email protected]>, [email protected]
> > Subject: Re: Bug#825119: jmodeltest: creates world writable
> > /var/log/jmodeltest
> >
> > On 2016-05-24 17:10, Andreas Tille wrote:
> >> Hi Andreas,
> >>
> >> thanks for running these tests. Could you please be more verbose on
> >> how far it is a problem if a program enables users to write logs in a
> >> collective place, when the intention is exactly to enable users to write
> >> there?
> >>
> >> I confirm that it's possible for other users to delete / change logs.
> >> Well, yes, that could happen, but it's not security relevant in my eyes.
> >> Any better suggestion is welcome.
> >
> > Perhaps you want 1777?
> >
> > Are the logfile names predictable? Created in a safe way?
> >
> > eve $ ln -sf /home/bob/important.file /var/log/jmodeltest/bob.log
> > bob $ run_jmodeltest # overwrites /home/bob/important.file ?
> >
> >
> > Andreas
> >
> >
> >
> > ----- End forwarded message -----
> >
>
>
--
http://fam-tille.de
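The thread raises two separate points: the sticky bit (1777) stops users from deleting or renaming each other's files in a shared directory, but it does nothing against a link planted under a predictable name, which is why mktemp-style unpredictable names (or an open that refuses to follow links) were asked for. The following added example, not from the jmodeltest project or any of the posters, shows the two mitigations side by side: a permission check for the shared directory, a creator for a predictable name that uses O_CREAT|O_EXCL|O_NOFOLLOW so a pre-planted link makes the open fail instead of writing through it, and a mkstemp-based creator for an unpredictable name. The scenario it runs (a temporary 1777 directory, a user's private file, a link planted at `bob.log`) is constructed inline to mirror the bug report; the directory and file names are assumptions for the demonstration only.

```python
import os
import shutil
import stat
import tempfile

# O_EXCL: fail if the name already exists (a real file or any symlink).
# O_NOFOLLOW: fail if the final path component is a symlink.
# Together they refuse a pre-planted link instead of writing through it.
SAFE_CREATE_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)


def shared_log_dir_ok(path):
    """A shared log directory is acceptable if it is not world-writable at
    all, or if it is world-writable *with* the sticky bit (mode 1777), so
    users cannot remove or rename files they do not own."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_mode & stat.S_IWOTH:
        return bool(st.st_mode & stat.S_ISVTX)
    return True


def create_log_predictable(log_dir, name):
    """Create a log under a predictable name without following links or
    clobbering an existing file. Raises FileExistsError if the name is
    already taken, which is the safe outcome for a planted link."""
    path = os.path.join(log_dir, name)
    fd = os.open(path, SAFE_CREATE_FLAGS, 0o600)
    return fd, path


def create_log_unpredictable(log_dir, prefix):
    """mktemp-style creation: mkstemp picks an unpredictable name and creates
    it atomically with O_EXCL and mode 0600, so there is no name to plant."""
    return tempfile.mkstemp(prefix=prefix + ".", suffix=".log", dir=log_dir)


def run_demo():
    """Constructed scenario (not a real system path): a 1777 log directory,
    a user's private file, and a link planted under the predictable name."""
    log_dir = tempfile.mkdtemp(prefix="jmodeltest-demo-")
    os.chmod(log_dir, 0o1777)
    plain_777 = tempfile.mkdtemp(prefix="jmodeltest-bad-")
    os.chmod(plain_777, 0o777)  # world-writable without the sticky bit
    home = tempfile.mkdtemp(prefix="bob-home-")
    important = os.path.join(home, "important.file")
    with open(important, "w") as f:
        f.write("keep me\n")
    os.symlink(important, os.path.join(log_dir, "bob.log"))  # the planted link

    results = {
        "dir_ok": shared_log_dir_ok(log_dir),
        "plain_777_rejected": not shared_log_dir_ok(plain_777),
    }
    # Predictable name: the hardened open must refuse the planted link.
    try:
        fd, _ = create_log_predictable(log_dir, "bob.log")
        os.write(fd, b"log line\n")
        os.close(fd)
        results["predictable_refused"] = False
    except FileExistsError:
        results["predictable_refused"] = True
    with open(important) as f:
        results["important_intact"] = f.read() == "keep me\n"

    # Unpredictable name: creation succeeds, inside the log dir, mode 0600.
    fd, path = create_log_unpredictable(log_dir, "bob")
    os.write(fd, b"log line\n")
    os.close(fd)
    results["random_name_created"] = (
        os.path.isfile(path) and os.path.dirname(path) == log_dir
    )
    results["random_mode_0600"] = stat.S_IMODE(os.stat(path).st_mode) == 0o600

    for d in (log_dir, plain_777, home):
        shutil.rmtree(d)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The directory check is what a package maintainer can enforce at install time; the open flags are what the program itself needs, because the sticky bit alone does not stop a link being created under a name the attacker can predict. Of the two creators, the mkstemp one is the simpler fix and matches the mktemp suggestion in the thread.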