Package: tinyproxy
Version: 1.10.0-2
Severity: critical
Justification: breaks unrelated software

Dear Maintainer,

   * What led up to the situation?

I configured tinyproxy without a PidFile.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

I removed the PidFile configuration option from tinyproxy.conf

   * What was the outcome of this action?

The next run of logrotate changed the owner and group of my root directory (`/`) to tinyproxy:tinyproxy.

   * What outcome did you expect instead?

I expected that not to happen.

Example demonstrating the issue in a fresh VM:

    root@debian-2gb-fsn1-1:~# stat /
      File: /
      Size: 4096 Blocks: 8 IO Block: 4096 directory
    Device: 801h/2049d Inode: 2 Links: 18
    Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
    Access: 2019-12-08 05:11:02.514309382 +0100
    Modify: 2020-01-06 01:51:41.524000000 +0100
    Change: 2020-01-06 01:51:41.524000000 +0100
     Birth: -
    root@debian-2gb-fsn1-1:~# apt-get install -yyyyqqqq tinyproxy
    Selecting previously unselected package tinyproxy-bin.
    (Reading database ... 35006 files and directories currently installed.)
    Preparing to unpack .../tinyproxy-bin_1.10.0-2_amd64.deb ...
    Unpacking tinyproxy-bin (1.10.0-2) ...
    Selecting previously unselected package tinyproxy.
    Preparing to unpack .../tinyproxy_1.10.0-2_all.deb ...
    Unpacking tinyproxy (1.10.0-2) ...
    Setting up tinyproxy-bin (1.10.0-2) ...
    Setting up tinyproxy (1.10.0-2) ...
    Created symlink /etc/systemd/system/multi-user.target.wants/tinyproxy.service → /lib/systemd/system/tinyproxy.service.
    Processing triggers for man-db (2.8.5-2) ...
    Processing triggers for systemd (241-7~deb10u2) ...
    root@debian-2gb-fsn1-1:~# grep PidFile /etc/tinyproxy/tinyproxy.conf
    # PidFile: Write the PID of the main tinyproxy thread to this file so it
    PidFile "/run/tinyproxy/tinyproxy.pid"
    root@debian-2gb-fsn1-1:~# sed -i '/PidFile/d' /etc/tinyproxy/tinyproxy.conf
    root@debian-2gb-fsn1-1:~# grep PidFile /etc/tinyproxy/tinyproxy.conf
    root@debian-2gb-fsn1-1:~# systemctl start logrotate
    root@debian-2gb-fsn1-1:~# sed -i 's/2020/2019/g' /var/lib/logrotate/status
    root@debian-2gb-fsn1-1:~# systemctl start logrotate
    root@debian-2gb-fsn1-1:~# stat /
      File: /
      Size: 4096 Blocks: 8 IO Block: 4096 directory
    Device: 801h/2049d Inode: 2 Links: 18
    Access: (0755/drwxr-xr-x) Uid: ( 106/tinyproxy) Gid: ( 112/tinyproxy)
    Access: 2019-12-08 05:11:02.514309382 +0100
    Modify: 2020-01-06 01:51:41.524000000 +0100
    Change: 2020-01-06 01:53:05.254019354 +0100
     Birth: -

Note that tinyproxy does not start up with this configuration, because systemd expects the PidFile to appear. For the machine where I noticed this issue I also adjusted the systemd unit to be of `Type=simple`.

While this configuration might not be common and not encountered by the average user, it introduced a possible security hole in my system, and even if this might not be fully exploitable by the `tinyproxy` user it breaks systemd-tmpfiles:

    Jan 06 01:57:53 debian-2gb-fsn1-1 systemd-tmpfiles[282]: Detected unsafe path transition / → /var during canonicalization of /var.

Thus I feel the severity of `critical` is justified for this bug report.

Best regards
Tim Düsterhus

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tinyproxy depends on:
ii  adduser        3.118
ii  logrotate      3.14.0-4
ii  lsb-base       10.2019051400
ii  tinyproxy-bin  1.10.0-2

tinyproxy recommends no packages.

tinyproxy suggests no packages.

-- Configuration Files:
/etc/tinyproxy/tinyproxy.conf changed:
User tinyproxy
Group tinyproxy
Port 8888
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
LogFile "/var/log/tinyproxy/tinyproxy.log"
LogLevel Info
MaxClients 100
MinSpareServers 5
MaxSpareServers 20
StartServers 10
MaxRequestsPerChild 0
Allow 127.0.0.1
ViaProxyName "tinyproxy"
ConnectPort 443
ConnectPort 563

-- no debconf information
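
The condition behind the systemd-tmpfiles message quoted in the report can be audited directly. The following is an added example, not part of the original report and not systemd's code: it walks an absolute path from `/` and flags a step from a directory owned by a non-root user into an entry owned by a different user. That ownership rule is stated here as an assumption about what systemd-tmpfiles checks; the function names are hypothetical and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: audit a path for the kind of ownership change the report
# describes (root directory owned by tinyproxy instead of root).

# Numeric owner of a path (GNU coreutils stat). Kept separate so the lookup
# can be replaced, e.g. to replay ownership recorded from another host.
owner_of() { stat -c %u -- "$1"; }

# Assumed rule: a step is unsafe when the parent is owned by a non-root
# user and the child is owned by a different user.
unsafe_transition() {  # $1 = parent uid, $2 = child uid
    [ "$1" -ne 0 ] && [ "$1" -ne "$2" ]
}

# Walk an absolute path component by component, starting at /.
# Returns 0 if every step is safe, 1 (and prints the step) on the first
# unsafe transition, 2 if an owner could not be determined.
check_path() {
    rest=${1#/}
    prev=/
    prev_uid=$(owner_of /) || return 2
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        [ -z "$comp" ] && continue      # skip empty components ("//")
        cur=${prev%/}/$comp
        cur_uid=$(owner_of "$cur") || return 2
        if unsafe_transition "$prev_uid" "$cur_uid"; then
            echo "unsafe path transition $prev (uid $prev_uid) -> $cur (uid $cur_uid)"
            return 1
        fi
        prev=$cur
        prev_uid=$cur_uid
    done
    return 0
}
```

Running `check_path /var` on a host in the state shown in the second `stat /` output would report the step from `/` to `/var`; on a host where `/` is owned by root it returns 0.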