Package: tinyproxy
Version: 1.10.0-2
Severity: critical
Justification: breaks unrelated software

Dear Maintainer,

   * What led up to the situation?

I configured tinyproxy without a PidFile.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

I removed the PidFile configuration option from tinyproxy.conf.

   * What was the outcome of this action?

The next run of logrotate changed the owner and group of my root
directory (`/`) to tinyproxy:tinyproxy.

   * What outcome did you expect instead?

I expected that not to happen.

Example demonstrating the issue in a fresh VM:

root@debian-2gb-fsn1-1:~# stat /
  File: /
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 801h/2049d      Inode: 2           Links: 18
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-12-08 05:11:02.514309382 +0100
Modify: 2020-01-06 01:51:41.524000000 +0100
Change: 2020-01-06 01:51:41.524000000 +0100
 Birth: -
root@debian-2gb-fsn1-1:~# apt-get install -yyyyqqqq tinyproxy
Selecting previously unselected package tinyproxy-bin.
(Reading database ... 35006 files and directories currently installed.)
Preparing to unpack .../tinyproxy-bin_1.10.0-2_amd64.deb ...
Unpacking tinyproxy-bin (1.10.0-2) ...
Selecting previously unselected package tinyproxy.
Preparing to unpack .../tinyproxy_1.10.0-2_all.deb ...
Unpacking tinyproxy (1.10.0-2) ...
Setting up tinyproxy-bin (1.10.0-2) ...
Setting up tinyproxy (1.10.0-2) ...
Created symlink /etc/systemd/system/multi-user.target.wants/tinyproxy.service → /lib/systemd/system/tinyproxy.service.
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for systemd (241-7~deb10u2) ...
root@debian-2gb-fsn1-1:~# grep PidFile /etc/tinyproxy/tinyproxy.conf
# PidFile: Write the PID of the main tinyproxy thread to this file so it
PidFile "/run/tinyproxy/tinyproxy.pid"
root@debian-2gb-fsn1-1:~# sed -i '/PidFile/d' /etc/tinyproxy/tinyproxy.conf
root@debian-2gb-fsn1-1:~# grep PidFile /etc/tinyproxy/tinyproxy.conf
root@debian-2gb-fsn1-1:~# systemctl start logrotate
root@debian-2gb-fsn1-1:~# sed -i 's/2020/2019/g' /var/lib/logrotate/status
root@debian-2gb-fsn1-1:~# systemctl start logrotate
root@debian-2gb-fsn1-1:~# stat /
  File: /
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 801h/2049d      Inode: 2           Links: 18
Access: (0755/drwxr-xr-x)  Uid: (  106/tinyproxy)   Gid: (  112/tinyproxy)
Access: 2019-12-08 05:11:02.514309382 +0100
Modify: 2020-01-06 01:51:41.524000000 +0100
Change: 2020-01-06 01:53:05.254019354 +0100
 Birth: -

Note that tinyproxy does not start up with this configuration, because systemd
expects the PidFile to appear. For the machine where I noticed this issue I also
adjusted the systemd unit to be of `Type=simple`.

While this configuration might not be common and not encountered by the average
user, it introduced a possible security hole in my system, and even if this might
not be fully exploitable by the `tinyproxy` user, it breaks systemd-tmpfiles:

Jan 06 01:57:53 debian-2gb-fsn1-1 systemd-tmpfiles[282]: Detected unsafe path transition / → /var during canonicalization of /var.

Thus I feel the severity of `critical` is justified for this bug report.

Best regards
Tim Düsterhus

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tinyproxy depends on:
ii  adduser        3.118
ii  logrotate      3.14.0-4
ii  lsb-base       10.2019051400
ii  tinyproxy-bin  1.10.0-2

tinyproxy recommends no packages.

tinyproxy suggests no packages.

-- Configuration Files:
/etc/tinyproxy/tinyproxy.conf changed:
User tinyproxy
Group tinyproxy
Port 8888
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
LogFile "/var/log/tinyproxy/tinyproxy.log"
LogLevel Info
MaxClients 100
MinSpareServers 5
MaxSpareServers 20
StartServers 10
MaxRequestsPerChild 0
Allow 127.0.0.1
ViaProxyName "tinyproxy"
ConnectPort 443
ConnectPort 563


-- no debconf information
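
The report does not show the script that performed the chown. The following is an added example, not code from the report or from the tinyproxy package: it assumes a maintenance script that derives a directory from the PidFile directive before changing its ownership, and shows how an absent directive turns into "." alongside a guard that refuses such values. The function names are hypothetical and the sample configs are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample configs are constructed.

# Print the value of the last quoted PidFile directive, or nothing if absent.
conf_pidfile() {
    sed -n 's/^PidFile[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Unguarded derivation (assumed failure mode): an absent directive yields an
# empty string, and dirname "" prints ".", the caller's working directory.
naive_pid_dir() {
    dirname "$(conf_pidfile "$1")"
}

# Guarded derivation: succeed only for an absolute path whose parent
# directory is not "/"; otherwise print nothing and return non-zero.
safe_pid_dir() {
    pidfile=$(conf_pidfile "$1")
    case "$pidfile" in
        /*) ;;            # absolute path, keep going
        *)  return 1 ;;   # empty or relative, refuse
    esac
    dir=$(dirname "$pidfile")
    [ "$dir" != "/" ] || return 1
    printf '%s\n' "$dir"
}

# Demo on constructed configs: one with the directive, one without.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'User tinyproxy' 'PidFile "/run/tinyproxy/tinyproxy.pid"' > "$tmp/with.conf"
    printf '%s\n' 'User tinyproxy' 'Port 8888' > "$tmp/without.conf"
    for f in with without; do
        echo "$f: naive=$(naive_pid_dir "$tmp/$f.conf") safe=$(safe_pid_dir "$tmp/$f.conf" || echo REFUSED)"
    done
    rm -rf "$tmp"
}
demo
```

A caller would run its ownership change only when `safe_pid_dir` succeeds, so a missing directive skips the step instead of acting on the working directory.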
