Bug#1014732: logrotate: daily mail “error: state file /var/lib/logrotate/status is world-readable and thus…”

2022-08-05 Thread Thorsten Glaser
Dixi quod…

>I got a new version of logrotate on multiple systems due to the
>security/point release, and since then I get, every night, from
>all of them, this:

After a while, I can now say it’s only once for every system,
but I had upgraded several in waves and over nights, so the
eMails spread out enough for me to think it was occurring for
every system every night.

I guess someone forgot a chmod in postinst or something. The
proposed patch is certainly overkill if not even wrong.

bye,
//mirabilos
-- 
15:41⎜ Somebody write a testsuite for helloworld :-)



Bug#1014732: logrotate: daily mail "error: state file /var/lib/logrotate/status is world-readable and thus…"

2022-07-14 Thread Patrik Schindler
I observe the same behavior. 

Since there seems updated package being available, I apparently need to fix the 
logrotate script myself to not get mail every other day from multiple dozens of 
machines…

:wq! PoC



Bug#1014732: logrotate: daily mail “error: state file /var/lib/logrotate/status is world-readable and thus…”

2022-07-10 Thread Brad Barnett


Can confirm this bug here, and an updated patch fixes this.

See:

https://bugzilla.redhat.com/show_bug.cgi?id=2090926

And:

https://github.com/logrotate/logrotate/commit/31cf1099ab8514dfcae5a980bc77352edd5292f8


Suggest at the very least, this is updated in Debian for the next point
release.  This is a very misleading error message as it stands.  Very.



Bug#1014732: logrotate: daily mail “error: state file /var/lib/logrotate/status is world-readable and thus…”

2022-07-10 Thread Thorsten Glaser
Package: logrotate
Version: 3.18.0-2+deb11u1
Severity: important
X-Debbugs-Cc: t...@mirbsd.de, t...@security.debian.org

I got a new version of logrotate on multiple systems due to the
security/point release, and since then I get, every night, from
all of them, this:

│Subject: Anacron job 'cron.daily' on $hostname
│
│/etc/cron.daily/logrotate:
│error: state file /var/lib/logrotate/status is world-readable and thus can be locked from other unprivileged
│users. Skipping lock acquisition...

This is new and very annoying.

And wrong:

$ lo /var/lib/logrotate/
total 12
drwxr-xr-x  2 root root 4096 10. Jul 07:55 ./
drwxr-xr-x 80 root root 4096 10. Jun 00:01 ../
-rw-r-----  1 root root 2952 10. Jul 07:55 status

(At least it is wrong now; no idea if it is also wrong during
that cronjob’s run.)

It should be noted I have both cron and anacron installed, in
case that matters.


-- Package-specific info:
Contents of /etc/logrotate.d
total 28
-rw-r--r-- 1 root root  120 Jan 30  2021 alternatives
-rw-r--r-- 1 root root  173 Jun 10  2021 apt
-rw-r--r-- 1 root root  130 Oct 14  2019 btmp
-rw-r--r-- 1 root root  112 Jan 30  2021 dpkg
-rw-r--r-- 1 root root 1487 Jan 19  2021 inetutils-syslogd
-rw-r--r-- 1 root root  298 Apr 21  2021 stunnel4
-rw-r--r-- 1 root root  145 Oct 14  2019 wtmp


-- System Information:
Debian Release: 11.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-14-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=C, LC_CTYPE=C (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages logrotate depends on:
ii  anacron 2.3-30
ii  cron [cron-daemon]  3.0pl1-137
ii  libacl1 2.2.53-10
ii  libc6   2.31-13+deb11u3
ii  libpopt0 1.18-2
ii  libselinux1 3.1-3

Versions of packages logrotate recommends:
ii  bsd-mailx [mailx]  8.1.2-0.20180807cvs-2

logrotate suggests no packages.

-- no debconf information
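
A check for the condition the error message names, as an added example that is not part of the thread and is not logrotate's own code. It assumes GNU `stat` and that "world-readable" means the other-read bit is set; the function names are hypothetical, and `fix_state_file` follows the "forgotten chmod" guess above rather than a confirmed fix.

```shell
#!/bin/sh
# Added example (not from the thread or from logrotate).
# Assumption: "world-readable" means the other-read bit (octal 0004) is set.
# Function names are hypothetical; stat -c is GNU coreutils syntax.

STATE_FILE=/var/lib/logrotate/status   # path taken from the error message

# Print the octal permission bits of a file, e.g. 640.
file_mode() {
    stat -c '%a' -- "$1"
}

# Exit status 0 if the other-read bit is set, 1 if not, 2 if stat fails.
is_world_readable() {
    mode=$(file_mode "$1") || return 2
    [ $((0$mode & 4)) -ne 0 ]
}

# Print one status line; return 0 = OK, 1 = world-readable, 2 = missing.
audit_state_file() {
    f=${1:-$STATE_FILE}
    if [ ! -e "$f" ]; then
        echo "MISSING $f"
        return 2
    fi
    if is_world_readable "$f"; then
        echo "WORLD-READABLE $(file_mode "$f") $f"
        return 1
    fi
    echo "OK $(file_mode "$f") $f"
}

# Drop only the other-read bit (644 becomes 640); owner and group bits stay.
fix_state_file() {
    chmod o-r -- "${1:-$STATE_FILE}"
}

# Run the audit only when a path is given, so sourcing the file has no effect.
[ "$#" -eq 0 ] || audit_state_file "$1"
```

Calling `audit_state_file` from a script in `/etc/cron.daily` shows the mode as it is when the nightly job runs, which an interactive `ls` afterwards cannot.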