Re: [gentoo-user] logrotate: /var/log/portage/elog insecure permissions?

2011-08-29 Thread Florian Philipp
On 28.08.2011 20:44, Florian Philipp wrote:
 On 28.08.2011 13:14, Mick wrote:
 On Sunday 07 Aug 2011 16:20:18 Florian Philipp wrote:
 On 07.08.2011 02:22, Mick wrote:
 On Friday 05 Aug 2011 23:08:38 Neil Bothwick wrote:
 On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
 Yes, this was introduced in 3.8.0 to fix security issues [1]. Change
 your config to look like this:
 /var/log/portage/elog/summary.log {
 su portage portage
 ...
 }

 Disclaimer: I've not really tried this (yet) but I think I'm able to
 read changelogs and man-pages. ;-)

 Yes that fixes it. The latest portage ebuilds include an updated config
 file.

 Hmm ... it still complains here!

 error: error setting owner of
 /var/log/portage/elog/summary.log-20110801.gz: Operation not permitted


 This is my /etc/logrotate.d/elog-save-summary:
 ===
 /var/log/portage/elog/summary.log {

  su portage portage
  
 missingok
 nocreate
 delaycompress

 }
 ===

 # ls -la /var/log/portage/elog/summary.log
 -rw-rw-r-- 1 root portage 4326 Aug  6 09:44
 /var/log/portage/elog/summary.log

 Can you see anything amiss?

 At least on my system, /var/log/portage has the following permissions:
 drwxr-xr-x root root

 Only root can write, therefore the config must read

 /var/log/portage/elog/summary.log {
  su root portage
  missingok
  nocreate
  delaycompress
 }

 The latest logrotate update wanted to change the above line from su root 
 portage to su portage portage ...

 Should I be changing the ownership of /var/log/portage and /var/log/portage 
 elog?
 
 Unless portage now drops privileges from root:portage to portage:portage
 for writing logs, no one except root should be allowed to write in
 /var/log/portage. So, from my point of view, the answer is no.
 
 It seems so:
 https://bugs.gentoo.org/show_bug.cgi?id=374287
 https://bugs.gentoo.org/show_bug.cgi?id=378451
 
 This version of portage has just been stabilized this week.
 
 Regards,
 Florian Philipp
 

Argh, sorry. I just saw that I forgot to delete the first paragraph
after looking at portage's changelog. The answer is yes, not no. ;)





Re: [gentoo-user] logrotate: /var/log/portage/elog insecure permissions?

2011-08-28 Thread Mick
On Sunday 07 Aug 2011 16:20:18 Florian Philipp wrote:
 On 07.08.2011 02:22, Mick wrote:
  On Friday 05 Aug 2011 23:08:38 Neil Bothwick wrote:
  On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
  Yes, this was introduced in 3.8.0 to fix security issues [1]. Change
  your config to look like this:
  /var/log/portage/elog/summary.log {
  su portage portage
  ...
  }
  
  Disclaimer: I've not really tried this (yet) but I think I'm able to
  read changelogs and man-pages. ;-)
  
  Yes that fixes it. The latest portage ebuilds include an updated config
  file.
  
  Hmm ... it still complains here!
  
  error: error setting owner of
  /var/log/portage/elog/summary.log-20110801.gz: Operation not permitted
  
  
  This is my /etc/logrotate.d/elog-save-summary:
  ===
  /var/log/portage/elog/summary.log {
  
   su portage portage
   
  missingok
  nocreate
  delaycompress
  
  }
  ===
  
  # ls -la /var/log/portage/elog/summary.log
  -rw-rw-r-- 1 root portage 4326 Aug  6 09:44
  /var/log/portage/elog/summary.log
  
  Can you see anything amiss?
 
 At least on my system, /var/log/portage has the following permissions:
 drwxr-xr-x root root
 
 Only root can write, therefore the config must read
 
 /var/log/portage/elog/summary.log {
  su root portage
  missingok
  nocreate
  delaycompress
 }

The latest logrotate update wanted to change the above line from su root 
portage to su portage portage ...

Should I be changing the ownership of /var/log/portage and /var/log/portage 
elog?
-- 
Regards,
Mick




Re: [gentoo-user] logrotate: /var/log/portage/elog insecure permissions?

2011-08-28 Thread Florian Philipp
On 28.08.2011 13:14, Mick wrote:
 On Sunday 07 Aug 2011 16:20:18 Florian Philipp wrote:
 On 07.08.2011 02:22, Mick wrote:
 On Friday 05 Aug 2011 23:08:38 Neil Bothwick wrote:
 On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
 Yes, this was introduced in 3.8.0 to fix security issues [1]. Change
 your config to look like this:
 /var/log/portage/elog/summary.log {
 su portage portage
 ...
 }

 Disclaimer: I've not really tried this (yet) but I think I'm able to
 read changelogs and man-pages. ;-)

 Yes that fixes it. The latest portage ebuilds include an updated config
 file.

 Hmm ... it still complains here!

 error: error setting owner of
 /var/log/portage/elog/summary.log-20110801.gz: Operation not permitted


 This is my /etc/logrotate.d/elog-save-summary:
 ===
 /var/log/portage/elog/summary.log {

  su portage portage
  
 missingok
 nocreate
 delaycompress

 }
 ===

 # ls -la /var/log/portage/elog/summary.log
 -rw-rw-r-- 1 root portage 4326 Aug  6 09:44
 /var/log/portage/elog/summary.log

 Can you see anything amiss?

 At least on my system, /var/log/portage has the following permissions:
 drwxr-xr-x root root

 Only root can write, therefore the config must read

 /var/log/portage/elog/summary.log {
  su root portage
  missingok
  nocreate
  delaycompress
 }
 
 The latest logrotate update wanted to change the above line from su root 
 portage to su portage portage ...
 
 Should I be changing the ownership of /var/log/portage and /var/log/portage 
 elog?

Unless portage now drops privileges from root:portage to portage:portage
for writing logs, no one except root should be allowed to write in
/var/log/portage. So, from my point of view, the answer is no.

It seems so:
https://bugs.gentoo.org/show_bug.cgi?id=374287
https://bugs.gentoo.org/show_bug.cgi?id=378451

This version of portage has just been stabilized this week.

Regards,
Florian Philipp





Re: [gentoo-user] logrotate: /var/log/portage/elog insecure permissions?

2011-08-09 Thread Mick
On Sunday 07 Aug 2011 16:20:18 Florian Philipp wrote:
 On 07.08.2011 02:22, Mick wrote:
  On Friday 05 Aug 2011 23:08:38 Neil Bothwick wrote:
  On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
  Yes, this was introduced in 3.8.0 to fix security issues [1]. Change
  your config to look like this:
  /var/log/portage/elog/summary.log {
  su portage portage
  ...
  }
  
  Disclaimer: I've not really tried this (yet) but I think I'm able to
  read changelogs and man-pages. ;-)
  
  Yes that fixes it. The latest portage ebuilds include an updated config
  file.
  
  Hmm ... it still complains here!
  
  error: error setting owner of
  /var/log/portage/elog/summary.log-20110801.gz: Operation not permitted
  
  
  This is my /etc/logrotate.d/elog-save-summary:
  ===
  /var/log/portage/elog/summary.log {
  
   su portage portage
   
  missingok
  nocreate
  delaycompress
  
  }
  ===
  
  # ls -la /var/log/portage/elog/summary.log
  -rw-rw-r-- 1 root portage 4326 Aug  6 09:44
  /var/log/portage/elog/summary.log
  
  Can you see anything amiss?
 
 At least on my system, /var/log/portage has the following permissions:
 drwxr-xr-x root root
 
 Only root can write, therefore the config must read
 
 /var/log/portage/elog/summary.log {
  su root portage
  missingok
  nocreate
  delaycompress
 }
 
 Hope this helps,
 Florian Philipp

Thanks for this Florian,

It is interesting that two of my machines actually are set up like this:

drwxrws---  2 portage portage 240 Aug  9 21:07 elog

and /var/log/portage is also set up like this:

drwxrws---  4 portage portage 7152 Aug  7 18:04 portage

However, I can't remember if I set it up like that myself (these are old 
machines).  The latest and newest installation on a third box looks just like 
yours.
-- 
Regards,
Mick




Re: [gentoo-user] logrotate: /var/log/portage/elog insecure permissions?

2011-08-07 Thread Florian Philipp
On 07.08.2011 02:22, Mick wrote:
 On Friday 05 Aug 2011 23:08:38 Neil Bothwick wrote:
 On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
 Yes, this was introduced in 3.8.0 to fix security issues [1]. Change
 your config to look like this:
 /var/log/portage/elog/summary.log {
 su portage portage
 ...
 }

 Disclaimer: I've not really tried this (yet) but I think I'm able to
 read changelogs and man-pages. ;-)

 Yes that fixes it. The latest portage ebuilds include an updated config
 file.
 
 Hmm ... it still complains here!
 
 error: error setting owner of /var/log/portage/elog/summary.log-20110801.gz: 
 Operation not permitted
 
 
 This is my /etc/logrotate.d/elog-save-summary:
 ===
 /var/log/portage/elog/summary.log {
  su portage portage
 missingok
 nocreate
 delaycompress
 }
 ===
 
 # ls -la /var/log/portage/elog/summary.log
 -rw-rw-r-- 1 root portage 4326 Aug  6 09:44 /var/log/portage/elog/summary.log
 
 Can you see anything amiss?

At least on my system, /var/log/portage has the following permissions:
drwxr-xr-x root root

Only root can write, therefore the config must read

/var/log/portage/elog/summary.log {
 su root portage
 missingok
 nocreate
 delaycompress
}

Hope this helps,
Florian Philipp
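
The rule worded in the cron error from logrotate, together with the directory-ownership reasoning in the reply above, as an added example that is not part of the thread and is not logrotate's own code. The function names and the heuristic for the candidate `su` line (directory owner plus the log file's group) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not logrotate's code. It applies the rule worded in the cron
# error: a parent directory is "insecure" when it is world-writable or
# writable by a group other than root (gid 0).

# mode_is_insecure MODE GID: exit 0 if a directory with this octal mode and
# owning gid trips the rule, exit 1 if it passes.
mode_is_insecure() {
    mode=$(( 0$1 ))                      # e.g. "2770" -> octal 02770
    if [ $(( mode & 0002 )) -ne 0 ]; then
        return 0                         # world-writable
    fi
    if [ $(( mode & 0020 )) -ne 0 ] && [ "$2" -ne 0 ]; then
        return 0                         # group-writable, group is not root
    fi
    return 1
}

# parent_is_insecure LOGFILE: same verdict for the log's real parent directory.
# Exit 2 if the directory cannot be examined. Uses GNU/busybox "stat -c".
parent_is_insecure() {
    st=$(stat -c '%a %g' -- "$(dirname -- "$1")") || return 2
    mode_is_insecure "${st% *}" "${st#* }"
}

# report LOGFILE: print the verdict and a candidate su line. Heuristic
# (assumption): user = owner of the parent directory, because that account
# can create the rotated file there; group = group of the log file itself.
report() {
    dir=$(dirname -- "$1")
    rc=0
    parent_is_insecure "$1" || rc=$?
    case $rc in
        0) echo "$1: $dir is writable by non-root, logrotate wants a su directive" ;;
        1) echo "$1: $dir passes the parent-directory check" ;;
        *) echo "$1: cannot stat $dir" >&2; return 2 ;;
    esac
    echo "  candidate: su $(stat -c %U -- "$dir") $(stat -c %G -- "$1")"
}

# Usage: sh check-parent.sh /var/log/portage/elog/summary.log
for log in "$@"; do
    report "$log"
done
```

Applied to the two layouts shown in this thread, `drwxrws--- portage portage` is flagged (group-writable by a non-root group) while `drwxr-xr-x root root` passes.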





Re: [gentoo-user] logrotate: /var/log/portage/elog insecure permissions?

2011-08-06 Thread Mick
On Friday 05 Aug 2011 23:08:38 Neil Bothwick wrote:
 On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
  Yes, this was introduced in 3.8.0 to fix security issues [1]. Change
  your config to look like this:
  /var/log/portage/elog/summary.log {
  su portage portage
  ...
  }
  
  Disclaimer: I've not really tried this (yet) but I think I'm able to
  read changelogs and man-pages. ;-)
 
 Yes that fixes it. The latest portage ebuilds include an updated config
 file.

Hmm ... it still complains here!

error: error setting owner of /var/log/portage/elog/summary.log-20110801.gz: 
Operation not permitted


This is my /etc/logrotate.d/elog-save-summary:
===
/var/log/portage/elog/summary.log {
 su portage portage
missingok
nocreate
delaycompress
}
===

# ls -la /var/log/portage/elog/summary.log
-rw-rw-r-- 1 root portage 4326 Aug  6 09:44 /var/log/portage/elog/summary.log

Can you see anything amiss?
-- 
Regards,
Mick




[gentoo-user] logrotate: /var/log/portage/elog insecure permissions?

2011-08-05 Thread Jarry

Hi,
today I received this mail from cron:
---
error: skipping /var/log/portage/elog/summary.log because
parent directory has insecure permissions (It's world writable
or writable by group which is not root) Set su directive
in config file to tell logrotate which user/group should be
used for rotation.
---

My /var/log/portage/elog has these permissions:
drwxrws--- 2 portage portage 4096 Jun  1  2010 elog

What is wrong with it? I'm pretty sure I did not touch it
for years so I'm surprised logrotate is suddenly complaining
(it has been updated recently, that might be the reason).

Anyway, what should those permissions look like to make
logrotate (and cron) happy?

Jarry

--
___
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.



Re: [gentoo-user] logrotate: /var/log/portage/elog insecure permissions?

2011-08-05 Thread Florian Philipp
On 05.08.2011 17:22, Jarry wrote:
 Hi,
 today I received this mail from cron:
 ---
 error: skipping /var/log/portage/elog/summary.log because
 parent directory has insecure permissions (It's world writable
 or writable by group which is not root) Set su directive
 in config file to tell logrotate which user/group should be
 used for rotation.
 ---
 
 My /var/log/portage/elog has these permissions:
 drwxrws--- 2 portage portage 4096 Jun  1  2010 elog
 
 What is wrong with it? I'm pretty sure I did not touch it
 for years so I'm surprised logrotate is suddenly complaining
 (it has been updated recently, that might be the reason).
 
 Anyway, what should those permissions look like to make
 logrotate (and cron) happy?
 
 Jarry
 

Yes, this was introduced in 3.8.0 to fix security issues [1]. Change
your config to look like this:
/var/log/portage/elog/summary.log {
su portage portage
...
}

Disclaimer: I've not really tried this (yet) but I think I'm able to
read changelogs and man-pages. ;-)

[1] https://bugzilla.redhat.com/show_bug.cgi?id=680799

Regards,
Florian Philipp





Re: [gentoo-user] logrotate: /var/log/portage/elog insecure permissions?

2011-08-05 Thread Neil Bothwick
On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:

 Yes, this was introduced in 3.8.0 to fix security issues [1]. Change
 your config to look like this:
 /var/log/portage/elog/summary.log {
 su portage portage
 ...
 }
 
 Disclaimer: I've not really tried this (yet) but I think I'm able to
 read changelogs and man-pages. ;-)

Yes that fixes it. The latest portage ebuilds include an updated config
file.


-- 
Neil Bothwick

There's no such thing as a free lunch
  ___Steve Ballmer, choking on a linuxburger

