Re: [gentoo-user] logrotate: /var/log/portage/elog insecure permissions?
On 28.08.2011 20:44, Florian Philipp wrote:
> On 28.08.2011 13:14, Mick wrote:
> > On Sunday 07 Aug 2011 16:20:18 Florian Philipp wrote:
> > > On 07.08.2011 02:22, Mick wrote:
> > > > On Friday 05 Aug 2011 23:08:38 Neil Bothwick wrote:
> > > > > On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
> > > > > > Yes, this was introduced in 3.8.0 to fix security issues [1].
> > > > > > Change your config to look like this:
> > > > > >
> > > > > > /var/log/portage/elog/summary.log {
> > > > > >     su portage portage
> > > > > >     ...
> > > > > > }
> > > > > >
> > > > > > Disclaimer: I've not really tried this (yet) but I think I'm able
> > > > > > to read changelogs and man-pages. ;-)
> > > > >
> > > > > Yes that fixes it. The latest portage ebuilds include an updated
> > > > > config file.
> > > >
> > > > Hmm ... it still complains here!
> > > >
> > > > error: error setting owner of /var/log/portage/elog/summary.log-20110801.gz: Operation not permitted
> > > >
> > > > This is my /etc/logrotate.d/elog-save-summary:
> > > > ===
> > > > /var/log/portage/elog/summary.log {
> > > >     su portage portage
> > > >     missingok
> > > >     nocreate
> > > >     delaycompress
> > > > }
> > > > ===
> > > >
> > > > # ls -la /var/log/portage/elog/summary.log
> > > > -rw-rw-r-- 1 root portage 4326 Aug 6 09:44 /var/log/portage/elog/summary.log
> > > >
> > > > Can you see anything amiss?
> > >
> > > At least on my system, /var/log/portage has the following permissions:
> > > drwxr-xr-x root root
> > >
> > > Only root can write, therefore the config must read
> > > /var/log/portage/elog/summary.log {
> > >     su root portage
> > >     missingok
> > >     nocreate
> > >     delaycompress
> > > }
> >
> > The latest logrotate update wanted to change the above line from
> > su root portage
> > to
> > su portage portage
> > ...
> >
> > Should I be changing the ownership of /var/log/portage and
> > /var/log/portage elog?
>
> Unless portage now drops privileges from root:portage to portage:portage
> for writing logs, no one except root should be allowed to write in
> /var/log/portage. So, from my point of view, the answer is no.
>
> It seems so:
> https://bugs.gentoo.org/show_bug.cgi?id=374287
> https://bugs.gentoo.org/show_bug.cgi?id=378451
> This version of portage has just been stabilized this week.
>
> Regards,
> Florian Philipp

Argh, sorry. I just saw that I forgot to delete the first paragraph after looking at portage's changelog. The answer is yes, not no. ;)

Re: [gentoo-user] logrotate: /var/log/portage/elog insecure permissions?
On Sunday 07 Aug 2011 16:20:18 Florian Philipp wrote:
> On 07.08.2011 02:22, Mick wrote:
> > On Friday 05 Aug 2011 23:08:38 Neil Bothwick wrote:
> > > On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
> > > > Yes, this was introduced in 3.8.0 to fix security issues [1].
> > > > Change your config to look like this:
> > > >
> > > > /var/log/portage/elog/summary.log {
> > > >     su portage portage
> > > >     ...
> > > > }
> > > >
> > > > Disclaimer: I've not really tried this (yet) but I think I'm able
> > > > to read changelogs and man-pages. ;-)
> > >
> > > Yes that fixes it. The latest portage ebuilds include an updated
> > > config file.
> >
> > Hmm ... it still complains here!
> >
> > error: error setting owner of /var/log/portage/elog/summary.log-20110801.gz: Operation not permitted
> >
> > This is my /etc/logrotate.d/elog-save-summary:
> > ===
> > /var/log/portage/elog/summary.log {
> >     su portage portage
> >     missingok
> >     nocreate
> >     delaycompress
> > }
> > ===
> >
> > # ls -la /var/log/portage/elog/summary.log
> > -rw-rw-r-- 1 root portage 4326 Aug 6 09:44 /var/log/portage/elog/summary.log
> >
> > Can you see anything amiss?
>
> At least on my system, /var/log/portage has the following permissions:
> drwxr-xr-x root root
>
> Only root can write, therefore the config must read
> /var/log/portage/elog/summary.log {
>     su root portage
>     missingok
>     nocreate
>     delaycompress
> }

The latest logrotate update wanted to change the above line from
su root portage
to
su portage portage
...

Should I be changing the ownership of /var/log/portage and /var/log/portage elog?
--
Regards,
Mick

Re: [gentoo-user] logrotate: /var/log/portage/elog insecure permissions?
On 28.08.2011 13:14, Mick wrote:
> On Sunday 07 Aug 2011 16:20:18 Florian Philipp wrote:
> > On 07.08.2011 02:22, Mick wrote:
> > > On Friday 05 Aug 2011 23:08:38 Neil Bothwick wrote:
> > > > On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
> > > > > Yes, this was introduced in 3.8.0 to fix security issues [1].
> > > > > Change your config to look like this:
> > > > >
> > > > > /var/log/portage/elog/summary.log {
> > > > >     su portage portage
> > > > >     ...
> > > > > }
> > > > >
> > > > > Disclaimer: I've not really tried this (yet) but I think I'm able
> > > > > to read changelogs and man-pages. ;-)
> > > >
> > > > Yes that fixes it. The latest portage ebuilds include an updated
> > > > config file.
> > >
> > > Hmm ... it still complains here!
> > >
> > > error: error setting owner of /var/log/portage/elog/summary.log-20110801.gz: Operation not permitted
> > >
> > > This is my /etc/logrotate.d/elog-save-summary:
> > > ===
> > > /var/log/portage/elog/summary.log {
> > >     su portage portage
> > >     missingok
> > >     nocreate
> > >     delaycompress
> > > }
> > > ===
> > >
> > > # ls -la /var/log/portage/elog/summary.log
> > > -rw-rw-r-- 1 root portage 4326 Aug 6 09:44 /var/log/portage/elog/summary.log
> > >
> > > Can you see anything amiss?
> >
> > At least on my system, /var/log/portage has the following permissions:
> > drwxr-xr-x root root
> >
> > Only root can write, therefore the config must read
> > /var/log/portage/elog/summary.log {
> >     su root portage
> >     missingok
> >     nocreate
> >     delaycompress
> > }
>
> The latest logrotate update wanted to change the above line from
> su root portage
> to
> su portage portage
> ...
>
> Should I be changing the ownership of /var/log/portage and
> /var/log/portage elog?

Unless portage now drops privileges from root:portage to portage:portage for writing logs, no one except root should be allowed to write in /var/log/portage. So, from my point of view, the answer is no.

It seems so:
https://bugs.gentoo.org/show_bug.cgi?id=374287
https://bugs.gentoo.org/show_bug.cgi?id=378451
This version of portage has just been stabilized this week.

Regards,
Florian Philipp

Re: [gentoo-user] logrotate: /var/log/portage/elog insecure permissions?
On Sunday 07 Aug 2011 16:20:18 Florian Philipp wrote:
> On 07.08.2011 02:22, Mick wrote:
> > On Friday 05 Aug 2011 23:08:38 Neil Bothwick wrote:
> > > On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
> > > > Yes, this was introduced in 3.8.0 to fix security issues [1].
> > > > Change your config to look like this:
> > > >
> > > > /var/log/portage/elog/summary.log {
> > > >     su portage portage
> > > >     ...
> > > > }
> > > >
> > > > Disclaimer: I've not really tried this (yet) but I think I'm able
> > > > to read changelogs and man-pages. ;-)
> > >
> > > Yes that fixes it. The latest portage ebuilds include an updated
> > > config file.
> >
> > Hmm ... it still complains here!
> >
> > error: error setting owner of /var/log/portage/elog/summary.log-20110801.gz: Operation not permitted
> >
> > This is my /etc/logrotate.d/elog-save-summary:
> > ===
> > /var/log/portage/elog/summary.log {
> >     su portage portage
> >     missingok
> >     nocreate
> >     delaycompress
> > }
> > ===
> >
> > # ls -la /var/log/portage/elog/summary.log
> > -rw-rw-r-- 1 root portage 4326 Aug 6 09:44 /var/log/portage/elog/summary.log
> >
> > Can you see anything amiss?
>
> At least on my system, /var/log/portage has the following permissions:
> drwxr-xr-x root root
>
> Only root can write, therefore the config must read
> /var/log/portage/elog/summary.log {
>     su root portage
>     missingok
>     nocreate
>     delaycompress
> }
>
> Hope this helps,
> Florian Philipp

Thanks for this Florian,

It is interesting that two of my machines actually are set up like this:

drwxrws--- 2 portage portage 240 Aug 9 21:07 elog

and /var/log/portage is also set up like this:

drwxrws--- 4 portage portage 7152 Aug 7 18:04 portage

However, I can't remember if I set it up like that myself (these are old machines). The latest and newest installation on a third box looks just like yours.
--
Regards,
Mick

Re: [gentoo-user] logrotate: /var/log/portage/elog insecure permissions?
On 07.08.2011 02:22, Mick wrote:
> On Friday 05 Aug 2011 23:08:38 Neil Bothwick wrote:
> > On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
> > > Yes, this was introduced in 3.8.0 to fix security issues [1].
> > > Change your config to look like this:
> > >
> > > /var/log/portage/elog/summary.log {
> > >     su portage portage
> > >     ...
> > > }
> > >
> > > Disclaimer: I've not really tried this (yet) but I think I'm able
> > > to read changelogs and man-pages. ;-)
> >
> > Yes that fixes it. The latest portage ebuilds include an updated
> > config file.
>
> Hmm ... it still complains here!
>
> error: error setting owner of /var/log/portage/elog/summary.log-20110801.gz: Operation not permitted
>
> This is my /etc/logrotate.d/elog-save-summary:
> ===
> /var/log/portage/elog/summary.log {
>     su portage portage
>     missingok
>     nocreate
>     delaycompress
> }
> ===
>
> # ls -la /var/log/portage/elog/summary.log
> -rw-rw-r-- 1 root portage 4326 Aug 6 09:44 /var/log/portage/elog/summary.log
>
> Can you see anything amiss?

At least on my system, /var/log/portage has the following permissions:
drwxr-xr-x root root

Only root can write, therefore the config must read
/var/log/portage/elog/summary.log {
    su root portage
    missingok
    nocreate
    delaycompress
}

Hope this helps,
Florian Philipp

Re: [gentoo-user] logrotate: /var/log/portage/elog insecure permissions?
On Friday 05 Aug 2011 23:08:38 Neil Bothwick wrote:
> On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
> > Yes, this was introduced in 3.8.0 to fix security issues [1].
> > Change your config to look like this:
> >
> > /var/log/portage/elog/summary.log {
> >     su portage portage
> >     ...
> > }
> >
> > Disclaimer: I've not really tried this (yet) but I think I'm able
> > to read changelogs and man-pages. ;-)
>
> Yes that fixes it. The latest portage ebuilds include an updated
> config file.

Hmm ... it still complains here!

error: error setting owner of /var/log/portage/elog/summary.log-20110801.gz: Operation not permitted

This is my /etc/logrotate.d/elog-save-summary:
===
/var/log/portage/elog/summary.log {
    su portage portage
    missingok
    nocreate
    delaycompress
}
===

# ls -la /var/log/portage/elog/summary.log
-rw-rw-r-- 1 root portage 4326 Aug 6 09:44 /var/log/portage/elog/summary.log

Can you see anything amiss?
--
Regards,
Mick

[gentoo-user] logrotate: /var/log/portage/elog insecure permissions?
Hi,

today I received this mail from cron:

---
error: skipping /var/log/portage/elog/summary.log because parent directory has insecure permissions (It's world writable or writable by group which is not root) Set su directive in config file to tell logrotate which user/group should be used for rotation.
---

My /var/log/portage/elog has these permissions:

drwxrws--- 2 portage portage 4096 Jun 1 2010 elog

What is wrong with it? I'm pretty sure I did not touch it for years so I'm surprised logrotate is suddenly complaining (it has been updated recently, that might be the reason). Anyway, what should those permissions look like to make logrotate (and cron) happy?

Jarry
--
___
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.

Re: [gentoo-user] logrotate: /var/log/portage/elog insecure permissions?
On 05.08.2011 17:22, Jarry wrote:
> Hi,
>
> today I received this mail from cron:
>
> ---
> error: skipping /var/log/portage/elog/summary.log because parent directory has insecure permissions (It's world writable or writable by group which is not root) Set su directive in config file to tell logrotate which user/group should be used for rotation.
> ---
>
> My /var/log/portage/elog has these permissions:
>
> drwxrws--- 2 portage portage 4096 Jun 1 2010 elog
>
> What is wrong with it? I'm pretty sure I did not touch it for years
> so I'm surprised logrotate is suddenly complaining (it has been
> updated recently, that might be the reason). Anyway, what should those
> permissions look like to make logrotate (and cron) happy?
>
> Jarry

Yes, this was introduced in 3.8.0 to fix security issues [1]. Change your config to look like this:

/var/log/portage/elog/summary.log {
    su portage portage
    ...
}

Disclaimer: I've not really tried this (yet) but I think I'm able to read changelogs and man-pages. ;-)

[1] https://bugzilla.redhat.com/show_bug.cgi?id=680799

Regards,
Florian Philipp

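The rule quoted in the cron mail above ("world writable or writable by group which is not root"), as an added example that is not part of any message in this thread and is not logrotate's own code: a shell function that applies that rule to a directory's mode and group ID, so the directories discussed here can be checked before logrotate runs. It assumes GNU `stat`; the function names and the sample GID 250 are constructed for illustration.

```shell
#!/bin/sh
# Added example: approximates the parent-directory rule quoted in the
# logrotate error message. Not logrotate's own implementation.

# is_insecure_mode MODE GID
#   MODE: octal permission bits as printed by `stat -c %a` (e.g. 2770)
#   GID:  numeric group ID of the directory
# Returns 0 (true) when the directory is world writable, or group
# writable with a group other than root (GID 0).
is_insecure_mode() {
    mode=$1
    gid=$2
    # The leading 0 makes the shell read the value as octal.
    if [ $(( 0$mode & 0002 )) -ne 0 ]; then
        return 0
    fi
    if [ $(( 0$mode & 0020 )) -ne 0 ] && [ "$gid" -ne 0 ]; then
        return 0
    fi
    return 1
}

# check_log_parent LOGFILE
#   Prints a one-line verdict for the directory that holds LOGFILE.
check_log_parent() {
    dir=$(dirname -- "$1")
    # GNU stat: %a = octal mode, %g = numeric GID, %U:%G = owner names
    info=$(stat -c '%a %g %U:%G' -- "$dir") || return 2
    set -- $info
    if is_insecure_mode "$1" "$2"; then
        echo "INSECURE $dir mode=$1 owner=$3 (logrotate will ask for a su directive)"
    else
        echo "OK $dir mode=$1 owner=$3"
    fi
}

# Constructed sample: the elog directory from the first message
# (drwxrws--- = 2770) with an assumed non-root group ID of 250.
if is_insecure_mode 2770 250; then
    echo "mode 2770, gid 250: insecure by the quoted rule"
fi
```

Run `check_log_parent /var/log/portage/elog/summary.log` on the affected machine to see which of the two layouts described in this thread it has.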
Re: [gentoo-user] logrotate: /var/log/portage/elog insecure permissions?
On Fri, 05 Aug 2011 17:59:00 +0200, Florian Philipp wrote:
> Yes, this was introduced in 3.8.0 to fix security issues [1].
> Change your config to look like this:
>
> /var/log/portage/elog/summary.log {
>     su portage portage
>     ...
> }
>
> Disclaimer: I've not really tried this (yet) but I think I'm able
> to read changelogs and man-pages. ;-)

Yes that fixes it. The latest portage ebuilds include an updated config file.

--
Neil Bothwick

There's no such thing as a free lunch
___Steve Ballmer, choking on a linuxburger