On Sun, 17 Apr 2005, Rainer Zocholl wrote:

> Every time(!) i upgrade debian logcheck i run into the error
> that logcheck is trying to generate its lockfile at a
> forbidden location.
> The error message/mail is a bit misleading too.

on debian systems by default the dir below is writable for world:

ls -ld /var/lock
drwxrwxrwt 4 root root 4096 2005-04-18 09:02 /var/lock

> When will that error be fixed? (I think i reported it already several
> weeks ago).

care to add a pointer to that report?
well your system seems broken, you can fix its permissions easily.

[further rant snipped]

> Is it such a common (dangerous) practice to allow everybody to
> litter "/var/lock" with its private lockfiles? Allowing everybody
> to place a link to an unwanted file with the name of
> a root lock file? So when root changes the (old) lock, it
> changes the "unwanted" file too etc... or it's easy to block root
> by placing a lock file with the same name root would test when
> everybody can write to "/var/lock".

well it's a bit hard to follow the flow above. i try to summarize
* if /var/lock is not world writable, one should have a dir below
  for one's own needs.
* if /var/lock is world writable, one could block logcheck runs.

> Description:
>
> After update logcheck i always get this error mail:
>
> ------------------------------------------------------------
>
> Warning: If you are seeing this message, your log files may not have been
> checked!
>
> Details:
> Failed to get lockfile: /var/lock/logcheck.lock
>
> Check temporary directory:
>
> declare -x HOME="/var/lib/logcheck"
> declare -x LOGNAME="logcheck"
> declare -x MAILTO="root"
> declare -x OLDPWD
> declare -x PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
> declare -x PWD="/var/lib/logcheck"
> declare -x SHELL="/bin/sh"
> declare -x SHLVL="2"
>
> -----------------------------------------------------------------------

that mail is pretty clear. why is it misleading?

> Solution:
>
> you must edit the script(!) as logcheck has a security flaw
> and tries to place its lock file under /var/lock/ which is
> -of course- only allowed for root!

wrong assumption for any sarge default install.

> You must create a directory "logcheck" under /var/lock/
>
> mkdir /var/lock/logcheck
> chown logcheck:logcheck /var/lock/logcheck
> chmod 755 /var/lock/logcheck

todd what do you think about that dir?
sounds ok for me, but i don't get why you paranoid guy show your
logcheck run to world, why not use 750 above??

> And edit the script(!) like this:
>
>
> [23:29:49]yoda:/etc/logcheck# diff -Nau /usr/sbin/logcheck
> /usr/sbin/logcheck.ori
> --- /usr/sbin/logcheck 2005-04-16 23:29:36.000000000 +0200
> +++ /usr/sbin/logcheck.ori 2005-04-03 01:00:14.000000000 +0200
> @@ -81,7 +81,7 @@
> SORTUNIQ=0
> SUPPORT_CRACKING_IGNORE=0
> SYSLOGSUMMARY=0
> -LOCKFILE="/var/lock/logcheck/logcheck"
> +LOCKFILE="/var/lock/logcheck"
>
> # Carry out the clean up tasks
> cleanup() {

hehe, you diffed in the wrong order.
but anyway that part is clear.

> --------------------------------------------------------------
>
>
> Maybe it would ease use a lot if "LOCKFILE" is
> set in /etc/logcheck/logcheck.conf too?

no, that file is already long enough, we don't want stupid
config options for the user. that should just work on runtime.

--
maks

ps i don't get your nospam stuff, perhaps you'll read your bug report.
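
Review bot: The LOCKFILE hunk is reversed: its `---` side is the edited /usr/sbin/logcheck and its `+++` side is logcheck.ori, so as posted it turns LOCKFILE="/var/lock/logcheck/logcheck" back into LOCKFILE="/var/lock/logcheck". Regenerate it with the original file first (diff -Nau /usr/sbin/logcheck.ori /usr/sbin/logcheck). The new path also depends on /var/lock/logcheck already existing with the right owner, which nothing in this hunk ensures. If the change is kept, the script should check for or create that directory before taking the lock, and the mode question raised in the reply (755 versus 750) should be settled in the same place.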
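
The private lock directory discussed in this thread, as an added example (not logcheck's code and not written by anyone in the thread): shell functions that refuse a lock directory that is a symlink, owned by another user, or group/world writable, and then take the lock with an atomic mkdir. The function names and the mkdir-based lock are assumptions made for this illustration; `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example, not logcheck's code. Function names and the mkdir-based
# lock are assumptions made for this illustration.

# check_lockdir DIR
# Succeeds only when DIR is a real directory (not a symlink), is owned by
# the calling user, and is not writable by group or others.
check_lockdir() {
    dir=$1
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing $dir: not a real directory" >&2
        return 1
    fi
    # GNU stat: %u = owner uid, %a = octal permission bits
    owner=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    if [ "$owner" != "$(id -u)" ]; then
        echo "refusing $dir: owned by uid $owner" >&2
        return 1
    fi
    # 022 = group-write | other-write; the leading 0 makes $mode octal
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "refusing $dir: mode $mode is group/world writable" >&2
        return 1
    fi
}

# acquire_lock DIR NAME
# mkdir is atomic and fails if NAME.lock already exists in any form,
# including as a symlink, so a planted entry is never followed.
acquire_lock() {
    check_lockdir "$1" || return 1
    mkdir -m 700 "$1/$2.lock" 2>/dev/null
}

# release_lock DIR NAME
release_lock() {
    rmdir "$1/$2.lock"
}

# Typical use, with the directory from the thread created once by root
# and chowned to the logcheck user:
#   acquire_lock /var/lock/logcheck logcheck || exit 1
#   trap 'release_lock /var/lock/logcheck logcheck' EXIT
```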