Hi,

> On Saturday, 11 December 2010, Florian Zumbiehl wrote:
> > I was up to, plus anyone on d-qa who read my mail there also could have
> > pointed me in the right direction, so I won't take the blame for that.
>
> I've read your mail to debian-qa some weeks ago and I've read the bug report.
> Which stated, that the bug in logrotate was fixed in squeeze and that there
> was no issue in the default setup in lenny neither:
>
> "In the default setup, this, of course, shouldn't be a problem, since
> logrotate is run with an effective group of root, and any member of that
> group will usually have access to the log files anyway. When logrotate
> is used by normal users, though, this could be a security problem." (from the
> initial mail to 388608, 3rd text paragraph)
>
> And so I thought, so what?
Good point. The scope of this bug report drifted/widened a bit over time, partly due to changes in current versions of logrotate, so it seems that the original bug report can be quite a bit misleading regarding the scope of the problem.

And actually I think that the problem is wider than what's currently covered by that bug report and some more fundamental changes should be made to logrotate to ensure security under a wider range of circumstances. But for now I am trying to focus on getting fixed what is known to be exploitable. When that's done, I may also try to get some public discussion started on further improvements I suggested to the maintainer a year ago.

So, let me clarify that the first point of my mail to d-qa refers to the default setup after you install postgres in the specific case I tested and most likely also in case of all the other packages affected:

| 1. There is a privilege escalation vulnerability in stable's logrotate,
| verified to work for switching from the postgres user to root, probably
| affecting the system users of about 40 packages. A fix for this has
| been in testing for about a year now, the original bug report and a
| first patch have been in the bug tracker for about four years now.

Florian

--
Archive: http://lists.debian.org/20101211221900.gl3...@florz.florz.dyndns.org