Re: privilege escalation and potential data loss in logrotate

To: Holger Levsen <holger@layer-acht.org>
Cc: debian-devel@lists.debian.org, team@security.debian.org
Subject: Re: privilege escalation and potential data loss in logrotate
From: Florian Zumbiehl <florz@florz.de>
Date: Sat, 11 Dec 2010 23:19:00 +0100
Message-id: <[🔎] 20101211221900.GL3501@florz.florz.dyndns.org>
In-reply-to: <[🔎] 201012111242.37799.holger@layer-acht.org>
References: <20101120072344.GA20671@florz.florz.dyndns.org> <[🔎] AANLkTikZ7u+2bxzJwDnS9FndEVEg-=HFeEmS3L-ZiqwL@mail.gmail.com> <[🔎] 20101211010127.GE3501@florz.florz.dyndns.org> <[🔎] 201012111242.37799.holger@layer-acht.org>

Hi,

> On Samstag, 11. Dezember 2010, Florian Zumbiehl wrote:
> > I was up to, plus anyone on d-qa who read my mail there also could have
> > pointed me in the right direction, so I won't take the blame for that.
> 
> I've read your mail to debian-qa some weeks ago and I've read the bug report. 
> Which stated, that the bug in logrotate was fixed in squeeze and that there 
> was no issue in the default setup in lenny neither:
> 
> "In the default setup, this, of course, shouldn't be a problem, since
> logrotate is run with an effective group of root, and any member of that
> group will usually have access to the log files anyway. When logrotate
> is used by normal users, though, this could be a security problem." (from the 
> initial mail to 388608, 3rd text paragraph)
> 
> And so I thought, so what?

Good point. The scope of this bug report drifted/widened a bit over
time, partly due to changes in current versions of logrotate, so
it seems that the original bug report can be quite a bit misleading
regarding the scope of the problem.

And actually I think that the problem is wider than what's currently
covered by that bug report and some more fundamental changes should
be made to logrotate to ensure security under a wider range of
circumstances. But for now I am trying to focus on getting fixed what is
known to be exploitable. When that's done, I may also try to get some
public discussion started on further improvements I suggested to the
maintainer a year ago.

So, let me clarify that the first point of my mail to d-qa refers
to the default setup after you install postgres in the specific
case I tested and most likely also in case of all the other packages
affected:

| 1. There is a privilege escalation vulnerability in stable's logrotate,
|    verified to work for switching from the postgres user to root, probably
|    affecting the system users of about 40 packages. A fix for this has
|    been in testing for about a year now, the original bug report and a
|    first patch have been in the bug tracker for about four years now.

Florian

Reply to:

References:
- Re: privilege escalation and potential data loss in logrotate
  - From: Sandro Tosi <morph@debian.org>
- Re: privilege escalation and potential data loss in logrotate
  - From: Florian Zumbiehl <florz@florz.de>
- Re: privilege escalation and potential data loss in logrotate
  - From: Holger Levsen <holger@layer-acht.org>

Prev by Date: Re: apt-diff: a tool to diff filesystem content against APT
Next by Date: Cara efektif promosi ke Facebook
Previous by thread: Re: privilege escalation and potential data loss in logrotate
Next by thread: Dijital Baskıda İnanılmaz Fiyatlar
Index(es):
- Date
- Thread