Re: privilege escalation and potential data loss in logrotate


> On Saturday, 11 December 2010, Florian Zumbiehl wrote:
> > I was up to, plus anyone on d-qa who read my mail there also could have
> > pointed me in the right direction, so I won't take the blame for that.
> I read your mail to debian-qa some weeks ago and I read the bug report,
> which stated that the bug in logrotate was fixed in squeeze and that there
> was no issue in the default setup in lenny either:
> "In the default setup, this, of course, shouldn't be a problem, since
> logrotate is run with an effective group of root, and any member of that
> group will usually have access to the log files anyway. When logrotate
> is used by normal users, though, this could be a security problem." (from the 
> initial mail to 388608, 3rd text paragraph)
> And so I thought, so what?

Good point. The scope of this bug report drifted/widened a bit over
time, partly due to changes in current versions of logrotate, so
it seems that the original bug report can be quite a bit misleading
regarding the scope of the problem.

And actually I think that the problem is wider than what's currently
covered by that bug report and some more fundamental changes should
be made to logrotate to ensure security under a wider range of
circumstances. But for now I am trying to focus on getting fixed what is
known to be exploitable. When that's done, I may also try to get some
public discussion started on further improvements I suggested to the
maintainer a year ago.

So, let me clarify that the first point of my mail to d-qa refers
to the default setup after you install postgres in the specific
case I tested, and most likely also in the case of all the other packages

| 1. There is a privilege escalation vulnerability in stable's logrotate,
|    verified to work for switching from the postgres user to root, probably
|    affecting the system users of about 40 packages. A fix for this has
|    been in testing for about a year now, the original bug report and a
|    first patch have been in the bug tracker for about four years now.


