Your message dated Sat, 15 Feb 2020 17:37:13 +0100 with message-id <5600812.RFdQ5ZbSH1@thyrus> and subject line Re: Bug#897388: Logs accessed files, etc. to syslog has caused the Debian Bug report #897388, regarding Logs accessed files, etc. to syslog to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 897388: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897388 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: Logs accessed files, etc. to syslog
- From: Anthony DeRobertis <anthony@derobert.net>
- Date: Tue, 01 May 2018 18:01:33 -0400
- Message-id: <152521209364.21758.8433702356683018312.reportbug@Zia.metrics.net>
Package: kactivitymanagerd Version: 5.12.1-1 Severity: important Similar (but nowhere near as bad as) bug #805399, ActivityManager is logging files I access to the systemd journal & syslog. Some examples: May 1 16:43:33 Zia org.kde.ActivityManager[4152]: Creating the cache for: "applications:tora.desktop" May 1 16:43:33 Zia org.kde.ActivityManager[4152]: Already in database? true May 1 16:43:33 Zia org.kde.ActivityManager[4152]: First update : QDateTime(2016-10-11 13:24:44.000 EDT Qt::TimeSpec(LocalTime)) May 1 16:43:33 Zia org.kde.ActivityManager[4152]: Last update : QDateTime(2018-05-01 14:48:00.000 EDT Qt::TimeSpec(LocalTime)) May 1 16:43:33 Zia org.kde.ActivityManager[4152]: After the adjustment May 1 16:43:33 Zia org.kde.ActivityManager[4152]: Current score : 4.5649 May 1 16:43:33 Zia org.kde.ActivityManager[4152]: First update : QDateTime(2016-10-11 13:24:44.000 EDT Qt::TimeSpec(LocalTime)) May 1 16:43:33 Zia org.kde.ActivityManager[4152]: Last update : QDateTime(2018-05-01 14:48:00.000 EDT Qt::TimeSpec(LocalTime)) May 1 16:43:33 Zia org.kde.ActivityManager[4152]: Interval length is 0 May 1 16:43:33 Zia org.kde.ActivityManager[4152]: New score : 5.5649 May 1 16:43:33 Zia org.kde.ActivityManager[4152]: ResourceScoreUpdated: "beff6de3-1dc1-42b8-ab3d-2510f77b2ddf" "org.kde.krunner" "applications:tora.desktop" May 1 17:33:32 Zia org.kde.ActivityManager[4152]: Creating the cache for: "/mnt/Haruhi/netadmin/HPM Retention Comparison EXPORT.pdf" May 1 17:33:32 Zia org.kde.ActivityManager[4152]: Already in database? true May 1 17:33:32 Zia org.kde.ActivityManager[4152]: First update : QDateTime(2018-05-01 17:32:38.000 EDT Qt::TimeSpec(LocalTime)) May 1 17:33:32 Zia org.kde.ActivityManager[4152]: Last update : QDateTime(2018-05-01 17:32:38.000 EDT Qt::TimeSpec(LocalTime)) May 1 17:33:32 Zia org.kde.ActivityManager[4152]: After the adjustment May 1 17:33:32 Zia org.kde.ActivityManager[4152]: Current score : 0 May 1 17:33:32 Zia org.kde.ActivityManager[4152]: First update : QDateTime(2018-05-01 17:32:38.000 EDT Qt::TimeSpec(LocalTime)) May 1 17:33:32 Zia org.kde.ActivityManager[4152]: Last update : QDateTime(2018-05-01 17:32:38.000 EDT Qt::TimeSpec(LocalTime)) May 1 17:33:32 Zia org.kde.ActivityManager[4152]: Interval length is 21 May 1 17:33:32 Zia org.kde.ActivityManager[4152]: New score : 0.35 May 1 17:33:32 Zia org.kde.ActivityManager[4152]: ResourceScoreUpdated: "beff6de3-1dc1-42b8-ab3d-2510f77b2ddf" "okular" "/mnt/Haruhi/netadmin/HPM Retention Comparison EXPORT.pdf" while hopefully the database itself is in my home director and mode go-rw, the same can't be said for syslog and journal. This violates user privacy on a multi-user system as the sysadmin is expected to read syslog, but respect the privacy of $HOME. In addition, syslog and journal are available to members of group adm, who may not have root. From the journal, it appears that kactivymanagerd may be speweing this to stdout, which is ultimately being picked up by systemd (I think that's what _TRANSPORT of stdout means): { "_EXE" : "/usr/bin/dbus-daemon", "_GID" : "1000", "__CURSOR" : "[[redacted]]", "_SYSTEMD_OWNER_UID" : "1000", "_COMM" : "dbus-daemon", "_UID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/dbus.service", "_MACHINE_ID" : "[[redacted]]", "_HOSTNAME" : "Zia", "_SYSTEMD_USER_SLICE" : "-.slice", "_BOOT_ID" : "[[redacted]]", "MESSAGE" : "Creating the cache for: \"/mnt/Haruhi/netadmin/HPM Retention Comparison EXPORT.pdf\"", "__MONOTONIC_TIMESTAMP" : "1231383365390", "_CAP_EFFECTIVE" : "0", "_SYSTEMD_INVOCATION_ID" : "[[redacted]]", "__REALTIME_TIMESTAMP" : "1525210358022301", "_CMDLINE" : "/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "org.kde.ActivityManager", "_SYSTEMD_USER_UNIT" : "dbus.service", "PRIORITY" : "4", "_SYSTEMD_SLICE" : "user-1000.slice", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "6", "_PID" : "4152", "_STREAM_ID" : "[[redacted]]", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service" } -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'testing'), (200, 'unstable'), (150, 'stable'), (100, 'experimental'), (1, 'experimental-debug') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.15.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en_GB (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages kactivitymanagerd depends on: ii kio 5.44.0-2 ii libc6 2.27-3 ii libkf5configcore5 5.44.0-1 ii libkf5coreaddons5 5.44.0-1 ii libkf5dbusaddons5 5.44.0-1 ii libkf5globalaccel5 5.44.0-1 ii libkf5i18n5 5.44.0-1 ii libkf5kiocore5 5.44.0-2 ii libkf5service-bin 5.44.0-1 ii libkf5service5 5.44.0-1 ii libkf5windowsystem5 5.44.0-1 ii libkf5xmlgui5 5.44.0-2+b1 ii libqt5core5a 5.10.1+dfsg-5 ii libqt5dbus5 5.10.1+dfsg-5 ii libqt5gui5 5.10.1+dfsg-5 ii libqt5sql5 5.10.1+dfsg-5 ii libqt5sql5-sqlite 5.10.1+dfsg-5 ii libqt5widgets5 5.10.1+dfsg-5 ii libstdc++6 8-20180425-1 kactivitymanagerd recommends no packages. kactivitymanagerd suggests no packages. -- no debconf information
--- End Message ---
--- Begin Message ---
- To: 897388-done@bugs.debian.org
- Subject: Re: Bug#897388: Logs accessed files, etc. to syslog
- From: Pino Toscano <pino@debian.org>
- Date: Sat, 15 Feb 2020 17:37:13 +0100
- Message-id: <5600812.RFdQ5ZbSH1@thyrus>
- In-reply-to: <20180502110328.mfvcjlodsr4ra7cq@neoptolemo.gnuservers.com.ar>
- References: <152521209364.21758.8433702356683018312.reportbug@Zia.metrics.net> <20180502110328.mfvcjlodsr4ra7cq@neoptolemo.gnuservers.com.ar>
Source: kactivitymanagerd Source-Version: 5.13.1-1 In data mercoledì 2 maggio 2018 13:03:28 CET, Maximiliano Curia ha scritto: > Control: forwarded -1 https://phabricator.kde.org/D12656 > > I'm not sure if bts link supports phabricator, let's see how this goes. Sadly it does not... > El 2018-05-01 a las 18:01 -0400, Anthony DeRobertis escribió: > > Package: kactivitymanagerd > > Version: 5.12.1-1 > > Severity: important > > > Similar (but nowhere near as bad as) bug #805399, ActivityManager is > > logging files I access to the systemd journal & syslog. Some examples: > > > while hopefully the database itself is in my home director and > > mode go-rw, the same can't be said for syslog and journal. This violates > > user privacy on a multi-user system as the sysadmin is expected to read > > syslog, but respect the privacy of $HOME. In addition, syslog and > > journal are available to members of group adm, who may not have root. > > > From the journal, it appears that kactivymanagerd may be speweing this > > to stdout, which is ultimately being picked up by systemd (I think > > that's what _TRANSPORT of stdout means): > > Upstream already accepted a patch for this, so it would be solved in the next > release. This was fixed upstream in kactivitymanaged 5.13.0, so closing with the first version after it available in Debian (5.13.1-1). Thanks, -- Pino ToscanoAttachment: signature.asc
Description: This is a digitally signed message part.
--- End Message ---