Your message dated Sat, 01 Jan 2011 23:32:41 +0000
with message-id <e1pzawd-0006vf...@franck.debian.org>
and subject line Bug#608491: fixed in syslog-ng 3.1.3-2
has caused the Debian Bug report #608491,
regarding syslog-ng: log file permissions dangerous on kfreebsd-i386
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
608491: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608491
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: syslog-ng
Version: 3.1.3-1
Severity: grave
Tags: security
Hello,
On kfreebsd-i386, installing the syslog-ng package with its default
configuration files, sets the permissions of system log files including
/var/log/messages, daemon.log, auth.log and perhaps others to
-rwsrwsrwt. This happens whether the files previously existed or not.
This makes these log files world-readable, despite the perm(0640)
setting in syslog-ng.conf. Non-privileged users can also truncate or
append to these files, but doing so seems to remove the setuid/setgid bits.
There may be a potential for root privilege escalation if a user can
cause syslog-ng to write executable commands to one of these log files.
The files are not normally executable (text file busy) whilst syslog-ng
has them open for writing, but upon the next run of logrotate, the file
permissions including setuid/setgid bits are preserved.
-- typescript
r...@kfreebsd-i386:/var/log# ls -al
total 4
drwxr-xr-x 2 root root 1024 Dec 31 12:00 .
drwxr-xr-x 13 root root 512 Dec 26 21:08 ..
r...@kfreebsd-i386:/var/log# apt-get --yes install syslog-ng
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
libdbd-mysql libdbd-pgsql libdbd-sqlite3
The following NEW packages will be installed:
syslog-ng
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/315 kB of archives.
After this operation, 629 kB of additional disk space will be used.
Selecting previously deselected package syslog-ng.
(Reading database ... 21539 files and directories currently installed.)
Unpacking syslog-ng (from .../syslog-ng_3.1.3-1_kfreebsd-i386.deb) ...
Processing triggers for man-db ...
Setting up syslog-ng (3.1.3-1) ...
Starting system logging: syslog-ng.
localepurge: Disk space freed in /usr/share/locale: 0 KiB
localepurge: Disk space freed in /usr/share/man: 0 KiB
Total disk space freed by localepurge: 0 KiB
r...@kfreebsd-i386:/var/log# ls -al
total 12
drwxr-xr-x 3 root root 512 Dec 31 12:00 .
drwxr-xr-x 13 root root 512 Dec 26 21:08 ..
drwxr-xr-x 2 root root 512 Dec 31 12:00 apt
-rw-r--r-- 1 root root 1197 Dec 31 12:00 dpkg.log
-rwsrwsrwt 1 root adm 206 Dec 31 12:00 messages
-rwsrwsrwt 1 root adm 206 Dec 31 12:00 syslog
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: kfreebsd-i386 (i686)
Kernel: kFreeBSD 8.1-1-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages syslog-ng depends on:
ii libc0.1 2.11.2-7 Embedded GNU C Library: Shared lib
ii libdbi0 0.8.2-3 Database Independent Abstraction L
ii libevtlog0 0.2.8~1-2 Syslog event logger library
ii libglib2.0-0 2.24.2-1 The GLib library of C routines
ii libnet1 1.1.4-2 library for the construction and h
ii libpcre3 8.02-1.1 Perl 5 Compatible Regular Expressi
ii libssl0.9.8 0.9.8o-4 SSL shared libraries
ii libwrap0 7.6.q-19 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-23.1 Linux Standard Base 3.2 init scrip
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages syslog-ng recommends:
ii logrotate 3.7.8-6 Log rotation utility
Versions of packages syslog-ng suggests:
pn libdbd-mysql <none> (no description available)
pn libdbd-pgsql <none> (no description available)
pn libdbd-sqlite3 <none> (no description available)
-- no debconf information
Thanks,
Regards,
--
Steven Chamberlain
ste...@pyro.eu.org
--- End Message ---
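Added example, not code from the bug report or from the syslog-ng package: a small Python audit that flags regular files in a log directory whose mode carries bits beyond the perm(0640) the reporter expected, so a mode of 7777 (-rwsrwsrwt) as seen in the typescript above is reported with every offending bit named. The directory name and sample files in demo() are constructed stand-ins for /var/log.

```python
import os
import stat
import tempfile

# Mode the reporter's syslog-ng.conf asked for via perm(0640).
EXPECTED_MODE = 0o640

# Each entry: (mode bits, finding name). A finding is raised only when the
# bit is present in the file but absent from the expected mode.
CHECKS = [
    (stat.S_ISUID, "setuid"),
    (stat.S_ISGID, "setgid"),
    (stat.S_ISVTX, "sticky"),
    (stat.S_IWGRP, "group-writable"),
    (stat.S_IROTH, "world-readable"),
    (stat.S_IWOTH, "world-writable"),
    (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH, "executable"),
]


def mode_problems(st_mode, expected=EXPECTED_MODE):
    """Return the findings for a raw st_mode (from os.stat), in CHECKS order."""
    perm = stat.S_IMODE(st_mode)          # strip file-type bits, keep suid/sgid/sticky
    extra = perm & ~expected              # bits the expected mode does not allow
    return [name for bits, name in CHECKS if extra & bits]


def audit_logs(directory, expected=EXPECTED_MODE):
    """Scan regular files directly under directory; map name -> findings."""
    report = {}
    for name in sorted(os.listdir(directory)):
        st = os.lstat(os.path.join(directory, name))
        if not stat.S_ISREG(st.st_mode):  # skip subdirectories, symlinks, etc.
            continue
        problems = mode_problems(st.st_mode, expected)
        if problems:
            report[name] = problems
    return report


def demo():
    """Constructed sample: a scratch directory standing in for /var/log."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("messages", 0o666), ("auth.log", 0o640)):
            path = os.path.join(tmp, name)
            open(path, "w").close()
            os.chmod(path, mode)          # explicit chmod, so umask does not apply
        return audit_logs(tmp)


if __name__ == "__main__":
    for name, problems in audit_logs("/var/log").items():
        print(name, ", ".join(problems))
```

Running the script as root against the real /var/log lists only files that deviate from 0640; an empty listing is the expected result on an unaffected system.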
--- Begin Message ---
Source: syslog-ng
Source-Version: 3.1.3-2
We believe that the bug you reported is fixed in the latest version of
syslog-ng, which is due to be installed in the Debian FTP archive:
syslog-ng_3.1.3-2.debian.tar.gz
to main/s/syslog-ng/syslog-ng_3.1.3-2.debian.tar.gz
syslog-ng_3.1.3-2.dsc
to main/s/syslog-ng/syslog-ng_3.1.3-2.dsc
syslog-ng_3.1.3-2_amd64.deb
to main/s/syslog-ng/syslog-ng_3.1.3-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 608...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.hu> (supplier of updated syslog-ng
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Sat, 01 Jan 2011 21:46:47 +0100
Source: syslog-ng
Binary: syslog-ng
Architecture: source amd64
Version: 3.1.3-2
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.hu>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.hu>
Description:
syslog-ng - Next generation logging daemon
Closes: 608491
Changes:
syslog-ng (3.1.3-2) unstable; urgency=high
.
* Security fix on kFreeBSD archs, don't set 7777 rights on logfiles
(closes: #608491).
--- End Message ---