Your message dated Thu, 09 Apr 2020 16:47:17 +0000
with message-id <e1jmakj-0007gb...@fasolo.debian.org>
and subject line Bug#948283: fixed in tinyproxy 1.10.0-2+deb10u1
has caused the Debian Bug report #948283,
regarding tinyproxy: If no PidFile is configured logrotate will change the
owner of the root directory
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
948283: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948283
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tinyproxy
Version: 1.10.0-2
Severity: critical
Justification: breaks unrelated software
Dear Maintainer,
* What led up to the situation?
I configured tinyproxy without a PidFile.
* What exactly did you do (or not do) that was effective (or
ineffective)?
I removed the PidFile configuration option from tinyproxy.conf
* What was the outcome of this action?
The next run of logrotate changed the owner and group of my root
directory (`/`) to tinyproxy:tinyproxy.
* What outcome did you expect instead?
I expected that not to happen.
Example demonstrating the issue in a fresh VM:
    root@debian-2gb-fsn1-1:~# stat /
    File: /
    Size: 4096 Blocks: 8 IO Block: 4096 directory
    Device: 801h/2049d Inode: 2 Links: 18
    Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
    Access: 2019-12-08 05:11:02.514309382 +0100
    Modify: 2020-01-06 01:51:41.524000000 +0100
    Change: 2020-01-06 01:51:41.524000000 +0100
    Birth: -
    root@debian-2gb-fsn1-1:~# apt-get install -yyyyqqqq tinyproxy
    Selecting previously unselected package tinyproxy-bin.
    (Reading database ... 35006 files and directories currently installed.)
    Preparing to unpack .../tinyproxy-bin_1.10.0-2_amd64.deb ...
    Unpacking tinyproxy-bin (1.10.0-2) ...
    Selecting previously unselected package tinyproxy.
    Preparing to unpack .../tinyproxy_1.10.0-2_all.deb ...
    Unpacking tinyproxy (1.10.0-2) ...
    Setting up tinyproxy-bin (1.10.0-2) ...
    Setting up tinyproxy (1.10.0-2) ...
    Created symlink /etc/systemd/system/multi-user.target.wants/tinyproxy.service → /lib/systemd/system/tinyproxy.service.
    Processing triggers for man-db (2.8.5-2) ...
    Processing triggers for systemd (241-7~deb10u2) ...
    root@debian-2gb-fsn1-1:~# grep PidFile /etc/tinyproxy/tinyproxy.conf
    # PidFile: Write the PID of the main tinyproxy thread to this file so it
    PidFile "/run/tinyproxy/tinyproxy.pid"
    root@debian-2gb-fsn1-1:~# sed -i '/PidFile/d' /etc/tinyproxy/tinyproxy.conf
    root@debian-2gb-fsn1-1:~# grep PidFile /etc/tinyproxy/tinyproxy.conf
    root@debian-2gb-fsn1-1:~# systemctl start logrotate
    root@debian-2gb-fsn1-1:~# sed -i 's/2020/2019/g' /var/lib/logrotate/status
    root@debian-2gb-fsn1-1:~# systemctl start logrotate
    root@debian-2gb-fsn1-1:~# stat /
    File: /
    Size: 4096 Blocks: 8 IO Block: 4096 directory
    Device: 801h/2049d Inode: 2 Links: 18
    Access: (0755/drwxr-xr-x) Uid: ( 106/tinyproxy) Gid: ( 112/tinyproxy)
    Access: 2019-12-08 05:11:02.514309382 +0100
    Modify: 2020-01-06 01:51:41.524000000 +0100
    Change: 2020-01-06 01:53:05.254019354 +0100
    Birth: -
Note that tinyproxy does not start up with this configuration, because systemd
expects the PidFile to appear. For the machine where I noticed this issue I also
adjusted the systemd unit to be of `Type=simple`.
While this configuration might not be common and not encountered by the average
user, it introduced a possible security hole in my system, and even if this might
not be fully exploitable by the `tinyproxy` user, it breaks systemd-tmpfiles:
    Jan 06 01:57:53 debian-2gb-fsn1-1 systemd-tmpfiles[282]: Detected unsafe path transition / → /var during canonicalization of /var.
Thus I feel the severity of `critical` is justified for this bug report.
Best regards
Tim Düsterhus
-- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL
set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set
to en_US.UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages tinyproxy depends on:
ii adduser 3.118
ii logrotate 3.14.0-4
ii lsb-base 10.2019051400
ii tinyproxy-bin 1.10.0-2
tinyproxy recommends no packages.
tinyproxy suggests no packages.
-- Configuration Files:
/etc/tinyproxy/tinyproxy.conf changed:
User tinyproxy
Group tinyproxy
Port 8888
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
LogFile "/var/log/tinyproxy/tinyproxy.log"
LogLevel Info
MaxClients 100
MinSpareServers 5
MaxSpareServers 20
StartServers 10
MaxRequestsPerChild 0
Allow 127.0.0.1
ViaProxyName "tinyproxy"
ConnectPort 443
ConnectPort 563
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: tinyproxy
Source-Version: 1.10.0-2+deb10u1
Done: Mike Gabriel <sunwea...@debian.org>
We believe that the bug you reported is fixed in the latest version of
tinyproxy, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 948...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mike Gabriel <sunwea...@debian.org> (supplier of updated tinyproxy package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 31 Mar 2020 12:31:24 +0200
Source: tinyproxy
Binary: tinyproxy tinyproxy-bin tinyproxy-bin-dbgsym
Architecture: source amd64 all
Version: 1.10.0-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Mike Gabriel <sunwea...@debian.org>
Changed-By: Mike Gabriel <sunwea...@debian.org>
Description:
tinyproxy - Lightweight, non-caching, optionally anonymizing HTTP proxy
tinyproxy-bin - Lightweight, non-caching, optionally anonymizing HTTP proxy
(exec
Closes: 948283
Changes:
tinyproxy (1.10.0-2+deb10u1) buster; urgency=medium
.
* debian/tinyproxy.init:
+ Only set PIDDIR, if PIDFILE is a non-zero length string. (Closes:
#948283).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
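
Added example (not part of the messages above and not the code from debian/tinyproxy.init): a sketch of the failure mode the changelog entry addresses, assuming the directory is derived from the PID file path with dirname and the script runs with / as its working directory. The function names and the sample config are hypothetical; no ownership is changed, the script only reports which directory would be affected.

```shell
#!/bin/sh
# Illustration only: hypothetical helpers, not taken from debian/tinyproxy.init.

# Read the PidFile value from a tinyproxy-style config; prints nothing if unset.
# Comment lines such as "# PidFile: ..." do not match because $1 is "#".
pidfile_from_conf() {
    awk '$1 == "PidFile" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Unguarded derivation: dirname of an empty string is ".", the caller's cwd.
piddir_unguarded() {
    dirname "$1"
}

# Guarded derivation, as the changelog describes: only set the directory
# when the PID file path is a non-zero length string.
piddir_guarded() {
    if [ -n "$1" ]; then dirname "$1"; fi
}

# Resolve the directory an ownership change would hit when run from cwd $2.
# Prints "none" when no directory was derived.
chown_target() {
    [ -n "$1" ] || { echo none; return 0; }
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  (cd "$2" && cd "$1" && pwd -P) ;;
    esac
}

demo() {
    conf=$(mktemp)
    # Constructed sample config with the PidFile directive removed.
    printf '%s\n' '# PidFile: constructed sample' 'User tinyproxy' 'Port 8888' > "$conf"
    pidfile=$(pidfile_from_conf "$conf")
    echo "unguarded target: $(chown_target "$(piddir_unguarded "$pidfile")" /)"
    echo "guarded target:   $(chown_target "$(piddir_guarded "$pidfile")" /)"
    rm -f "$conf"
}
demo
```

A fixed script should also treat a derived directory of "." or "/" as an error before any mkdir or chown, since both indicate a missing or relative path.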