Debian Bug report logs - #279965
logrotate cannot run postrotate script when /tmp is mounted noexec


Package: logrotate; Maintainer for logrotate is Paul Martin <pm@debian.org>; Source for logrotate is src:logrotate.

Reported by: Adorjani Gabor <adi@adi.priv.hu>

Date: Sat, 6 Nov 2004 11:48:03 UTC

Severity: serious

Tags: patch, sarge-ignore

Found in versions 3.7-2, 3.7-3

Fixed in versions logrotate/3.7-4, logrotate/3.7-5

Done: Paul Martin <pm@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Paul Martin <pm@debian.org>:
Bug#279965; Package logrotate.


Acknowledgement sent to Adorjani Gabor <adi@adi.priv.hu>:
New Bug report received and forwarded. Copy sent to Paul Martin <pm@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Adorjani Gabor <adi@adi.priv.hu>
To: submit@bugs.debian.org
Subject: logrotate cannot run postrotate script when /tmp is mounted noexec
Date: Sat, 6 Nov 2004 12:42:28 +0100
Package: logrotate
Version: 3.7-2
Severity: normal

I ran into a very enigmatic problem when I tried to run logrotate on my
server: no matter what postrotate script I specified, the program gave
me an error. It was completely unusable, since it only said "error,
blablabla, cannot run postrotate script", but didn't give me the
specific error code.

After some digging it turned out that logrotate tries to run scripts in
/tmp, which is mounted with the noexec option on this system (and I think
all security-conscious admins would do this, too). However, I cannot
imagine why it does this, since the script in question resides in
/usr/local/sbin - ???

The workaround is of course to set up the TMPDIR environment variable to
a proper value, but it is not documented anywhere in logrotate's
manpage. It doesn't show up in /etc/cron.daily/logrotate , either.

This would be a minor problem, but it's quite irritating and the
solution is not so obvious, that's why I gave it a normal severity.

The system is a Debian Sarge (3.1), fresh install.

Keep up the good work guys! :)

Regards,

Gabor




Information forwarded to debian-bugs-dist@lists.debian.org, Paul Martin <pm@debian.org>:
Bug#279965; Package logrotate.


Acknowledgement sent to Emil Soleyman-Zomalan <emil@nishra.com>:
Extra info received and forwarded to list. Copy sent to Paul Martin <pm@debian.org>.


Message #10 received at 279965@bugs.debian.org:

From: Emil Soleyman-Zomalan <emil@nishra.com>
To: Debian Bug Tracking System <279965@bugs.debian.org>
Subject: PATCH: Allow logrotate when noexec is enabled on /tmp
Date: Sun, 09 Jan 2005 14:56:05 -0800
Package: logrotate
Version: 3.7-2
Followup-For: Bug #279965


I found a patch in Red Hat's Bugzilla that resolves this particular
problem. Please take a look at comment #9 (VÖRÖSBARANYI Zoltán) found
at:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126259

As a quick fix, concerned users will need to edit
/etc/cron.daily/logrotate and assign TMPDIR to a partition that is not
mounted noexec; e.g. TMPDIR=/var/tmp; export TMPDIR.

-- Package-specific info:
Contents of /etc/logrotate.d
total 44
-rw-r--r--  1 root root  477 2005-01-06 09:09 apache
-rw-r--r--  1 root root  366 2004-08-29 23:02 apache.dpkg-dist
-rw-r--r--  1 root root  384 2003-12-08 15:25 base-config
-rw-r--r--  1 root root  172 2005-01-06 09:11 cupsys
-rw-r--r--  1 root root  466 2004-07-08 16:42 nessusd
-rw-r--r--  1 root root  136 2002-12-03 08:46 postgresql
-rw-r--r--  1 root root  328 2002-09-16 18:34 samba
-rw-r--r--  1 root root   68 2002-05-02 08:21 scrollkeeper
-rw-r--r--  1 root root  108 2003-04-16 16:08 shorewall
-rw-r--r--  1 root root  228 2005-01-06 09:08 snort
-rw-r--r--  1 root root 1219 2004-03-13 15:28 syslog-ng


-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (400, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-mh1
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages logrotate depends on:
ii  base-passwd                 3.5.9        Debian base system master password
ii  cron                        3.0pl1-86    management of regular background p
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libpopt0                    1.7-5        lib for parsing cmdline parameters

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Paul Martin <pm@debian.org>:
Bug#279965; Package logrotate.


Acknowledgement sent to Philipp Hartmann <ph@sorgh.de>:
Extra info received and forwarded to list. Copy sent to Paul Martin <pm@debian.org>.


Message #15 received at 279965@bugs.debian.org:

From: Philipp Hartmann <ph@sorgh.de>
To: Debian Bug Tracking System <279965@bugs.debian.org>
Subject: Patch: run postrotate script via /bin/sh again
Date: Tue, 24 May 2005 15:22:58 +0200
Package: logrotate
Version: 3.7-3
Tags: patch
Followup-For: Bug #279965

Hi,

I think this bug is quite serious, since the behaviour of executing
postrotate scripts is different in Woody and Sarge.

Usually, there are no other major issues against mounting /tmp noexec,
except for dpkg, which can be circumvented by using APT and
Dpkg:Pre/Post-Invoke. There are many HowTo's on the net,
explaining how to do this.

Even the "Securing Debian"-HowTo mentions this issue.

I know, mounting /tmp noexec is not a major gain in security. But I
think, since there are many worms out there simply relying on
executing their payload via files in /tmp, why should we make their
lives too easy?

I don't see any rationale, why this behaviour was changed in the first
place. The scripts are trusted ones anyway...

IMHO, there are two ways to cope with this issue:

1) apply the patch, attached to this message
   - it runs the scripts through an explicit shell

2) mention the changed behaviour at least in NEWS.Debian
   - This is necessary, because upgrading from Woody could
     break log rotation completely.

I won't raise the priority of this bug. But because of the upgrading
issue, I think, we should solve it in some way.

I prepared a package, including the attached patch. It works fine for
me. They can be found at

deb http://ele-et.de/debian/packages ./
deb-src http://ele-et.de/debian/packages ./

What do you think?

Regards, 
Philipp


-- Package-specific info:
Contents of /etc/logrotate.d
total 16
-rw-r--r--  1 root root 137 Sep 23  2003 acpid
-rw-r--r--  1 root root  79 Oct  3  2003 aptitude
-rw-r--r--  1 root root 384 Dec 23  2003 base-config
-rw-r--r--  1 root root  68 Dec  9  2003 scrollkeeper


-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (990, 'unstable'), (100, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.11-5
Locale: LANG=C, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)

Versions of packages logrotate depends on:
ii  anacron                     2.3-11       a cron-like program that doesn't g
ii  base-passwd                 3.5.9        Debian base system master password
ii  cron                        3.0pl1-87    management of regular background p
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  libpopt0                    1.7-5        lib for parsing cmdline parameters

-- no debconf information
[42-execlp-bin-sh.dpatch (application/x-shellscript, attachment)]

Tags added: patch. Request was from Philipp Hartmann <ph@sorgh.de> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#279965; Package logrotate.


Acknowledgement sent to Paul Martin <pm@debian.org>:
Extra info received and forwarded to list.


Message #22 received at 279965@bugs.debian.org:

From: Paul Martin <pm@debian.org>
To: Philipp Hartmann <ph@sorgh.de>, 279965@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#279965: Patch: run postrotate script via /bin/sh again
Date: Tue, 24 May 2005 19:46:45 +0100
severity 279965 grave
thanks

On Tue, May 24, 2005 at 03:22:58PM +0200, Philipp Hartmann wrote:

> I think, this bug is quite serious, since the behaviour of executing
> postrotate scripts is different in Woody and Sarge.

> I don't see any rationale, why this behaviour was changed in the first
> place. The scripts are trusted ones anyway...

> IMHO, there are two ways, to cope with this issue:
> 
> 1) apply the patch, attached to this message
>    - it runs the scripts through an explicit shell

Upstream have a different patch (attached). I'm not too sure if I like 
it, as it relies on the size of the arguments you can pass to a shell.

Effectively it turns runScript() into:

static int runScript(char * logfn, char * script) {
    int rc;

    if (debug) {
        message(MESS_DEBUG, "running script with arg %s: \"%s\"\n", 
                logfn, script);
        return 0;
    }

    if (!fork()) {
       execl("/bin/sh", "sh", "-c", script, NULL);
       exit(1);
    }
 
    wait(&rc);
    return rc;
}

...which doesn't rely on writing to a file at all.

However, to not break #276172 again, it should be

       execl("/bin/sh", "sh", "-c", script, "sh", logfn, NULL);


> 2) mention the changed behaviour at least in NEWS.Debian
>    - This is necessary, because upgrading from Woody could
>      break log rotation completely.

I'm torn between the three possible ways out of this. Of the three 
options (your patch, upstream's patch, and documenting the behaviour), I 
tend to prefer the modified version of upstream's patch.

I agree that this bug is more serious than the original reporter 
thought, which is why I've changed it to "grave", because it potentially 
causes data loss when a user upgrades from woody.

(Note to Lars: please, please don't take this as a signal to do an 
instant NMU. This bug requires a bit of thought. I'm going to have to 
consult the release managers.)

-- 
Paul Martin <pm@debian.org>
[logrotate-3.7.1-noTMPDIR.patch (text/plain, attachment)]

Severity set to `grave'. Request was from Paul Martin <pm@debian.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Paul Martin <pm@debian.org>:
Bug#279965; Package logrotate.


Acknowledgement sent to Alex Owen <rao3@leicester.ac.uk>:
Extra info received and forwarded to list. Copy sent to Paul Martin <pm@debian.org>.


Message #29 received at 279965@bugs.debian.org:

From: Alex Owen <rao3@leicester.ac.uk>
To: 279965@bugs.debian.org
Subject: create tmp scripts in /var somewhere ?
Date: Tue, 24 May 2005 22:25:18 +0100 (BST)
Would a better solution (long term) be to have a new config file option
"scriptsdir", which is a dir where scripts are written? If this does not
exist, use the TMPDIR environment variable, and if that does not exist, /tmp.

Also, would it not be possible to generate a better error message, or test
that the mount point of the specified directory is not mounted noexec?

The system logrotate config could then specify "scriptsdir" as
/var/spool/logrotate/ (not checked the FHS but somewhere like that?) and
the package could install that empty directory so that the root logrotate
jobs would work.

The README.NEWS (or whatever the documentation file is called) could then
suggest that users that get the improved error message place a
"scriptsdir" directive in their logrotate.conf files.

Just some random thoughts really, but perhaps some of them are useful!
Alex Owen




Severity set to `serious'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.


Tags added: sarge-ignore. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Paul Martin <pm@debian.org>:
Bug#279965; Package logrotate.


Acknowledgement sent to Alex Owen <rao3@leicester.ac.uk>:
Extra info received and forwarded to list. Copy sent to Paul Martin <pm@debian.org>.


Message #38 received at 279965@bugs.debian.org:

From: Alex Owen <rao3@leicester.ac.uk>
To: 279965@bugs.debian.org
Subject: create tmp scripts in /var somewhere
Date: Wed, 25 May 2005 09:13:20 +0100 (BST)
Some further thoughts on my last post.

If logrotate was setGid to group "logrotate" and there is a directory
under /var that is group writeable by group "logrotate"...  that could be
the place to create any temporary scripts?

Alex Owen




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#279965; Package logrotate.


Acknowledgement sent to Paul Martin <pm@debian.org>:
Extra info received and forwarded to list.


Message #43 received at 279965@bugs.debian.org:

From: Paul Martin <pm@debian.org>
To: Alex Owen <rao3@leicester.ac.uk>, 279965@bugs.debian.org
Subject: Re: Bug#279965: create tmp scripts in /var somewhere
Date: Wed, 25 May 2005 09:47:59 +0100
On Wed, May 25, 2005 at 09:13:20AM +0100, Alex Owen wrote:
> Some further thoughts on my last post.
> 
> If logrotate was setGid to group "logrotate" and there is a directory
> under /var that is group writeable by group "logrotate"...  that could be
> the place to create any temporary scripts?

The upstream patch does away with this by passing the script as the 
argument to "/bin/sh -c".

My only problem with this is what would be the maximum size of script 
that you could pass in that way. For the sake of sarge, I've used
Philipp's patch (with a few minor modifications).

Once sarge is released, I'll probably try the upstream patch.

-- 
Paul Martin <pm@debian.org>



Reply sent to Paul Martin <pm@debian.org>:
You have taken responsibility.


Notification sent to Adorjani Gabor <adi@adi.priv.hu>:
Bug acknowledged by developer.


Message #48 received at 279965-close@bugs.debian.org:

From: Paul Martin <pm@debian.org>
To: 279965-close@bugs.debian.org
Subject: Bug#279965: fixed in logrotate 3.7-4
Date: Wed, 25 May 2005 04:47:39 -0400
Source: logrotate
Source-Version: 3.7-4

We believe that the bug you reported is fixed in the latest version of
logrotate, which is due to be installed in the Debian FTP archive:

logrotate_3.7-4.diff.gz
  to pool/main/l/logrotate/logrotate_3.7-4.diff.gz
logrotate_3.7-4.dsc
  to pool/main/l/logrotate/logrotate_3.7-4.dsc
logrotate_3.7-4_i386.deb
  to pool/main/l/logrotate/logrotate_3.7-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 279965@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Martin <pm@debian.org> (supplier of updated logrotate package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Wed, 25 May 2005 08:49:07 +0100
Source: logrotate
Binary: logrotate
Architecture: source i386
Version: 3.7-4
Distribution: unstable
Urgency: high
Maintainer: Paul Martin <pm@debian.org>
Changed-By: Paul Martin <pm@debian.org>
Description: 
 logrotate  - Log rotation utility
Closes: 279965 300644 310337
Changes: 
 logrotate (3.7-4) unstable; urgency=high
 .
   * 42-execlp-bin-sh: Call /bin/sh directly for scripts. Allows /tmp to
     be mounted noexec. This is a simple fix for sarge -- a potentially
     better fix is available upstream. Thanks to Philipp Hartmann.
     (Closes: #279965)
 .
   * Documentation fixes:
     + 52-man-overriden: Fix spelling of "overridden" in manpage.
       (Closes: #310337)
     + 52-man-mailtypo: Fixes formatting of the -mail option in manpage.
       (Closes: #300644)
Files: 
 bab5e8f88da60ad99725cbac7b0bba7c 574 admin important logrotate_3.7-4.dsc
 b5ebbac4d6a4907886b1d12d82fed18f 14995 admin important logrotate_3.7-4.diff.gz
 e59a2157e9f7ee5a29a53a51615e2345 32338 admin important logrotate_3.7-4_i386.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Paul Martin <pm@debian.org>:
Bug#279965; Package logrotate.


Acknowledgement sent to Philipp Hartmann <ph@sorgh.de>:
Extra info received and forwarded to list. Copy sent to Paul Martin <pm@debian.org>.


Message #53 received at 279965@bugs.debian.org:

From: Philipp Hartmann <ph@sorgh.de>
To: Paul Martin <pm@debian.org>
Cc: 279965@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#279965: Patch: run postrotate script via /bin/sh again
Date: Wed, 25 May 2005 11:36:34 +0200
reopen 279965
thanks

Hi all,

sorry, that I have to reopen the bug!

I introduced something like bug #276172 again in my previous patch.
Although I had fixed it in my local package, somehow I've sent the wrong
version of my patch. This is my fault, silly me!

The problem is the line

execlp("/bin/sh", filespec, logfn, NULL);

Now, "/bin/sh" is called with the name of the script as process name
($0), but it tries to execute the logfile! This is CRITICAL! And will
fail in most cases ... :(

It has to be:
execlp("/bin/sh", filespec, filespec, logfn, NULL);

Then, the behaviour is as before: Process name is filespec, the shell
calls filespec and the argument is logfn. This patch is really working
for me. (The packages at http://ele-et.de/debian/packages already
included the fix). I really don't know, why I sent the wrong patch.

Attached is the corrected patch, including your modification concerning
the file permissions.

I hope, nobody runs into trouble with the last upload.

Apologies,
Philipp



[42-execlp-bin-sh.dpatch (application/x-shellscript, attachment)]
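The three ways of invoking the postrotate script that this thread discusses (the 3.7-4 execlp line that hands the log file to the shell, Philipp's corrected execlp line from message #53, and the modified upstream "/bin/sh -c" form from message #22), as an added C demonstration that is not part of the bug log or of logrotate's own source. It assumes only a POSIX /bin/sh and a writable /tmp; the enum, run_script, write_file and run_demo names are the example's own. The constructed script file is written mode 0644, so it could never be exec'd directly, which is exactly the situation on a noexec /tmp; going through /bin/sh sidesteps that, but only when argv is laid out so that the shell reads the script and not the log.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* The three argv layouts from this bug log: the 3.7-4 mistake, the 3.7-5 fix, upstream -c. */
enum form { WRONG_3_7_4, FIXED_3_7_5, UPSTREAM_SH_C };

/* Run the postrotate script through /bin/sh in a child; return its exit status, or -1 on
 * fork/wait failure or death by signal. The shell reads the script file instead of the
 * kernel exec'ing it, so a noexec mount or a 0644 mode on that file no longer matters. */
static int run_script(enum form f, const char *script, const char *logfn)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (f == WRONG_3_7_4)       /* execlp("/bin/sh", filespec, logfn): sh runs the log file */
            execlp("/bin/sh", script, logfn, (char *)NULL);
        else if (f == FIXED_3_7_5)  /* $0 = filespec, then the file to read, then $1 = logfn */
            execlp("/bin/sh", script, script, logfn, (char *)NULL);
        else                        /* script text via -c; the extra "sh" is $0, logfn is $1 */
            execl("/bin/sh", "sh", "-c", script, "sh", logfn, (char *)NULL);
        _exit(127);                 /* only reached if exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

static int write_file(const char *path, const char *text)  /* fopen creates it mode 0644 */
{
    FILE *fp = fopen(path, "w");
    int ok = fp != NULL && fputs(text, fp) != EOF;
    return (fp != NULL && fclose(fp) == 0 && ok) ? 0 : -1;
}

/* Build constructed sample files in a private dir, run all three forms, store the exit codes.
 * Returns 0, or -1 if setup failed. Expected: *wrong 3 (log executed), *fixed 7, *upstream 0. */
int run_demo(int *wrong, int *fixed, int *upstream)
{
    char dir[64], script[128], logf[128], text[256];
    snprintf(dir, sizeof dir, "/tmp/logrotate-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) return -1;
    snprintf(script, sizeof script, "%s/postrotate.sh", dir);
    snprintf(logf, sizeof logf, "%s/app.log", dir);
    /* "script": exits 7 only if $1 is the log file name it was meant to receive */
    snprintf(text, sizeof text, "[ \"$1\" = '%s' ] || exit 9\nexit 7\n", logf);
    /* "log file": plain shell text exiting 3, so running it by mistake is visible */
    if (write_file(script, text) != 0 || write_file(logf, "exit 3\n") != 0) return -1;
    *wrong = run_script(WRONG_3_7_4, script, logf);
    *fixed = run_script(FIXED_3_7_5, script, logf);
    snprintf(text, sizeof text, "[ \"$0\" = sh ] && [ \"$1\" = '%s' ]", logf);
    *upstream = run_script(UPSTREAM_SH_C, text, logf);
    unlink(script); unlink(logf); rmdir(dir);
    return 0;
}

int main(void)
{
    int w, f, u;                    /* prints "3 7 0" on a system with /bin/sh */
    return (run_demo(&w, &f, &u) == 0 && printf("%d %d %d\n", w, f, u) > 0) ? 0 : 1;
}
```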

Bug reopened, originator not changed. Request was from Philipp Hartmann <ph@sorgh.de> to control@bugs.debian.org.


Reply sent to Paul Martin <pm@debian.org>:
You have taken responsibility.


Notification sent to Adorjani Gabor <adi@adi.priv.hu>:
Bug acknowledged by developer.


Message #60 received at 279965-close@bugs.debian.org:

From: Paul Martin <pm@debian.org>
To: 279965-close@bugs.debian.org
Subject: Bug#279965: fixed in logrotate 3.7-5
Date: Wed, 25 May 2005 06:02:12 -0400
Source: logrotate
Source-Version: 3.7-5

We believe that the bug you reported is fixed in the latest version of
logrotate, which is due to be installed in the Debian FTP archive:

logrotate_3.7-5.diff.gz
  to pool/main/l/logrotate/logrotate_3.7-5.diff.gz
logrotate_3.7-5.dsc
  to pool/main/l/logrotate/logrotate_3.7-5.dsc
logrotate_3.7-5_i386.deb
  to pool/main/l/logrotate/logrotate_3.7-5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 279965@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Martin <pm@debian.org> (supplier of updated logrotate package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Wed, 25 May 2005 10:43:42 +0100
Source: logrotate
Binary: logrotate
Architecture: source i386
Version: 3.7-5
Distribution: unstable
Urgency: high
Maintainer: Paul Martin <pm@debian.org>
Changed-By: Paul Martin <pm@debian.org>
Description: 
 logrotate  - Log rotation utility
Closes: 279965
Changes: 
 logrotate (3.7-5) unstable; urgency=high
 .
   Brown paper bag upload.
 .
   * 42-execlp-bin-sh: Fix major flaw in the last patch... it tries to
     execute the logfile. Thanks very much for the quick report, Philipp.
     It was my fault, not yours. (Closes: #279965)
Files: 
 b351955f3aafd7a41af6f254e0a2f7b5 574 admin important logrotate_3.7-5.dsc
 291d015a7fddd86ee2da4cb7bbb12b19 15081 admin important logrotate_3.7-5.diff.gz
 5601ce421259be28a2d6dfc3356411b4 32424 admin important logrotate_3.7-5_i386.deb







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Aug 14 22:48:08 2018; Machine Name: beach
