Debian Bug report logs - #537907
lynx: all requested URLs are logged to syslog

version graph

Package: lynx; Maintainer for lynx is Atsuhito KOHDA <kohda@debian.org>; Source for lynx is src:lynx-cur.

Reported by: John Houck <houck@space.mit.edu>

Date: Tue, 21 Jul 2009 17:09:04 UTC

Severity: normal

Tags: fixed-upstream

Found in version lynx-cur/2.8.7dev9-2.1

Fixed in version lynx-cur/2.8.8dev.1-1

Done: Atsuhito KOHDA <kohda@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Atsuhito KOHDA <kohda@debian.org>:
Bug#537907; Package lynx. (Tue, 21 Jul 2009 17:09:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to John Houck <houck@space.mit.edu>:
New Bug report received and forwarded. Copy sent to Atsuhito KOHDA <kohda@debian.org>. (Tue, 21 Jul 2009 17:09:07 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: John Houck <houck@space.mit.edu>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lynx: all requested URLs are logged to syslog
Date: Tue, 21 Jul 2009 13:02:56 -0400
Package: lynx
Version: 2.8.7dev9-2.1
Severity: normal


By default, lynx logs all requested URLs to syslog.
For example, if I visit the package web page like so:

  > lynx http://packages.debian.org/stable/web/lynx
  
and then exit, then syslog gets the following entry:

Jul 21 12:34:17 vex lynx[22057]: Session start
Jul 21 12:34:17 vex lynx[22057]: http://packages.debian.org/stable/web/lynx
Jul 21 12:34:26 vex lynx[22057]: Session over

I realize that I can turn off these log entries by adding this:

  SYSLOG_REQUESTED_URLS:FALSE

to my lynxrc, but that should not be necessary.  Users who
don't monitor syslog have no idea this is happening, and would
never think to search for this solution.

The above config entry is also present in the system lynx
config file
   /etc/lynx-cur/lynx.cfg
but strace shows that that file is not opened when lynx starts.


-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages lynx depends on:
ii  lynx-cur                   2.8.7dev9-2.1 Text-mode WWW Browser with NLS sup

lynx recommends no packages.

lynx suggests no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Atsuhito KOHDA <kohda@debian.org>:
Bug#537907; Package lynx. (Thu, 23 Jul 2009 02:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Atsuhito Kohda <kohda@pm.tokushima-u.ac.jp>:
Extra info received and forwarded to list. Copy sent to Atsuhito KOHDA <kohda@debian.org>. (Thu, 23 Jul 2009 02:06:03 GMT) Full text and rfc822 format available.

Message #10 received at 537907@bugs.debian.org (full text, mbox):

From: Atsuhito Kohda <kohda@pm.tokushima-u.ac.jp>
To: houck@space.mit.edu, 537907@bugs.debian.org
Subject: Re: Bug#537907: lynx: all requested URLs are logged to syslog
Date: Thu, 23 Jul 2009 11:05:06 +0900 (JST)
Hi John,

On Tue, 21 Jul 2009 13:02:56 -0400, John Houck wrote:

> By default, lynx logs all requested URLs to syslog.

I believe this was fixed in a very old version.

lynx-cur (2.8.6-9) unstable; urgency=low

  * This is of 2.8.6dev.11
  * syslog'ing of URLs didn't seem to be an appropriate default setting and
    it could be enabled with a setting in lynx.cfg or a command line option
    if lynx was compiled with --enable-syslog.  So I decided to compile lynx 
    with --enable-syslog but to set "SYSLOG_REQUESTED_URLS:FALSE" in lynx.cfg
    You can enable it with a command line option "syslog-urls=on" or with
    editting lynx.cfg appropriately.  (Closes: #288480)

 -- Atsuhito KOHDA <kohda@debian.org>  Thu,  6 Jan 2005 11:10:15 +0900

> I realize that I can turn off these log entries by adding this:
> 
>   SYSLOG_REQUESTED_URLS:FALSE

> The above config entry is also present in the system lynx
> config file
>    /etc/lynx-cur/lynx.cfg
> but strace shows that that file is not opened when lynx starts.

I hear this for the first time.  On my system, "lynx -trace"
outputs Lynx.trace and it shows me;

LYNX_SIG_FILE set to '/home/kohda/.lynxsig'
HTMLDTD: Copying strict DTD element info of size 6664, 119 * 56
Loading cfg file '/etc/lynx-cur/lynx.cfg'.
opening config file /etc/lynx-cur/lynx.cfg
UCGetLYhndl_byAnyName(iso-8859-1)

and so I'm pretty sure that lynx opend /etc/lynx-cur/lynx.cfg

I have no clue at present but don't you set any private
settings or environment variables etc. for lynx?

Regards,    			  2009-7-23(Thu)

-- 
 Debian Developer - much more I18N of Debian
 Atsuhito Kohda <kohda AT debian.org>
 Department of Math., Univ. of Tokushima




Information forwarded to debian-bugs-dist@lists.debian.org, Atsuhito KOHDA <kohda@debian.org>:
Bug#537907; Package lynx. (Thu, 23 Jul 2009 02:36:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to houck@space.mit.edu:
Extra info received and forwarded to list. Copy sent to Atsuhito KOHDA <kohda@debian.org>. (Thu, 23 Jul 2009 02:36:02 GMT) Full text and rfc822 format available.

Message #15 received at 537907@bugs.debian.org (full text, mbox):

From: John Houck <houck@space.mit.edu>
To: Atsuhito Kohda <kohda@pm.tokushima-u.ac.jp>
Cc: 537907@bugs.debian.org
Subject: Re: Bug#537907: lynx: all requested URLs are logged to syslog
Date: Wed, 22 Jul 2009 22:29:16 -0400
On Thu, Jul 23, 2009 at 11:05 +0900, Atsuhito Kohda wrote:
> Hi John,
> 
> On Tue, 21 Jul 2009 13:02:56 -0400, John Houck wrote:
> 
> > By default, lynx logs all requested URLs to syslog.
> 
> I believe this was fixed in a very old version.

Hi,

I'm using the version of lynx from lenny:

  Lynx Version 2.8.7dev.9 (27 Apr 2008)
  libwww-FM 2.14, SSL-MM 1.4.1, ncurses 5.7.20081213(wide)
  Built on linux-gnu Oct 13 2008 22:25:45

[...]
> I hear this for the first time.  On my system, "lynx -trace"
> outputs Lynx.trace and it shows me;
> 
> LYNX_SIG_FILE set to '/home/kohda/.lynxsig'
> HTMLDTD: Copying strict DTD element info of size 6664, 119 * 56
> Loading cfg file '/etc/lynx-cur/lynx.cfg'.
> opening config file /etc/lynx-cur/lynx.cfg
> UCGetLYhndl_byAnyName(iso-8859-1)
> 
> and so I'm pretty sure that lynx opend /etc/lynx-cur/lynx.cfg
> 
> I have no clue at present but don't you set any private
> settings or environment variables etc. for lynx?

I have set LYNX_CFG=$HOME/.lynxrc
I've been using that environment variable setting
for several years.

Running "lynx -trace", and looking in $HOME/Lynx.trace
I see:

LYNX_SIG_FILE set to '/nfs/cxc/h1/houck/.lynxsig'
HTMLDTD: Copying strict DTD element info of size 7616, 119 * 64
Loading cfg file '/nfs/cxc/h1/houck/.lynxrc'.
opening config file /nfs/cxc/h1/houck/.lynxrc
UCGetLYhndl_byAnyName(ISO Latin 1)

Presumably the system lynx.cfg file is ignored when
LYNX_CFG is set.  strace confirms this.

Thanks,
-John




Message sent on to John Houck <houck@space.mit.edu>:
Bug#537907. (Tue, 04 Aug 2009 09:45:05 GMT) Full text and rfc822 format available.

Message #18 received at 537907-submitter@bugs.debian.org (full text, mbox):

From: Thomas Dickey <dickey@his.com>
To: 537907-submitter@bugs.debian.org
Subject: re: #537907 - lynx: all requested URLs are logged to syslog
Date: Tue, 04 Aug 2009 05:41:12 -0400
[Message part 1 (text/plain, inline)]
That's documented in the manpage:

       LYNX_CFG            This  variable,  if  set, will override the default
                           location and name of the global configuration  file
                           (normally,   lynx.cfg)  that  was  defined  by  the
                           LYNX_CFG_FILE  constant  in  the  userdefs.h  file,
                           during  installation.   See the userdefs.h file for
                           more information.

By the way, $HOME/.lynxrc is normally used to save options from the options
menu, has a different format from lynx.cfg (mixing the two is not necessarily
going to work).

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net
[signature.asc (application/pgp-signature, inline)]

Information stored :
Bug#537907; Package lynx. (Tue, 04 Aug 2009 13:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to houck@space.mit.edu:
Extra info received and filed, but not forwarded. (Tue, 04 Aug 2009 13:15:04 GMT) Full text and rfc822 format available.

Message #23 received at 537907-quiet@bugs.debian.org (full text, mbox):

From: John Houck <houck@space.mit.edu>
To: dickey@his.com, 537907-quiet@bugs.debian.org
Subject: Re: Bug#537907: #537907 - lynx: all requested URLs are logged to syslog
Date: Tue, 4 Aug 2009 09:14:18 -0400
[Message part 1 (text/plain, inline)]
On Tue, Aug 04, 2009 at 05:41 -0400, Thomas Dickey wrote:
> That's documented in the manpage:
>
>        LYNX_CFG            This  variable,  if  set, will override the default
>                            location and name of the global configuration  file
>                            (normally,   lynx.cfg)  that  was  defined  by  the
>                            LYNX_CFG_FILE  constant  in  the  userdefs.h  file,
>                            during  installation.   See the userdefs.h file for
>                            more information.
>
> By the way, $HOME/.lynxrc is normally used to save options from the options
> menu, has a different format from lynx.cfg (mixing the two is not necessarily
> going to work).

My main concern is that my browsing history was being logged,
without my knowledge, to a file that I do not own (plus the
annoyance of littering syslog with that stuff).

I understand that this happened because I, the user, made a
mistake.  I also realize that my browsing activity can always
be logged by a sysadmin who manages a firewall or whatever, but
that's beyond my control.

On the other hand, having the browser itself log my activity to
a file that is owned by somebody else seems like a severe
violation of privacy.

Presumably the syslog feature is there for a reason (although
at the moment I can't imagine what for).

When the syslog feature is activated, is it reasonable to have
lynx print some kind of warning about it at startup?

Thanks,
-John
[signature.asc (application/pgp-signature, inline)]

Information stored :
Bug#537907; Package lynx. (Tue, 25 Aug 2009 23:03:23 GMT) Full text and rfc822 format available.

Acknowledgement sent to dickey@his.com:
Extra info received and filed, but not forwarded. (Tue, 25 Aug 2009 23:03:23 GMT) Full text and rfc822 format available.

Message #28 received at 537907-quiet@bugs.debian.org (full text, mbox):

From: Thomas Dickey <dickey@his.com>
To: John Houck <houck@space.mit.edu>
Cc: dickey@his.com, 537907-quiet@bugs.debian.org
Subject: Re: Bug#537907: #537907 - lynx: all requested URLs are logged to syslog
Date: Tue, 25 Aug 2009 18:59:41 -0400
[Message part 1 (text/plain, inline)]
On Tue, Aug 04, 2009 at 09:14:18AM -0400, John Houck wrote:
> On Tue, Aug 04, 2009 at 05:41 -0400, Thomas Dickey wrote:
> > That's documented in the manpage:
> >
> >        LYNX_CFG            This  variable,  if  set, will override the default
> >                            location and name of the global configuration  file
> >                            (normally,   lynx.cfg)  that  was  defined  by  the
> >                            LYNX_CFG_FILE  constant  in  the  userdefs.h  file,
> >                            during  installation.   See the userdefs.h file for
> >                            more information.
> >
> > By the way, $HOME/.lynxrc is normally used to save options from the options
> > menu, has a different format from lynx.cfg (mixing the two is not necessarily
> > going to work).
> 
> My main concern is that my browsing history was being logged,
> without my knowledge, to a file that I do not own (plus the
> annoyance of littering syslog with that stuff).
> 
> I understand that this happened because I, the user, made a
> mistake.  I also realize that my browsing activity can always
> be logged by a sysadmin who manages a firewall or whatever, but
> that's beyond my control.
> 
> On the other hand, having the browser itself log my activity to
> a file that is owned by somebody else seems like a severe
> violation of privacy.
> 
> Presumably the syslog feature is there for a reason (although
> at the moment I can't imagine what for).
> 
> When the syslog feature is activated, is it reasonable to have
> lynx print some kind of warning about it at startup?

perhaps not - it's not an error-condition (such as failing to open a page),
but more like the trace feature.  Changing the default of the setting might
be more effective.

(mail routing also tends to go to the same logfile - the same complaint would
apply to that, I suppose).

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Atsuhito KOHDA <kohda@debian.org>:
Bug#537907; Package lynx. (Sat, 29 Aug 2009 15:36:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to dickey@his.com:
Extra info received and forwarded to list. Copy sent to Atsuhito KOHDA <kohda@debian.org>. (Sat, 29 Aug 2009 15:36:09 GMT) Full text and rfc822 format available.

Message #33 received at 537907@bugs.debian.org (full text, mbox):

From: Thomas Dickey <dickey@his.com>
To: 537907@bugs.debian.org
Cc: 537907-submitter@bugs.debian.org
Subject: re: #537907 lynx: all requested URLs are logged to syslog
Date: Sat, 29 Aug 2009 11:28:53 -0400
[Message part 1 (text/plain, inline)]
fixed in 2.8.8dev.1

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net
[signature.asc (application/pgp-signature, inline)]

Added tag(s) fixed-upstream. Request was from Thomas Dickey <dickey@his.com> to control@bugs.debian.org. (Sat, 29 Aug 2009 15:36:13 GMT) Full text and rfc822 format available.

Message sent on to John Houck <houck@space.mit.edu>:
Bug#537907. (Sat, 29 Aug 2009 15:36:23 GMT) Full text and rfc822 format available.

Reply sent to Atsuhito KOHDA <kohda@debian.org>:
You have taken responsibility. (Tue, 01 Sep 2009 01:00:14 GMT) Full text and rfc822 format available.

Notification sent to John Houck <houck@space.mit.edu>:
Bug acknowledged by developer. (Tue, 01 Sep 2009 01:00:19 GMT) Full text and rfc822 format available.

Message #43 received at 537907-close@bugs.debian.org (full text, mbox):

From: Atsuhito KOHDA <kohda@debian.org>
To: 537907-close@bugs.debian.org
Subject: Bug#537907: fixed in lynx-cur 2.8.8dev.1-1
Date: Tue, 01 Sep 2009 00:37:41 +0000
Source: lynx-cur
Source-Version: 2.8.8dev.1-1

We believe that the bug you reported is fixed in the latest version of
lynx-cur, which is due to be installed in the Debian FTP archive:

lynx-cur-wrapper_2.8.8dev.1-1_all.deb
  to pool/main/l/lynx-cur/lynx-cur-wrapper_2.8.8dev.1-1_all.deb
lynx-cur_2.8.8dev.1-1.diff.gz
  to pool/main/l/lynx-cur/lynx-cur_2.8.8dev.1-1.diff.gz
lynx-cur_2.8.8dev.1-1.dsc
  to pool/main/l/lynx-cur/lynx-cur_2.8.8dev.1-1.dsc
lynx-cur_2.8.8dev.1-1_i386.deb
  to pool/main/l/lynx-cur/lynx-cur_2.8.8dev.1-1_i386.deb
lynx-cur_2.8.8dev.1.orig.tar.gz
  to pool/main/l/lynx-cur/lynx-cur_2.8.8dev.1.orig.tar.gz
lynx_2.8.8dev.1-1_all.deb
  to pool/main/l/lynx-cur/lynx_2.8.8dev.1-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 537907@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Atsuhito KOHDA <kohda@debian.org> (supplier of updated lynx-cur package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 31 Aug 2009 20:04:44 +0900
Source: lynx-cur
Binary: lynx-cur lynx-cur-wrapper lynx
Architecture: source all i386
Version: 2.8.8dev.1-1
Distribution: unstable
Urgency: low
Maintainer: Atsuhito KOHDA <kohda@debian.org>
Changed-By: Atsuhito KOHDA <kohda@debian.org>
Description: 
 lynx       - Text-mode WWW Browser (transitional package)
 lynx-cur   - Text-mode WWW Browser with NLS support (development version)
 lynx-cur-wrapper - Wrapper for lynx-cur
Closes: 231609 352596 408835 537907
Changes: 
 lynx-cur (2.8.8dev.1-1) unstable; urgency=low
 .
   * New Upstream Release.
    - add optional support for IDNA using GNU libidn (Closes: #352596)
    - ignore LEFT-TO-RIGHT-MARK (U+200E) in HTML files (Closes: #408835)
    - correct check for return-value from gnutls_certificate_verify_peers2(),
      which caused some sites to be treated as if they were version-1 X.509 CAs
      (Closes: #231609)
    - change compiled-in default for SYSLOG_REQUESTED_URLS to false.
      (Closes: #537907)
Checksums-Sha1: 
 976ab53e6cee817d4b74c6521bbcc9979768ef58 1171 lynx-cur_2.8.8dev.1-1.dsc
 fcc840c3726e36fcdeb6f08421b0eea10890216c 3426006 lynx-cur_2.8.8dev.1.orig.tar.gz
 923b24501030f059b72207a0eba6fd0d969582b4 30787 lynx-cur_2.8.8dev.1-1.diff.gz
 f8e74b989e2e3b6f5bc81f728aa64baedcdfef0a 17860 lynx-cur-wrapper_2.8.8dev.1-1_all.deb
 5674dcf343fe289d112e8a25ddb13a320eefcbe8 15312 lynx_2.8.8dev.1-1_all.deb
 9f35702f42bbde62689955e519aa21b0350e9f99 2100576 lynx-cur_2.8.8dev.1-1_i386.deb
Checksums-Sha256: 
 b47ba19c513ca2ec94f6ad37b075b367c86029c38613c58b337bf765d48f1da7 1171 lynx-cur_2.8.8dev.1-1.dsc
 3a18454842321e6fbda3599f4de1b8d8179932fe9183cf9d1f886aa772d876d4 3426006 lynx-cur_2.8.8dev.1.orig.tar.gz
 b66bc8bbc7c4395c7e2d57ea37138c6c0d6e07c4edee64935681b0e8d8f42319 30787 lynx-cur_2.8.8dev.1-1.diff.gz
 5abb3400f3f5bf813a575ed1c64d0bc7174dd79c0b581bfaba527cdd007ff360 17860 lynx-cur-wrapper_2.8.8dev.1-1_all.deb
 16d77c67a895bf5ef7c411db948cf8071f9008c234b775d297dc00b9e2437a62 15312 lynx_2.8.8dev.1-1_all.deb
 9956ce16b470d8186c44450a7329602d5f70aa26b82a7b1d5c31e0d116a11223 2100576 lynx-cur_2.8.8dev.1-1_i386.deb
Files: 
 9eea557e8110e0789baf001fb8a4aab3 1171 web extra lynx-cur_2.8.8dev.1-1.dsc
 0b3551feefb96a36d2fee5a11a683a76 3426006 web extra lynx-cur_2.8.8dev.1.orig.tar.gz
 03308bef1433d389c10ea2813483d6b0 30787 web extra lynx-cur_2.8.8dev.1-1.diff.gz
 02829975fc2dfcbf6e6d2509d0477c81 17860 web extra lynx-cur-wrapper_2.8.8dev.1-1_all.deb
 ecbc0c55dee671ecfaf4892750d18c02 15312 web extra lynx_2.8.8dev.1-1_all.deb
 c97af50ece66f8f08a03b8002082a010 2100576 web extra lynx-cur_2.8.8dev.1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqbyB4ACgkQ1IXdL1v6kOwHJACfcxiV62C+MwWGfQ5hqB4kirbR
kDAAnjKQscfB2tvMce+HgTyIraBeKQoL
=b97y
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 29 Sep 2009 07:29:36 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 08:28:27 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.