Logcheck devel - Apr 2005 - Bug#304978: Failed to get lockfile: /var/lock/logcheck.lock

Package: logcheck   
Version: 1.2.37 



Everytime(!) i upgrade debian logcheck i run into the error
that logcheck is trying to generate its lockfile at a
forbidden location.
The error message/mail is a bit missleading too.

When will that error be fixed? (I think i reported it already several
weeks a ago).

As logcheck never runs as "root", that error must
occur on every sane setup system, or?

Why do i not find any reports?

Is it a so common (dangerous) practise to allow every body to
litter "/var/lock" with its private lockfiles? Allowing everybody
to place a link to an unwanted file with the name of
a root lock file? So when root changes the (old) lock, it
changes the "unwanted" file too etc... or it's easy to block root
by placing a lock file with the same name root would test when
everybody can write to "/var/lock".




Decription:

After update logcheck i always get this error mail:

------------------------------------------------------------

Warning: If you are seeing this message, your log files may not have been
checked!

Details:
Failed to get lockfile: /var/lock/logcheck.lock

Check temporary directory:

declare -x HOME="/var/lib/logcheck"
declare -x LOGNAME="logcheck"
declare -x MAILTO="root"
declare -x OLDPWD
declare -x
PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
declare -x PWD="/var/lib/logcheck"
declare -x SHELL="/bin/sh"
declare -x SHLVL="2"

-----------------------------------------------------------------------


Solution:

you must edit the script(!) as logcheck has as security flaw
and tries to place it's lock file under /var/lock/ which is
-of course- only allowed for root!

You must create a directory "logcheck" under /var/lock/

mkdir /var/lock/logcheck
chown logcheck:logcheck /var/lock/logcheck
chmod 755 /var/lock/logcheck

# ll /var/lock/logcheck/
total 8
drwxr-xr-x  2 logcheck logcheck 4096 Apr 16 16:02 .
drwxr-xr-x  5 root     root     4096 Apr 16 06:37 ..


And edit the script(!) like this:


[23:29:49]yoda:/etc/logcheck# diff -Nau /usr/sbin/logcheck
/usr/sbin/logcheck.ori
--- /usr/sbin/logcheck  2005-04-16 23:29:36.000000000 +0200
+++ /usr/sbin/logcheck.ori      2005-04-03 01:00:14.000000000 +0200
@@ -81,7 +81,7 @@
 SORTUNIQ=0
 SUPPORT_CRACKING_IGNORE=0
 SYSLOGSUMMARY=0
-LOCKFILE="/var/lock/logcheck/logcheck"
+LOCKFILE="/var/lock/logcheck"

 # Carry out the clean up tasks
 cleanup() {

--------------------------------------------------------------


Maybe it would ease use a lot if "LOCKFILE" is 
set in /etc/logcheck/logcheck.conf too?






HTH

On Sun, 17 Apr 2005, Rainer Zocholl wrote:
> Everytime(!) i upgrade debian logcheck i run into the error
> that logcheck is trying to generate its lockfile at a
> forbidden location.
> The error message/mail is a bit missleading too.
on debian systems by default belows dir is writable for world:
ls -ld /var/lock
drwxrwxrwt  4 root root 4096 2005-04-18 09:02 /var/lock
 
> When will that error be fixed? (I think i reported it already several
> weeks a ago).
care to add a pointer to that report?
well your system seems broken, you can fix its permissions easily.
 
[further rant snipped] 
> Is it a so common (dangerous) practise to allow every body to
> litter "/var/lock" with its private lockfiles? Allowing everybody
> to place a link to an unwanted file with the name of
> a root lock file? So when root changes the (old) lock, it
> changes the "unwanted" file too etc... or it's easy to block
root
> by placing a lock file with the same name root would test when
> everybody can write to "/var/lock".
well it's a bit hard to follow aboves flow. i try to summarize
* if /var/lock is not world writable, one should have a dir below
  for one owns needs.
* if /var/lock is world writable, one could block logcheck runs.

 
> Decription:
> 
> After update logcheck i always get this error mail:
> 
> ------------------------------------------------------------
> 
> Warning: If you are seeing this message, your log files may not have been
> checked!
> 
> Details:
> Failed to get lockfile: /var/lock/logcheck.lock
> 
> Check temporary directory:
> 
> declare -x HOME="/var/lib/logcheck"
> declare -x LOGNAME="logcheck"
> declare -x MAILTO="root"
> declare -x OLDPWD
> declare -x
PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
> declare -x PWD="/var/lib/logcheck"
> declare -x SHELL="/bin/sh"
> declare -x SHLVL="2"
> 
> -----------------------------------------------------------------------
that mail is pretty clear.
why is it misleading?
 
> Solution:
> 
> you must edit the script(!) as logcheck has as security flaw
> and tries to place it's lock file under /var/lock/ which is
> -of course- only allowed for root!
wrong assumption for any sarge default install.
 
> You must create a directory "logcheck" under /var/lock/
> 
> mkdir /var/lock/logcheck
> chown logcheck:logcheck /var/lock/logcheck
> chmod 755 /var/lock/logcheck
todd what do you think about that dir?
sounds ok for me,
but i don't get why you paranoid guy show your logcheck run
to world, why not use 750 above??
 
> And edit the script(!) like this:
> 
> 
> [23:29:49]yoda:/etc/logcheck# diff -Nau /usr/sbin/logcheck
/usr/sbin/logcheck.ori
> --- /usr/sbin/logcheck  2005-04-16 23:29:36.000000000 +0200
> +++ /usr/sbin/logcheck.ori      2005-04-03 01:00:14.000000000 +0200
> @@ -81,7 +81,7 @@
>  SORTUNIQ=0
>  SUPPORT_CRACKING_IGNORE=0
>  SYSLOGSUMMARY=0
> -LOCKFILE="/var/lock/logcheck/logcheck"
> +LOCKFILE="/var/lock/logcheck"
> 
>  # Carry out the clean up tasks
>  cleanup() {
hehe, you diffed in the wrong order.
but anyway that part is clear.
 
> --------------------------------------------------------------
> 
> 
> Maybe it would ease use a lot if "LOCKFILE" is 
> set in /etc/logcheck/logcheck.conf too?
no,
that file is already long enough,
we don't want stupid config options for the user.
that should just work on runtime.

--
maks

ps i don't get your nospam stuff,
perhaps you'll read your bug report.

Your message dated Tue, 19 Apr 2005 00:02:12 -0400
with message-id <E1DNjwC-0002G1-00 at newraff.debian.org>
and subject line Bug#304978: fixed in logcheck 1.2.38
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 16 Apr 2005 22:05:01
+0000
>From UseNet-Posting-Nospam-74308- at zocki.toppoint.de Sat Apr 16 15:05:01
2005
Return-path: <UseNet-Posting-Nospam-74308- at zocki.toppoint.de>
Received: from archer.toppoint.de (mail.toppoint.de) [195.244.243.1] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DMvPQ-0006Ev-00; Sat, 16 Apr 2005 15:05:01 -0700
Received: (from uucp at localhost)
	by mail.toppoint.de (8.11.7p1+Sun/8.11.7) id j3GM4w301033
	for submit at bugs.debian.org; Sun, 17 Apr 2005 00:04:58 +0200
(MEST)
>Received: by zocki.toppoint.de (CrossPoint/FreeXP v3.40 RC3 (EMS) @
3108030130 R/C6515);
	17 Apr 2005 00:03:55 +0200
Date: 17 Apr 2005 00:03:00 +0200
From: Rainer Zocholl <UseNet-Posting-Nospam-74308- at zocki.toppoint.de>
To: <submit at bugs.debian.org>
Message-ID: <9V3Nq436gjB at zocki.toppoint.de>
Subject: Failed to get lockfile: /var/lock/logcheck.lock
X-Mailer: CrossPoint/FreeXP v3.40 RC3 (EMS) @ 3108030130 R/C6515
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Organization: http://www.toppoint.de
X-ZC-Telefon: V+49-431-5606-550Q V+49-431-562136Q
X-XP-Version: CrossPoint/FreeXP v3.40 RC3 (EMS) @ 3108030130 R/C6515
X-RFC-Converter: E-UUZ/II [FreeXP v3.40.1a RC3] @ 200405292345
Received: from zocki.toppoint.de by archer.toppoint.de; Sun, 17 Apr 2005 00:04
MES
Content-Type: text/plain; charset=US-ASCII
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-7.3 required=4.0 tests=BAYES_00,HAS_PACKAGE,
	MSGID_FROM_MTA_HEADER autolearn=no 
	version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: logcheck   
Version: 1.2.37 



Everytime(!) i upgrade debian logcheck i run into the error
that logcheck is trying to generate its lockfile at a
forbidden location.
The error message/mail is a bit missleading too.

When will that error be fixed? (I think i reported it already several
weeks a ago).

As logcheck never runs as "root", that error must
occur on every sane setup system, or?

Why do i not find any reports?

Is it a so common (dangerous) practise to allow every body to
litter "/var/lock" with its private lockfiles? Allowing everybody
to place a link to an unwanted file with the name of
a root lock file? So when root changes the (old) lock, it
changes the "unwanted" file too etc... or it's easy to block root
by placing a lock file with the same name root would test when
everybody can write to "/var/lock".




Decription:

After update logcheck i always get this error mail:

------------------------------------------------------------

Warning: If you are seeing this message, your log files may not have been
checked!

Details:
Failed to get lockfile: /var/lock/logcheck.lock

Check temporary directory:

declare -x HOME="/var/lib/logcheck"
declare -x LOGNAME="logcheck"
declare -x MAILTO="root"
declare -x OLDPWD
declare -x
PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
declare -x PWD="/var/lib/logcheck"
declare -x SHELL="/bin/sh"
declare -x SHLVL="2"

-----------------------------------------------------------------------


Solution:

you must edit the script(!) as logcheck has as security flaw
and tries to place it's lock file under /var/lock/ which is
-of course- only allowed for root!

You must create a directory "logcheck" under /var/lock/

mkdir /var/lock/logcheck
chown logcheck:logcheck /var/lock/logcheck
chmod 755 /var/lock/logcheck

# ll /var/lock/logcheck/
total 8
drwxr-xr-x  2 logcheck logcheck 4096 Apr 16 16:02 .
drwxr-xr-x  5 root     root     4096 Apr 16 06:37 ..


And edit the script(!) like this:


[23:29:49]yoda:/etc/logcheck# diff -Nau /usr/sbin/logcheck
/usr/sbin/logcheck.ori
--- /usr/sbin/logcheck  2005-04-16 23:29:36.000000000 +0200
+++ /usr/sbin/logcheck.ori      2005-04-03 01:00:14.000000000 +0200
@@ -81,7 +81,7 @@
 SORTUNIQ=0
 SUPPORT_CRACKING_IGNORE=0
 SYSLOGSUMMARY=0
-LOCKFILE="/var/lock/logcheck/logcheck"
+LOCKFILE="/var/lock/logcheck"

 # Carry out the clean up tasks
 cleanup() {

--------------------------------------------------------------


Maybe it would ease use a lot if "LOCKFILE" is 
set in /etc/logcheck/logcheck.conf too?






HTH


---------------------------------------
Received: (at 304978-close) by bugs.debian.org; 19 Apr 2005 04:09:42
+0000
>From katie at ftp-master.debian.org Mon Apr 18 21:09:42 2005
Return-path: <katie at ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DNk3R-0004vh-00; Mon, 18 Apr 2005 21:09:42 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1DNjwC-0002G1-00; Tue, 19 Apr 2005 00:02:12 -0400
From: Todd Troxell <ttroxell at debian.org>
To: 304978-close at bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#304978: fixed in logcheck 1.2.38
Message-Id: <E1DNjwC-0002G1-00 at newraff.debian.org>
Sender: Archive Administrator <katie at ftp-master.debian.org>
Date: Tue, 19 Apr 2005 00:02:12 -0400
Delivered-To: 304978-close at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 3

Source: logcheck
Source-Version: 1.2.38

We believe that the bug you reported is fixed in the latest version of
logcheck, which is due to be installed in the Debian FTP archive:

logcheck-database_1.2.38_all.deb
  to pool/main/l/logcheck/logcheck-database_1.2.38_all.deb
logcheck_1.2.38.dsc
  to pool/main/l/logcheck/logcheck_1.2.38.dsc
logcheck_1.2.38.tar.gz
  to pool/main/l/logcheck/logcheck_1.2.38.tar.gz
logcheck_1.2.38_all.deb
  to pool/main/l/logcheck/logcheck_1.2.38_all.deb
logtail_1.2.38_all.deb
  to pool/main/l/logcheck/logtail_1.2.38_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 304978 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Todd Troxell <ttroxell at debian.org> (supplier of updated logcheck
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Monday, 18 Apr 2005 23:45:00 -0500
Source: logcheck
Binary: logcheck logtail logcheck-database
Architecture: source all
Version: 1.2.38
Distribution: unstable
Urgency: low
Maintainer: Debian logcheck Team <logcheck-devel at
lists.alioth.debian.org>
Changed-By: Todd Troxell <ttroxell at debian.org>
Description: 
 logcheck   - Mails anomalies in the system logfiles to the administrator
 logcheck-database - A database of system log rules for the use of log checkers
 logtail    - Print log file lines that have not been read
Closes: 30088 295352 297995 302678 303176 304978
Changes: 
 logcheck (1.2.38) unstable; urgency=low
 .
   maks:
   * Generalise postfix rule concerning network_biopair_interop.
   * Add rule for ntp message about valid/infalid peers. (Closes #303661)
   * Improve rules .PHONY target + add checkpo rule for the translation check.
   * Add help target to debian/rules documenting the syntax.
   jamie:
   * Add rule in violations.ignore.d/logcheck-postfix for postgrey
     (Closes: #30088)
   * Modify bind notify rule for bind 9.3.x (Closes: #303176)
   * Add various workstation kernel/udev rules for removable devices
     (Closes: #297995)
   * Modify rsync rule to match module names with '.', '-' and
'_'.
     Thanks to SATOH Fumiyasu <fumiya at samba.gr.jp> for the patch
     (Closes: #295352)
   * Add nagios rule for UNKNOWN state service notification.
   * Modify postfix anvil rule for 'max connection' statistics
     messages to match smtps connections too.
   * Add new rules for policyd, a postfix policy daemon.
   * Add more postfix rules for certificate verification failure
     messages.
   * Add new rules for postfix scache (connection cache server).
   * Add rule for bind 9.3 'unexpected RCODE' messages.
   * Modify dnsmasq rule to match '/var/run/dnsmasq/resolv.conf'
     too. (Closes: #302678)
   todd:
   * Change lockfile location from /var/lock/logcheck to
     /var/lock/logcheck/logcheck (Thanks Rainer Zocholl) to avoid
     potential DoS condition. (Closes: #304978)
   * Make lockfile debug messages refer to the correct files.
   * Add note about dh_installlogcheck permissions. (See #302379)
Files: 
 a040986cd3efb1bc4b4b273ed4a0e635 703 admin optional logcheck_1.2.38.dsc
 d82a1faa4198dfa7900e518f8b3581d3 94121 admin optional logcheck_1.2.38.tar.gz
 520c27384c61dc06f55a9698c42b7bbf 44576 admin optional logcheck_1.2.38_all.deb
 70e46d26fa902d29668d16f1f7186af4 61472 admin optional
logcheck-database_1.2.38_all.deb
 6931679c977e9f6025ebbd4e7ccca586 27374 admin optional logtail_1.2.38_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCZH8R4u3oQ3FHP2YRAlR7AJ9f78c4NhflMsODo+Ov+/zR5bWNZACeJy+n
3OqLY4B4e4FxveJ3bkIPBUU=riHA
-----END PGP SIGNATURE-----