Justin B Rye
2004-Jun-05 01:11 UTC
[Logcheck-devel] Bug#252784: logcheck: /etc/logcheck/* should be world-readable
Package: logcheck
Version: 1.2.20a
Severity: normal
Tags: patch

The archived logcheck-database bug #209048: "logcheck directories should be readable by group adm" claims to have been resolved; if you want to revive that one and merge this with it, go ahead, but note the more ambitious subject.

The chgrp/chmod commands in logcheck.postinst currently set badly incoherent permissions: on the one hand, the files in /etc/logcheck are world-readable; on the other hand, the subdirectories are all "750 root:logcheck", so a mere adm-group member can't so much as list the rules files.

Unreadability is pointless in files anyone can download copies of. And once that's fixed, the logcheck-group ownership is redundant. So what they really ought to be is something like "755 root:root".

Suggested patch (against the logcheck-1.2.21 version) attached.

-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing'), (50, 'unstable')
Architecture: i386 (i586)
Kernel: Linux 2.6.6
Locale: LANG=en_GB, LC_CTYPE=en_GB

Versions of packages logcheck depends on:
ii adduser 3.53 Add and remove users and groups
ii cron 3.0pl1-83 management of regular background p
ii debconf [debconf 1.4.25 Debian configuration management sy
ii debianutils 2.8.2 Miscellaneous utilities specific t
ii exim4 4.32-2 An MTA (Mail Transport Agent)
ii exim4-daemon-lig 4.32-2 Lightweight version of the Exim (v
ii lockfile-progs 0.1.10 Programs for locking and unlocking
ii logcheck-databas 1.2.20a A database of system log rules for
ii logtail 1.2.20a Returns parts of logfiles that hav
ii mailx 1:8.1.2-0.20031014cvs-2 A simple mail user agent
ii sysklogd [system 1.4.1-10 System Logging Daemon

-- debconf information:
logcheck/changes:
* logcheck/install-note:

--
JBR
Ankh kak! (Ancient Egyptian blessing)

-------------- next part --------------
--- logcheck.postinst.old 2004-06-05 01:29:21.000000000 +0100 +++ logcheck.postinst.new 2004-06-05 01:34:59.000000000 +0100 
@@ -45,15 +45,9 @@ chown -R logcheck:logcheck /var/lib/logcheck || true chown -R logcheck:logcheck /var/state/logcheck > /dev/null 2>&1 \ || true - chgrp -R logcheck /etc/logcheck || true - chmod 750 /etc/logcheck/ignore.d.paranoid || true - chmod 750 /etc/logcheck/ignore.d.workstation || true - chmod 750 /etc/logcheck/ignore.d.server || true - chmod 750 /etc/logcheck/cracking.d || true - chmod 750 /etc/logcheck/cracking.ignore.d || true - chmod 750 /etc/logcheck/violations.d || true - chmod 750 /etc/logcheck/violations.ignore.d || true - chmod -R g+rX /etc/logcheck || true + chown -R root:root /etc/logcheck || true + chmod -R +r /etc/logcheck || true + chmod +x /etc/logcheck/*.d* || true # just in case chown logcheck /var/lock/logcheck > /dev/null 2>&1 || true fi
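Review bot: in the added lines, the glob in "chmod +x /etc/logcheck/*.d*" matches every entry directly under /etc/logcheck whose name contains ".d", not only the rule directories, so a regular file with such a name would be made executable. In the same hunk, "chmod -R +r" names no permission class and is therefore filtered by whatever umask the postinst runs with. A single "chmod -R a+rX /etc/logcheck" (capital X, as the removed "g+rX" line used) would set search permission on directories only, make the result independent of the umask, and remove the need for the glob line. The recursive form also applies to every file under /etc/logcheck, including rules an administrator has added locally, which deserves a comment in the script if it is intended.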
maks attems
2004-Jun-05 17:14 UTC
Bug#252784: [Logcheck-devel] Bug#252784: logcheck: /etc/logcheck/* should be world-readable
hello justin,

On Sat, 05 Jun 2004, Justin B Rye wrote:
..
> The chgrp/chmod commands in logcheck.postinst currently set badly
> incoherent permissions: on the one hand, the files in /etc/logcheck
> are world-readable; on the other hand, the subdirectories are all
> "750 root:logcheck", so a mere adm-group member can't so much as
> list the rules files.

the files are no longer world readable for latest logcheck in sid.

> Unreadability is pointless in files anyone can download copies of.

well the unreadability is important as it not only affects the known files of the logcheck package but also the local ruleset, which can very likely differ a lot from our upstream!

> And once that's fixed, the logcheck-group ownership is redundant.
> So what they really ought to be is something like "755 root:root".
> Suggested patch (against the logcheck-1.2.21 version) attached.

as the above assumptions don't stand on current logcheck, you may want to reconsider your patch.

anyways thanks for your bug report.

regards
maks
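The mismatch this thread argues over, file mode bits that grant world read access under a directory that other users cannot search, can be checked mechanically. The script below is an added example, not part of the thread or of logcheck; its function names and the temporary tree with its local-rules files are constructed for illustration, and it looks only at classic mode bits (no ACLs).

```shell
#!/bin/sh
# Added example: find files whose own mode is world-readable but which
# "other" users cannot reach because a parent directory denies search (x).
# Only the classic mode bits are checked; ACLs and ownership are ignored.

# Print the three "other" permission characters of a path, e.g. "r-x".
other_bits() {
    ls -ld -- "$1" | cut -c8-10
}

# Succeed if every directory from the file's parent up to the audit root
# grants search permission to "other".
reachable_by_other() {
    top=$1
    dir=$(dirname -- "$2")
    while :; do
        case $(other_bits "$dir") in
            ??x|??t) ;;              # searchable (t = sticky plus x)
            *) return 1 ;;
        esac
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then return 0; fi
        dir=$(dirname -- "$dir")
    done
}

# List the incoherent files under a root: o+r by mode, yet unreachable.
incoherent_files() {
    audit_root=${1%/}
    find "$audit_root" -type f | sort | while IFS= read -r f; do
        case $(other_bits "$f") in
            r??) reachable_by_other "$audit_root" "$f" || printf '%s\n' "$f" ;;
        esac
    done
}

# Build a constructed tree: one rules directory at 750, one at 755.
demo_tree() {
    t=$(mktemp -d)
    mkdir "$t/ignore.d.server" "$t/violations.d"
    for f in "$t/ignore.d.server/local-rules" "$t/violations.d/local-rules"; do
        echo 'constructed rule' > "$f"
        chmod 644 "$f"
    done
    chmod 750 "$t/ignore.d.server"
    chmod 755 "$t/violations.d" "$t"
    printf '%s\n' "$t"
}

tree=$(demo_tree)
incoherent_files "$tree"    # prints only the file under ignore.d.server
rm -rf "$tree"
```

Pointing incoherent_files at a real configuration directory reports where the file modes and the directory modes disagree, which tells an administrator whether the restrictive or the permissive setting is the one actually in force.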
Debian Bug Tracking System
2004-Jun-12 10:48 UTC
[Logcheck-devel] Bug#252784: marked as done (logcheck: /etc/logcheck/* should be world-readable)
Your message dated Sat, 12 Jun 2004 12:41:29 +0200 with message-id <20040612104129.GE1635 at sputnik.stro.at> and subject line Bug#252784: [Logcheck-devel] Bug#252784: logcheck: /etc/logcheck/* should be world-readable has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator (administrator, Debian Bugs database)
> On Sat, 05 Jun 2004, Justin B Rye wrote:

this bug is one week old and its assumptions didn't stand, no reply since. closing.

maks