
Avoid operating in insecure directories #455

Open
cgzones wants to merge 1 commit into logrotate:main from cgzones:wip


cgzones commented Aug 2, 2022

Logrotate is known to be affected by race conditions when operating
on files in "insecure" directories[1]. Since logrotate is commonly run
as root this can lead to privilege escalation[2,3].

Ensure log and olddir directories are "secure"[4], i.e. owned by a
foreign non-root user or group-writable and owned by a foreign non-root
user or world-writable and sticky-bit not set.

Add a new directive 'allownonsecuredir' as last resort to allow rotation
in such directories.

Supersedes: #237


kdudka commented Aug 3, 2022

Why do we need to cache uid and gid of logrotate process?

kdudka left a comment


Does this pull request make #237 obsolete?

Logrotate is known to be affected by race conditions when operating
on files in "insecure" directories[1].  Since logrotate is commonly run
as root this can lead to privilege escalation[2,3].

Ensure log and olddir directories are "secure"[4], i.e. owned by a
foreign non-root user or group-writable and owned by a foreign non-root
user or world-writable and sticky-bit not set.

Add a new directive 'allownonsecuredir' as last resort to allow rotation
in such directories.

[1]: https://github.com/whotwagner/logrotten
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1705143
[3]: https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/4380
[4]: https://wiki.sei.cmu.edu/confluence/display/c/FIO15-C.+Ensure+that+file+operations+are+performed+in+a+secure+directory

Supersedes: logrotate#237
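
The directory test described in the commit message above, written out as an added example; it is not code from this pull request or from logrotate. The names `classify_dir`, `check_dir` and `enum dir_risk` are hypothetical, and reading the group-writable clause as "group is neither root's nor the process's own" is an assumption.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* for O_DIRECTORY / O_NOFOLLOW on glibc */
#endif
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical result codes: why a directory is unsafe to rotate in. */
enum dir_risk { DIR_OK = 0, DIR_FOREIGN_OWNER, DIR_GROUP_WRITABLE,
                DIR_WORLD_WRITABLE, DIR_ERROR };

/* Pure classification on stat data, so it can be exercised without root.
 * uid/gid are the effective IDs of the process doing the rotation. */
enum dir_risk classify_dir(const struct stat *st, uid_t uid, gid_t gid)
{
    if (!S_ISDIR(st->st_mode))
        return DIR_ERROR;
    /* The owner can always grant itself write access: must be us or root. */
    if (st->st_uid != 0 && st->st_uid != uid)
        return DIR_FOREIGN_OWNER;
    /* Assumption: group write matters when the group is foreign and non-root. */
    if ((st->st_mode & S_IWGRP) && st->st_gid != 0 && st->st_gid != gid)
        return DIR_GROUP_WRITABLE;
    /* World-writable is tolerated only with the sticky bit set. */
    if ((st->st_mode & S_IWOTH) && !(st->st_mode & S_ISVTX))
        return DIR_WORLD_WRITABLE;
    return DIR_OK;
}

/* Check a real directory. fstat() on a descriptor opened with O_NOFOLLOW
 * describes the object that was opened, not whatever the path names later. */
enum dir_risk check_dir(const char *path)
{
    struct stat st;
    enum dir_risk r;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);

    if (fd < 0)
        return DIR_ERROR;
    r = fstat(fd, &st) == 0 ? classify_dir(&st, geteuid(), getegid())
                            : DIR_ERROR;
    close(fd);
    return r;
}
```

A caller would refuse to rotate on any result other than `DIR_OK` unless the `allownonsecuredir` directive is set for that log.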