Bug 736045
Summary: | logrotate has insufficient configuration syntax checking | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Matti Kurkela <matti.kurkela> | ||||
Component: | logrotate | Assignee: | Jan Kaluža <jkaluza> | ||||
Status: | CLOSED ERRATA | QA Contact: | qe-baseos-daemons | ||||
Severity: | unspecified | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 5.6 | CC: | azelinka, tsmetana | ||||
Target Milestone: | rc | ||||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | All | ||||||
Whiteboard: | |||||||
Fixed In Version: | logrotate-3.7.4-13 | Doc Type: | Bug Fix | ||||
Doc Text: |
Cause: Logrotate did not check for proper matching of brackets in config file.
Consequence: This could lead to system files being removed because Logrotate didn't detect the config file error and didn't stop the rotation process for the particular config file.
Fix: Logrotate now checks brackets presence and their matching.
Result: Config file with bad syntax described above is skipped.
|
Story Points: | --- | ||||
Clone Of: | |||||||
: | 736053 (view as bug list) | Environment: | |||||
Last Closed: | 2012-06-04 09:51:35 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 736053, 736054 | ||||||
Attachments: |
|
Thanks for the report. It's already fixed in logrotate upstream repository and patch ([1] ,[2]) can be backported. [1] https://fedorahosted.org/logrotate/changeset/344 [2] https://fedorahosted.org/logrotate/changeset/345 Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Cause: Logrotate did not check for proper matching of brackets in config file. Consequence: This could lead to system files being removed because Logrotate didn't detect the config file error and didn't stop the rotation process for the particular config file. Fix: Logrotate now checks brackets presence and their matching. Result: Config file with bad syntax described above is skipped. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0704.html |
Created attachment 521678 [details] My email to logrotate-owner Description of problem: Logrotate may inadvertently replace essential system files like /dev/null and /bin/kill with zero-length files if a single "{" character is omitted. Version-Release number of selected component (if applicable): logrotate-3.7.4 (according to logrotate changelog, still unfixed in logrotate-3.8.0, which is the current upstream version) How reproducible: always Steps to Reproduce: 1. edit standard RHEL 5.6 /etc/logrotate.d/syslog configuration file, removing the "{" from the line that lists /var/log/secure and other syslog logfiles 2. run /etc/cron.daily/logrotate Actual results: When "{" is missing, any valid filenames contained in the options block will be replaced with zero-length files, including /bin/kill, /var/run/[r]syslogd.pid, and /dev/null. Options that don't match to valid filenames will produce error messages, but logrotate will keep going. The /var/lib/logrotate.state file will contain lines that indicate the "filenames" logrotate has attempted to rotate. (This will be useful in restoring the system to normal.) Expected results: Logrotate should detect an unexpected "}" character while parsing the configuration file, produce an error message about configuration file syntax error (e.g. "unexpected '}' in file %s line %d, possible missing '{' earlier"), and stop without rotating anything. Alternatively, ignoring the current included configuration file and/or all log files specified after the last valid { ... } block would be acceptable too. Additional info: I contacted Jan Kaluza (logrotate-owner). Email attached. He agreed this should be fixed.