| Summary: | logrotate has insufficient configuration syntax checking |
|---|---|
| Product: | Red Hat Enterprise Linux 5 |
| Component: | logrotate |
| Version: | 5.6 |
| Hardware: | All |
| OS: | All |
| Status: | CLOSED ERRATA |
| Severity: | unspecified |
| Priority: | unspecified |
| Reporter: | Matti Kurkela <matti.kurkela> |
| Assignee: | Jan Kaluža <jkaluza> |
| QA Contact: | qe-baseos-daemons |
| CC: | azelinka, tsmetana |
| Target Milestone: | rc |
| Target Release: | --- |
| Fixed In Version: | logrotate-3.7.4-13 |
| Doc Type: | Bug Fix |
| Story Points: | --- |
| : | 736053 |
| Last Closed: | 2012-06-04 09:51:35 UTC |
| Type: | --- |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| Category: | --- |
| oVirt Team: | --- |
| Cloudforms Team: | --- |
| Bug Blocks: | 736053, 736054 |

Doc Text:
Cause: Logrotate did not check for proper matching of brackets in config file.
Consequence: This could lead to system files being removed because Logrotate didn't detect the config file error and didn't stop the rotation process for the particular config file.
Fix: Logrotate now checks brackets presence and their matching.
Result: Config file with bad syntax described above is skipped.

Thanks for the report. It's already fixed in logrotate upstream repository and patch ([1], [2]) can be backported.

[1] https://fedorahosted.org/logrotate/changeset/344
[2] https://fedorahosted.org/logrotate/changeset/345

Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Cause: Logrotate did not check for proper matching of brackets in config file.
Consequence: This could lead to system files being removed because Logrotate didn't detect the config file error and didn't stop the rotation process for the particular config file.
Fix: Logrotate now checks brackets presence and their matching.
Result: Config file with bad syntax described above is skipped.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0704.html

Created attachment 521678
My email to logrotate-owner

Description of problem:
Logrotate may inadvertently replace essential system files like /dev/null and /bin/kill with zero-length files if a single "{" character is omitted.

Version-Release number of selected component (if applicable):
logrotate-3.7.4 (according to logrotate changelog, still unfixed in logrotate-3.8.0, which is the current upstream version)

How reproducible:
always

Steps to Reproduce:
1. edit standard RHEL 5.6 /etc/logrotate.d/syslog configuration file, removing the "{" from the line that lists /var/log/secure and other syslog logfiles
2. run /etc/cron.daily/logrotate

Actual results:
When "{" is missing, any valid filenames contained in the options block will be replaced with zero-length files, including /bin/kill, /var/run/[r]syslogd.pid, and /dev/null. Options that don't match to valid filenames will produce error messages, but logrotate will keep going. The /var/lib/logrotate.state file will contain lines that indicate the "filenames" logrotate has attempted to rotate. (This will be useful in restoring the system to normal.)

Expected results:
Logrotate should detect an unexpected "}" character while parsing the configuration file, produce an error message about configuration file syntax error (e.g. "unexpected '}' in file %s line %d, possible missing '{' earlier"), and stop without rotating anything. Alternatively, ignoring the current included configuration file and/or all log files specified after the last valid { ... } block would be acceptable too.

Additional info:
I contacted Jan Kaluza (logrotate-owner). Email attached. He agreed this should be fixed.