Description of problem:
If you're rotating logs in directories that are writable by users other than root, those users can run commands as root quite easily.

Version-Release number of selected component (if applicable):
logrotate-3.6.5-2

How reproducible:
Always

Steps to Reproduce:
1. First, create a user called "testuser":
   # useradd testuser
2. Create a file called "/etc/logrotate.d/test" with the contents:
   /home/testuser/*.log {
       daily
       compress
   }
3. Then:
   # su - testuser
   $ echo something > "';echo -n 'This command is running as ';whoami;'.log"
   $ exit
   # /usr/sbin/logrotate -f /etc/logrotate.conf

Actual Results:
gzip: /home/testuser/ is a directory -- ignored
This command is running as root
sh: line 1: .log.1: command not found
failed to compress log /home/testuser/';echo -n 'This command is running as ';whoami;'.log.1

As can be seen, it executed the 'echo' and 'whoami' commands we embedded into the log filename ("This command is running as root"). Other mischievous things are obviously possible, such as halting the system (by embedding a "halt" command instead).

Expected Results:
It shouldn't have executed those commands.

Additional info:
It appears an attempt to fix this was made before (see #21348), but clearly the fix was not complete...
Solution is to not point logrotate at directories writeable by untrusted users. Supporting that is just way beyond the design goals. 21348 was intended to fix common-but-odd filenames, not security issues.
Why must it be that way? I don't think it's asking too much to "fix" this. logrotate just needs to escape ' characters properly. Instead of simply placing ' ' characters around the filename as it does now:

gzip -9 '';echo -n 'This command is running as ';whoami;'.log'

it should also escape any ' characters inside the filename:

gzip -9 ''\'';echo -n '\''This command is running as '\'';whoami;'\''.log'

If I were to create a patch that does this, would you include it...?

BTW, I think this problem *may* also be exploitable on directories writable only by root, e.g. in the case of Samba where it creates log filenames based on the machine name provided by the client.
Sure, the bug is real and you're probably right about the samba thing, so patches welcome.
Created attachment 88309: Fix
In the attached patch, I identified and fixed 5 places where filenames were passed to system() without proper escaping:
- 1 when calling scripts
- 2 when compressing
- 2 when mailing

I tested each case, and I'm pretty sure it all works...
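The escaping described in the earlier comment (wrap in single quotes, turn each embedded ' into '\'') and applied at the five system() call sites in the patch, written out as an added example; this is not the attachment's code, and shell_quote() and build_compress_cmd() are names assumed here for illustration:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Wrap `s` in single quotes for a POSIX shell, turning every embedded
 * ' into '\'' (close quote, escaped quote, reopen quote). Returns a
 * malloc()ed string the caller frees; NULL on allocation failure. */
char *shell_quote(const char *s)
{
    size_t n = 2;                     /* the surrounding quotes */
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;    /* ' becomes '\'' */
    char *out = malloc(n + 1);
    if (!out) return NULL;
    char *o = out;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(o, "'\\''", 4); o += 4; }
        else *o++ = *p;
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* Build a compress command line the way the patch does: every filename
 * that reaches system() goes through shell_quote() first. */
char *build_compress_cmd(const char *compress_prog, const char *filename)
{
    char *q = shell_quote(filename);
    if (!q) return NULL;
    size_t n = strlen(compress_prog) + 1 + strlen(q) + 1;
    char *cmd = malloc(n);
    if (cmd) snprintf(cmd, n, "%s %s", compress_prog, q);
    free(q);
    return cmd;
}

int main(void)
{
    /* Constructed filename with the same shape as the one in the report. */
    const char *name = "';echo -n 'This command is running as ';whoami;'.log";
    char *cmd = build_compress_cmd("gzip -9", name);
    if (!cmd) return 1;
    puts(cmd);   /* the shell now sees one argument: the literal filename */
    free(cmd);
    return 0;
}
```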
applied