File logrotate-3.7.9-su.diff of Package logrotate.361

From 2ceb9af5b48bacd8c7327a8b9b1c42848c24cdd9 Mon Sep 17 00:00:00 2001
From: jkaluza <jkaluza@ec1272ba-9ed1-42ef-8245-99669996828e>
Date: Wed, 9 Mar 2011 09:41:46 +0000
Subject: [PATCH logrotate] Backport svn rev 317, 358-360 (bnc#677335)

- don't accept service owned log directories anymore
- don't run external programs with uid != euid
  - switch euid back to root before running external scripts
  - run compressors and shred as unprivileged user
- add O_NOFOLLOW when opening files as safeguard against symlink tricks
- add "su" config option
---
 config.c    |   45 ++++++++++++++++++
 logrotate.8 |    5 ++
 logrotate.c |  143 +++++++++++++++++++++++++++++++++++++++++++++++++++++-----
 logrotate.h |    3 +
 4 files changed, 183 insertions(+), 13 deletions(-)

diff --git a/config.c b/config.c
index 652cbe9..f2ad04e 100644
--- a/config.c
+++ b/config.c
@@ -440,6 +440,8 @@ int readAllConfigPaths(const char **paths)
 		.createMode = NO_MODE,
 		.createUid = NO_UID,
 		.createGid = NO_GID,
+		.suUid = 0,
+		.suGid = 0,
 		.compress_options_list = NULL,
 		.compress_options_count = 0
     };
@@ -752,6 +754,49 @@ static int readConfigFile(const char *configFile, struct logInfo *defConfig)
 		newlog->flags &= ~LOG_FLAG_MAILFIRST;
 
 		*endtag = oldchar, start = endtag;
+	    } else if (!strcmp(start, "su")) {
+		*endtag = oldchar, start = endtag;
+
+		endtag = start;
+		while (*endtag != '\n')
+		    endtag++;
+		while (isspace(*endtag))
+		    endtag--;
+		endtag++;
+		oldchar = *endtag, *endtag = '\0';
+
+		rc = sscanf(start, "%200s %200s%c", createOwner,
+			createGroup, &foo);
+		if (rc == 3) {
+		    message(MESS_ERROR, "%s:%d extra arguments for "
+			    "su\n", configFile, lineNum);
+		    return 1;
+		}
+
+		if (rc > 0) {
+		    pw = getpwnam(createOwner);
+		    if (!pw) {
+			message(MESS_ERROR, "%s:%d unknown user '%s'\n",
+				configFile, lineNum, createOwner);
+			return 1;
+		    }
+		    newlog->suUid = pw->pw_uid;
+		    endpwent();
+		}
+		if (rc > 1) {
+		    group = getgrnam(createGroup);
+		    if (!group) {
+			message(MESS_ERROR, "%s:%d unknown group '%s'\n",
+				configFile, lineNum, createGroup);
+			return 1;
+		    }
+		    newlog->suGid = group->gr_gid;
+		    endgrent();
+		}
+
+		newlog->flags |= LOG_FLAG_SU;
+
+		*endtag = oldchar, start = endtag;
 	    } else if (!strcmp(start, "create")) {
 		*endtag = oldchar, start = endtag;
 
diff --git a/logrotate.8 b/logrotate.8
index 93d5c6a..54a5460 100644
--- a/logrotate.8
+++ b/logrotate.8
@@ -460,6 +460,11 @@ be created with a .9, skipping 0-8.  Files will still be rotated the
 number of times specified with the \fBcount\fR directive.
 
 .TP
+\fBsu \fIuser\fR \fIgroup\fR
+Rotate log files with the specified user and group instead of using
+the default (usually root).
+
+.TP
 \fBtabooext\fR [+] \fIlist\fR
 The current taboo extension list is changed (see the \fBinclude\fR directive
 for information on the taboo extensions). If a + precedes the list of
diff --git a/logrotate.c b/logrotate.c
index aa405ee..5e4c27a 100644
--- a/logrotate.c
+++ b/logrotate.c
@@ -76,6 +76,8 @@ const char * compress_cmd_list[][2] = {
 };
 
 time_t nowSecs = 0;
+static uid_t save_euid;
+static gid_t save_egid;
 
 static int shred_file(int fd, char *filename, struct logInfo *log);
 
@@ -88,6 +90,48 @@ static int globerr(const char *pathname, int theerr)
     return 1;
 }
 
+int switch_user(uid_t user, gid_t group) {
+	save_egid = getegid();
+	save_euid = geteuid();
+	if (save_euid == user && save_egid == group)
+		return 0;
+	message(MESS_DEBUG, "switching euid to %d and egid to %d\n",
+		user, group);
+	if (setegid(group) || seteuid(user)) {
+		message(MESS_ERROR, "error switching euid to %d and egid to %d: %s\n",
+			user, group, strerror(errno));
+		return 1;
+	}
+	return 0;
+}
+
+int switch_user_back() {
+	return switch_user(save_euid, save_egid);
+}
+
+int switch_user_permanently(const struct logInfo *log) {
+	gid_t group = getegid();
+	uid_t user = geteuid();
+	if (!(log->flags & LOG_FLAG_SU)) {
+		return 0;
+	}
+	if (getuid() == user && getgid() == group)
+		return 0;
+	// switch to full root first
+	if (setgid(getgid()) || setuid(getuid())) {
+		message(MESS_ERROR, "error getting rid of euid != uid\n");
+		return 1;
+	}
+	message(MESS_DEBUG, "switching uid to %d and gid to %d\n",
+		user, group);
+	if (setgid(group) || setuid(user)) {
+		message(MESS_ERROR, "error switching euid to %d and egid to %d: %s\n",
+			user, group, strerror(errno));
+		return 1;
+	}
+	return 0;
+}
+
 static void unescape(char *arg)
 {
 	char *p = arg;
@@ -215,7 +259,7 @@ static struct logState *findState(const char *fn)
 	return p;
 }
 
-static int runScript(char *logfn, char *script)
+static int runScript(struct logInfo *log, char *logfn, char *script)
 {
     int rc;
 
@@ -226,6 +270,12 @@ static int runScript(char *logfn, char *script)
     }
 
 	if (!fork()) {
+		if (log->flags & LOG_FLAG_SU) {
+			if (switch_user_back() != 0) {
+				exit(1);
+			}
+		}
+
 		execl("/bin/sh", "sh", "-c", script, "logrotate_script", logfn, NULL);
 		exit(1);
 	}
@@ -304,6 +354,10 @@ static int shred_file(int fd, char *filename, struct logInfo *log)
 		dup2(fd, 1);
 		close(fd);
 
+		if (switch_user_permanently(log) != 0) {
+			exit(1);
+		}
+
 		execvp(fullCommand[0], (void *) fullCommand);
 		exit(1);
 		}
@@ -325,7 +379,7 @@ static int removeLogFile(char *name, struct logInfo *log)
 	int fd;
     message(MESS_DEBUG, "removing old log %s\n", name);
 
-	if ((fd = open(name, O_RDWR)) < 0) {
+	if ((fd = open(name, O_RDWR | O_NOFOLLOW)) < 0) {
 		message(MESS_ERROR, "error opening %s: %s\n",
 			name, strerror(errno));
 		return 1;
@@ -366,7 +420,7 @@ static int compressLogFile(char *name, struct logInfo *log, struct stat *sb)
     compressedName = alloca(strlen(name) + strlen(log->compress_ext) + 2);
     sprintf(compressedName, "%s%s", name, log->compress_ext);
 
-    if ((inFile = open(name, O_RDWR)) < 0) {
+    if ((inFile = open(name, O_RDWR | O_NOFOLLOW)) < 0) {
 	message(MESS_ERROR, "unable to open %s for compression\n", name);
 	return 1;
     }
@@ -384,6 +438,10 @@ static int compressLogFile(char *name, struct logInfo *log, struct stat *sb)
 	dup2(outFile, 1);
 	close(outFile);
 
+	if (switch_user_permanently(log) != 0) {
+		exit(1);
+	}
+
 	execvp(fullCommand[0], (void *) fullCommand);
 	exit(1);
     }
@@ -409,7 +467,7 @@ static int compressLogFile(char *name, struct logInfo *log, struct stat *sb)
     return 0;
 }
 
-static int mailLog(char *logFile, char *mailCommand,
+static int mailLog(const struct logInfo *log, char *logFile, char *mailCommand,
 		   char *uncompressCommand, char *address, char *subject)
 {
     int mailInput;
@@ -419,7 +477,7 @@ static int mailLog(char *logFile, char *mailCommand,
     char *mailArgv[] = { mailCommand, "-s", subject, address, NULL };
     int rc = 0;
 
-    if ((mailInput = open(logFile, O_RDONLY)) < 0) {
+    if ((mailInput = open(logFile, O_RDONLY | O_NOFOLLOW)) < 0) {
 	message(MESS_ERROR, "failed to open %s for mailing: %s\n", logFile,
 		strerror(errno));
 	return 1;
@@ -439,6 +497,9 @@ static int mailLog(char *logFile, char *mailCommand,
 			close(uncompressPipe[0]);
 			close(uncompressPipe[1]);
 
+			if (switch_user_permanently(log) != 0) {
+				exit(1);
+			}
 			execlp(uncompressCommand, uncompressCommand, NULL);
 			exit(1);
 		}
@@ -453,6 +514,13 @@ static int mailLog(char *logFile, char *mailCommand,
 	close(mailInput);
 	close(1);
 
+	// mail command runs as root
+	if (log->flags & LOG_FLAG_SU) {
+		if (switch_user_back() != 0) {
+			exit(1);
+		}
+	}
+
 	execvp(mailArgv[0], mailArgv);
 	exit(1);
     }
@@ -488,12 +556,12 @@ static int mailLogWrapper(char *mailFilename, char *mailCommand,
     if ((log->flags & LOG_FLAG_COMPRESS) &&
 	!((log->flags & LOG_FLAG_DELAYCOMPRESS) &&
 	  (log->flags & LOG_FLAG_MAILFIRST))) {
-	if (mailLog(mailFilename, mailCommand,
+	if (mailLog(log, mailFilename, mailCommand,
 		    log->uncompress_prog, log->logAddress,
 		    log->files[logNum]))
 	    return 1;
     } else {
-	if (mailLog(mailFilename, mailCommand, NULL,
+	if (mailLog(log, mailFilename, mailCommand, NULL,
 		    log->logAddress, mailFilename))
 	    return 1;
     }
@@ -510,7 +578,7 @@ static int copyTruncate(char *currLog, char *saveLog, struct stat *sb,
     message(MESS_DEBUG, "copying %s to %s\n", currLog, saveLog);
 
     if (!debug) {
-	if ((fdcurr = open(currLog, (flags & LOG_FLAG_COPY) ? O_RDONLY : O_RDWR)) < 0) {
+	if ((fdcurr = open(currLog, ((flags & LOG_FLAG_COPY) ? O_RDONLY : O_RDWR) | O_NOFOLLOW)) < 0) {
 	    message(MESS_ERROR, "error opening %s: %s\n", currLog,
 		    strerror(errno));
 	    return 1;
@@ -608,6 +676,36 @@ int findNeedRotating(struct logInfo *log, int logNum)
 
     message(MESS_DEBUG, "considering log %s\n", log->files[logNum]);
 
+	/* Check if parent directory of this log has safe permissions */
+    if ((log->flags & LOG_FLAG_SU) == 0 && getuid() == 0) {
+	char *ld = ourDirName(log->files[logNum]);
+	if (stat(ld, &sb)) {
+	    /* If parent directory doesn't exist, it's not real error
+	       and rotation is not needed */
+	    if (errno != ENOENT) {
+		message(MESS_ERROR, "stat of %s failed: %s\n", ld,
+			strerror(errno));
+		free(ld);
+		return 1;
+	    }
+	    free(ld);
+	    return 0;
+	}
+	/* Don't rotate in directories writable by others or group which is not "root"  */
+	if (sb.st_uid != 0 || (sb.st_gid != 0 && sb.st_mode & S_IWGRP) || sb.st_mode & S_IWOTH) {
+	    message(MESS_ERROR, "\"%s\" has insecure permissions."
+		    " It must be owned and be writable by root only to avoid security problems."
+		    " Set the \"su\" directive in the config file to tell logrotate which user/group"
+		    " should be used for rotation.\n"
+		    , ld);
+#if 0 // accept nevertheless for now
+	    free(ld);
+	    return 0;
+#endif
+	}
+	free(ld);
+    }
+
     if (stat(log->files[logNum], &sb)) {
 	if ((log->flags & LOG_FLAG_MISSINGOK) && (errno == ENOENT)) {
 	    message(MESS_DEBUG, "  log %s does not exist -- skipping\n",
@@ -1114,7 +1212,7 @@ int rotateSingleLog(struct logInfo *log, int logNum, struct logState *state,
 			security_context_t oldContext = NULL;
 			int fdcurr = -1;
 
-			if ((fdcurr = open(log->files[logNum], O_RDWR)) < 0) {
+			if ((fdcurr = open(log->files[logNum], O_RDWR | O_NOFOLLOW)) < 0) {
 				message(MESS_ERROR, "error opening %s: %s\n",
 						log->files[logNum],
 					strerror(errno));
@@ -1333,6 +1431,12 @@ int rotateLogSet(struct logInfo *log, int force)
 	message(MESS_DEBUG, "old logs are removed\n");
     }
 
+    if (log->flags & LOG_FLAG_SU) {
+	if (switch_user(log->suUid, log->suGid) != 0) {
+	    return 1;
+	}
+    }
+
     for (i = 0; i < log->numFiles; i++) {
 	logHasErrors[i] = findNeedRotating(log, i);
 	hasErrors |= logHasErrors[i];
@@ -1348,10 +1452,17 @@ int rotateLogSet(struct logInfo *log, int force)
 		    "since no logs will be rotated\n");
 	} else {
 	    message(MESS_DEBUG, "running first action script\n");
-	    if (runScript(log->pattern, log->first)) {
+	    if (runScript(log, log->pattern, log->first)) {
 		message(MESS_ERROR, "error running first action script "
 			"for %s\n", log->pattern);
 		hasErrors = 1;
+
+		if (log->flags & LOG_FLAG_SU) {
+		    if (switch_user_back() != 0) {
+			return 1;
+		    }
+		}
+
 		/* finish early, firstaction failed, affects all logs in set */
 		return hasErrors;
 	    }
@@ -1386,7 +1497,7 @@ int rotateLogSet(struct logInfo *log, int force)
 			"since no logs will be rotated\n");
 	    } else {
 		message(MESS_DEBUG, "running prerotate script\n");
-		if (runScript(log->flags & LOG_FLAG_SHAREDSCRIPTS ? log->pattern : log->files[j], log->pre)) {
+		if (runScript(log, log->flags & LOG_FLAG_SHAREDSCRIPTS ? log->pattern : log->files[j], log->pre)) {
 		    if (log->flags & LOG_FLAG_SHAREDSCRIPTS)
 			message(MESS_ERROR,
 				"error running shared prerotate script "
@@ -1421,7 +1532,7 @@ int rotateLogSet(struct logInfo *log, int force)
 			"since no logs were rotated\n");
 	    } else {
 		message(MESS_DEBUG, "running postrotate script\n");
-		if (runScript(log->flags & LOG_FLAG_SHAREDSCRIPTS ? log->pattern : log->files[j], log->post)) {
+		if (runScript(log, log->flags & LOG_FLAG_SHAREDSCRIPTS ? log->pattern : log->files[j], log->post)) {
 		    if (log->flags & LOG_FLAG_SHAREDSCRIPTS)
 			message(MESS_ERROR,
 				"error running shared postrotate script "
@@ -1467,7 +1578,7 @@ int rotateLogSet(struct logInfo *log, int force)
 		    "since no logs will be rotated\n");
 	} else {
 	    message(MESS_DEBUG, "running last action script\n");
-	    if (runScript(log->pattern, log->last)) {
+	    if (runScript(log, log->pattern, log->last)) {
 		message(MESS_ERROR, "error running last action script "
 			"for %s\n", log->pattern);
 		hasErrors = 1;
@@ -1475,6 +1586,12 @@ int rotateLogSet(struct logInfo *log, int force)
 	}
     }
 
+    if (log->flags & LOG_FLAG_SU) {
+	if (switch_user_back() != 0) {
+	    return 1;
+	}
+    }
+
     return hasErrors;
 }
 
diff --git a/logrotate.h b/logrotate.h
index 24e3ec0..1ac94b3 100644
--- a/logrotate.h
+++ b/logrotate.h
@@ -18,6 +18,7 @@
 #define LOG_FLAG_COPY		(1 << 8)
 #define LOG_FLAG_DATEEXT	(1 << 9)
 #define LOG_FLAG_SHRED		(1 << 10)
+#define LOG_FLAG_SU		(1 << 11)
 
 #define NO_MODE ((mode_t) -1)
 #define NO_UID  ((uid_t) -1)
@@ -51,6 +52,8 @@ struct logInfo {
     mode_t createMode;		/* if any/all of these are -1, we use the */
     uid_t createUid;		/* attributes from the log file just rotated */
     gid_t createGid;
+    uid_t suUid;			/* switch user to this uid and group to this gid */
+    gid_t suGid;
     /* these are at the end so they end up nil */
     const char **compress_options_list;
     int compress_options_count;
-- 
1.7.7