On Thu, Jan 30, 2014 at 02:28:35PM +0100, IServ wrote:
> Package: webalizer
> Version: 2.23.05-1
> Severity: normal
> 
> Dear Maintainer,
Dear Martin,

> 
> we have configured our logrotate to use the "dateext" flag for the Apache
> access.log, that is, our logs are named as follows:
> 
> dev2.iserv.eu ~ # ll /var/log/apache2/access.log* --sort=time | head
> -rw-r----- 1 root adm  4929419 Jan 30 14:20 /var/log/apache2/access.log
> lrwxrwxrwx 1 root root      36 Jan 30 00:00 /var/log/apache2/access.log.1 -> /var/log/apache2/access.log-20140130
> -rw-r----- 1 root adm  9281394 Jan 29 23:59 /var/log/apache2/access.log-20140130
> -rw-r----- 1 root adm   223778 Jan 29 00:00 /var/log/apache2/access.log-20140129.gz
> -rw-r----- 1 root adm   199630 Jan 27 23:59 /var/log/apache2/access.log-20140128.gz
> 
> We want webalizer to always read the last complete log (access.log.1 if you
> don't use the "dateext" flag) and so we've written a shell script that sets up
> a symlink after the log has been rotated (see the symlink access.log.1 in the
> ls output above). This worked fine until we upgraded our machines to Debian
> wheezy; since then, webalizer no longer works. If I run the command manually
> I get this error message:
> 
> dev2.iserv.eu ~ # LANG=C /usr/bin/webalizer -c /etc/webalizer/webalizer.conf
> Webalizer V2.23-05 (Linux 3.10-0.bpo.3-amd64 x86_64) locale: 
> /var/log/apache2/access.log.1
> Error: Can't open log file /var/log/apache2/access.log.1 (symlink)
> 
> I assume this is related to a symlink vulnerability that I've read about in
> another bug report (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=359745).

Yes it is. And this bug is quite old; I was not the maintainer at that
time. Also, old-stable (squeeze) should already have had the fix, so I'm a bit
surprised that only the upgrade to wheezy revealed the issue.

> 
> I don't see why a symlinked log would be unsafe though.
I'm not sure either.

> Is it possible that
> the fix for the symlink vulnerability broke this unnecessarily?
It definitely broke your use case. But from the security point of view I
don't know if it was necessary or not.
Also, given that the patch has been reviewed and accepted upstream,
I don't feel that confident to change it again...

> Could the
> original behaviour be restored so that our configuration works again?
Even if I changed it now, it would go to jessie at best, so you'd need a
backport anyway. So you can probably just build a local patched version.

One way to fix your use case could be to update your shell script to use
a hardlink instead of a symlink.

Hope this helps!

Best Regards,

Julien VdG

P.S.: If anyone has some hints on the security implication of this
symlink, please advise me!

-- 
Julien Viard de Galbert                        <jul...@vdg.blogsite.org>
http://silicone.homelinux.org/           <jul...@silicone.homelinux.org>
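The maintainer's suggested workaround, as an added example that is not part of the bug report or of the webalizer package: a POSIX shell script that replaces the reporter's symlink with a hard link to the newest uncompressed "dateext" log, so that webalizer's symlink check no longer rejects access.log.1. The log directory, the access.log-YYYYMMDD naming and the access.log.1 link name are assumptions taken from the ls output quoted above.

```shell
#!/bin/sh
# Added example (not from the bug report or the webalizer package): after
# logrotate has run with "dateext", publish the newest complete, uncompressed
# access.log-YYYYMMDD file under the fixed name access.log.1 as a HARD link,
# which webalizer's symlink check accepts. Assumed layout (from the report):
# logs in /var/log/apache2, rotated files named access.log-[0-9]*, and
# access.log.1 as the name webalizer.conf points at. Hard links need both
# paths on the same filesystem, which holds inside one log directory.

set -eu

# Print the newest uncompressed rotated log. Glob expansion is sorted and
# YYYYMMDD suffixes sort chronologically, so the last match is the newest.
newest_rotated_log() {
    logdir=$1
    newest=""
    for f in "$logdir"/access.log-[0-9]*; do
        [ -f "$f" ] || continue              # unmatched glob or not a file
        [ ! -L "$f" ] || continue            # never use a symlink as source
        case "$f" in *.gz) continue ;; esac  # skip already-compressed logs
        newest=$f
    done
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# Make access.log.1 a hard link to the newest rotated log (idempotent).
publish_last_log() {
    logdir=${1:-/var/log/apache2}
    link="$logdir/access.log.1"
    newest=$(newest_rotated_log "$logdir") || {
        echo "no uncompressed rotated log in $logdir" >&2
        return 1
    }
    # Already the same inode: nothing to do.
    if [ ! -L "$link" ] && [ "$link" -ef "$newest" ]; then
        return 0
    fi
    # A leftover symlink (what the old script created) is removed first so
    # that the switch is visible in the cron mail; ln -f handles stale files.
    if [ -L "$link" ]; then
        echo "replacing symlink $link with a hard link" >&2
        rm -f "$link"
    fi
    ln -f "$newest" "$link"
}

# When run directly with a directory argument, act on that directory.
[ $# -eq 0 ] || publish_last_log "$1"
```

Run it from the logrotate postrotate hook (or the existing cron job) before webalizer; compressed rotations from earlier days are skipped, so the link always names the last complete, still-readable log.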

