Your message dated Wed, 11 Oct 2023 19:49:06 +0000
with message-id <[email protected]>
and subject line Bug#688889: fixed in rsyslog 8.2310.0-1
has caused the Debian Bug report #688889,
regarding Dropping privileges by default
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
688889: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688889
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: rsyslog
Version: 5.8.11-1+b1
Severity: wishlist
Recent tests have shown that dropping privilegs is no longer an issue
when reading kernel messages with a recent enough Linux kernel [1].
There still might be issues with our non-Linux ports and when using
remote logging. Those need further investigation.
As for the implementation, using the same uid/gid as Ubuntu (which has
been using this feature for while) seems reasonable.
The rsyslog.conf needs to be changed to contain:
$FileOwner syslog
$FileGroup adm
$PrivDropToUser syslog
$PrivDropToGroup syslog
in postinst (before starting rsyslogd), we would need to create the
syslog system user:
# adduser --system --group --no-create-home --quiet syslog
We should also do a one-time migration of the old log files and properly
chown them.
We probably also need to check the logrotate configuration if it needs
any adjustments.
[1] http://bugs.debian.org/573980
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages rsyslog depends on:
ii initscripts 2.88dsf-32
ii libc6 2.13-35
ii lsb-base 4.1+Debian7
ii zlib1g 1:1.2.7.dfsg-13
Versions of packages rsyslog recommends:
ii logrotate 3.8.2-1
Versions of packages rsyslog suggests:
pn rsyslog-doc <none>
pn rsyslog-gnutls <none>
pn rsyslog-gssapi <none>
pn rsyslog-mysql | rsyslog-pgsql <none>
pn rsyslog-relp <none>
-- Configuration Files:
/etc/rsyslog.conf changed [not included]
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: rsyslog
Source-Version: 8.2310.0-1
Done: Michael Biebl <[email protected]>
We believe that the bug you reported is fixed in the latest version of
rsyslog, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Biebl <[email protected]> (supplier of updated rsyslog package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 11 Oct 2023 21:07:34 +0200
Source: rsyslog
Architecture: source
Version: 8.2310.0-1
Distribution: unstable
Urgency: medium
Maintainer: Michael Biebl <[email protected]>
Changed-By: Michael Biebl <[email protected]>
Closes: 688889 771636
Changes:
rsyslog (8.2310.0-1) unstable; urgency=medium
.
* New upstream version 8.2310.0
* Enable various systemd sandboxing and security hardening features in
rsyslog.service (Closes: #688889, #771636)
Checksums-Sha1:
4ffd538bd89f06f1eacf550e02c7cdf6c1eb4762 3313 rsyslog_8.2310.0-1.dsc
702012a5ed36fe2a07bed78f80de1915787aac75 3349174 rsyslog_8.2310.0.orig.tar.gz
d9f9350784af1bc303b77a9a98d6225306b48679 30400 rsyslog_8.2310.0-1.debian.tar.xz
07a8df83d458c29a42ae01e1508c020c3259c6bc 8270
rsyslog_8.2310.0-1_source.buildinfo
Checksums-Sha256:
848cb880686d739743e9a4df306dd9a6d435a0b3f85c20985b2ed080bb54f444 3313
rsyslog_8.2310.0-1.dsc
20d9ce792bf0a7ed0703dbf0941490f8be655f48b55b4bebdc0827bbb0ddbf11 3349174
rsyslog_8.2310.0.orig.tar.gz
4091a901d8bf05d25baa83a025d860a26b9f1ef3a7b38c114683e6d9dde5763a 30400
rsyslog_8.2310.0-1.debian.tar.xz
12e34d7677fc33a6c87e49c10fae7bbad053592f04793a87f901b16e4177e574 8270
rsyslog_8.2310.0-1_source.buildinfo
Files:
6d1d53fcb0e9bb5f810578a9ca5dedae 3313 admin optional rsyslog_8.2310.0-1.dsc
e492884a5f64d2a069684fcb21171114 3349174 admin optional
rsyslog_8.2310.0.orig.tar.gz
31d87a959509b9441c05d301d2146897 30400 admin optional
rsyslog_8.2310.0-1.debian.tar.xz
15f1a32aa2e78375f18528ccca67f417 8270 admin optional
rsyslog_8.2310.0-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEECbOsLssWnJBDRcxUauHfDWCPItwFAmUm9x0ACgkQauHfDWCP
ItyAzQ//UcMOtoT8mCmLMb58gddSHBKnPr/p3j2EXCJ94Mo+4wS+TvJ+CuAJHYb/
cxmgxXL5Y1Aeam1wqVMOugFNVDLfgkzwgkCfiJu4nHx7Ji5vmLmFtP1eTdvHK3vm
wC7R5p33+3fAa6okJViuoBvdEUQ7OxTm/5KlTc9OBXLZRD9YUYzp/FIb84ujD606
QphrihJCq+6SRycDhbtIgFael+6nJUE+E44RulqmGJPiguoXZ6t+uDKUkMms7ChZ
/AFVX/0VA1cAHZsGqyKQ2qen4Qcud80VH97Xk8byluJxSp8g/sYwXhGbMTXf1Qd9
Ywu0bDo8g7if2npWYezNAbteO6d9ecIFtyz/sZd06etM4cEo/XsvEM4mygTtI/i1
7usl5/AqJx4Dz9aAmbzIO5ZxUT9moBfgZAZ99JGPvSWNpbm1M5m/B0wVaD14uJJo
gEwBjVdFJlUB4lJ2vdWf2WN+aGcsBXB67JpxDq9YL8UTLVz7Xwwnj/SBjzWWO+V8
tSPURWloG0By2DqvC4Te0dM84coJLCi1w7ubDui8mtqjIGAFaYZUVS/2eWorZWj5
emsc5oUipvl6Sw9v7gEGD6Y2zoLpQD3H3obyzXmxZfocBfPskhxz2B5yR1G03XdW
8FYllznfxUsHi30A0/ibsW/VlqGEvAS5MCuOzQ5KwUkSmnd18/w=
=m0/I
-----END PGP SIGNATURE-----
--- End Message ---
