reassign 381695 schroot
tags 381695 + confirmed patch
thanks

Helge Kreutzmann <[EMAIL PROTECTED]> writes:

> A while ago testing upgraded to 0.99.2-2, which was broken as it
> [...] verbosely logged the action of the users of dchroot.

> Unfortunately, b) is not yet fixed.

This is the first time it has been reported.  schroot has behaved this
way since last year (0.1.x).

> Before upgrading to 0.99.2-2 I could use dchroot to call binaries in
> my sid ia-32 chroot from an ordinary user account without leaving any
> trace in system logs

0.99.0 and 0.99.1 also behaved in the same way.  Did you upgrade from
0.13 and miss those releases out?

> Aug  6 15:55:46 remaxp schroot[30014]: [ia32 chroot] (helge->helge) Running 
> command: "/bin/bash -c mplayer /tmp/movie.rm"
> in /var/log/messages. 

> This severely intrudes privacy of the user, who even are unable to
> stop this (note about shell history above). For a private machine
> this is less severe, but if employed in a working environment, this
> could be used to trace (part of) the work of the employees, which is
> illegal in many cases here in Germany (unless specifically agreed in
> certain circumstances, in cases of immediate danger, by court order
> or if a direct suspicion of abuse exists and certain representatives
> of the employees agreed on a case-by-case basis).

The reason why the logging is performed is because the schroot service
may be used to gain root access (even without a password, if so
configured; see root-users and root-groups in schroot.conf(5)) and
switch users.  As a result, the commands being run are logged, just as
they are with the su and sudo commands (schroot is implementing their
functionality).

The attached patch will log the command or shell if:

* running as root
* switching to root
* switching to another user

But will not log if:

* the user is the same (not switching) and is not root

Is this acceptable?  When running as root, or switching to another
user, there are security concerns which make logging advisable.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please sign and encrypt your mail.
Index: sbuild/sbuild-session.cc
===================================================================
--- sbuild/sbuild-session.cc	(revision 990)
+++ sbuild/sbuild-session.cc	(working copy)
@@ -754,22 +754,24 @@
 
       log_debug(DEBUG_NOTICE)
 	<< format("Running login shell: %1%") % shell << endl;
-      syslog(LOG_USER|LOG_NOTICE,
-	     "[%s chroot] (%s->%s) Running login shell: '%s'",
-	     session_chroot->get_name().c_str(),
-	     get_ruser().c_str(), get_user().c_str(),
-	     shell.c_str());
+      if (get_uid() == 0 || get_ruid() != get_uid())
+	syslog(LOG_USER|LOG_NOTICE,
+	       "[%s chroot] (%s->%s) Running login shell: '%s'",
+	       session_chroot->get_name().c_str(),
+	       get_ruser().c_str(), get_user().c_str(),
+	       shell.c_str());
     }
   else
     {
       command.push_back(shell);
       log_debug(DEBUG_NOTICE)
 	<< format("Running shell: %1%") % shell << endl;
-      syslog(LOG_USER|LOG_NOTICE,
-	     "[%s chroot] (%s->%s) Running shell: '%s'",
-	     session_chroot->get_name().c_str(),
-	     get_ruser().c_str(), get_user().c_str(),
-	     shell.c_str());
+      if (get_uid() == 0 || get_ruid() != get_uid())
+	syslog(LOG_USER|LOG_NOTICE,
+	       "[%s chroot] (%s->%s) Running shell: '%s'",
+	       session_chroot->get_name().c_str(),
+	       get_ruser().c_str(), get_user().c_str(),
+	       shell.c_str());
     }
 
   if (get_verbosity() != auth::VERBOSITY_QUIET)
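Review bot: The guard `get_uid() == 0 || get_ruid() != get_uid()` is written out twice in this hunk (login shell branch and plain shell branch) with no comment saying why these cases are the ones logged. A small named predicate with a one-line comment (running as root, or switching user) would keep the copies from drifting apart. Both new `if` statements also govern a multi-line `syslog(...)` call without braces, which is easy to break when a second statement is added later.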
@@ -831,8 +833,9 @@
   std::string commandstring = string_list_to_string(command, " ");
   log_debug(DEBUG_NOTICE)
     << format("Running command: %1%") % commandstring << endl;
-  syslog(LOG_USER|LOG_NOTICE, "[%s chroot] (%s->%s) Running command: \"%s\"",
-	 session_chroot->get_name().c_str(), get_ruser().c_str(), get_user().c_str(), commandstring.c_str());
+  if (get_uid() == 0 || get_ruid() != get_uid())
+    syslog(LOG_USER|LOG_NOTICE, "[%s chroot] (%s->%s) Running command: \"%s\"",
+	   session_chroot->get_name().c_str(), get_ruser().c_str(), get_user().c_str(), commandstring.c_str());
 
   if (get_verbosity() != auth::VERBOSITY_QUIET)
     {
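Review bot: With the guard on the only syslog call in this hunk, a same-user non-root invocation leaves no syslog record at all, not just a record without the command. If the aim is to withhold only `commandstring`, consider still logging the chroot name and `(ruser->user)` in that case, or state that dropping the whole entry is intended. For the cases that are still logged, note that `string_list_to_string(command, " ")` joins the arguments with spaces, so argument boundaries cannot be recovered from the record.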
Index: debian/changelog
===================================================================
--- debian/changelog	(revision 990)
+++ debian/changelog	(working copy)
@@ -1,8 +1,13 @@
 schroot (1.0.2-1) UNRELEASED; urgency=low
 
   * New upstream release.
+  * sbuild/sbuild-session.cc: The syslog logging of the command or shell
+    being run in the chroot now only occurs when running as root or
+    switching to another user.  If the user is the same inside and outside
+    the chroot, and not root, the command or shell being run will not be
+    logged.  Thanks to Helge Kreutzmann (Closes: #381695).
 
- -- Roger Leigh <[EMAIL PROTECTED]>  Sun,  6 Aug 2006 21:43:20 +0100
+ -- Roger Leigh <[EMAIL PROTECTED]>  Sun,  6 Aug 2006 21:44:21 +0100
 
 schroot (1.0.1-1) unstable; urgency=low
 
Index: ChangeLog
===================================================================
--- ChangeLog	(revision 990)
+++ ChangeLog	(working copy)
@@ -1,5 +1,16 @@
 2006-08-06  Roger Leigh  <[EMAIL PROTECTED]>
 
+	* debian/changelog: Close #381695.
+
+	* NEWS: Document changed syslog behaviour.
+
+	* sbuild/sbuild-session.cc
+	(get_login_command, get_user_command): syslog logging of the
+	command or shell being run in the chroot now only occurs when
+	running as root or switching to another user.
+
+2006-08-06  Roger Leigh  <[EMAIL PROTECTED]>
+
 	* debian/changelog: Bump version to 1.0.2.
 
 	* NEWS: Bump version to 1.0.2.
Index: NEWS
===================================================================
--- NEWS	(revision 990)
+++ NEWS	(working copy)
@@ -9,7 +9,11 @@
 
 * Major changes in 1.0.2:
 
-  Bugfixes and translation updates only.
+  1) The syslog logging of the command or shell being run in the
+     chroot now only occurs when running as root or switching to
+     another user.  If the user is the same inside and outside the
+     chroot, and not root, the command or shell being run will not be
+     logged.
 
 * Major changes in 1.0.1:
 
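Review bot: The NEWS text says when the command or shell is no longer logged, but not that administrators who relied on these syslog entries as an audit trail lose them for same-user, non-root sessions after upgrading; one sentence saying so would help. The entry is also numbered `1)` although it is the only item listed under 1.0.2.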

Attachment: pgpp8bH3LvR3z.pgp
Description: PGP signature
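
The logging rule described in the message above, applied to syslog records in the format shown in the quoted report. This is an added example, not part of the original mail or of schroot; all sample lines except the first are constructed, and the user name root is assumed to stand for uid 0 because the records carry names rather than numeric uids.

```python
import re

# Message format taken from the syslog() calls in the patch:
#   [<chroot> chroot] (<ruser>-><user>) Running <kind>: <quoted value>
RECORD = re.compile(
    r"schroot\[\d+\]: \[(?P<chroot>.+?) chroot\] "
    r"\((?P<ruser>[^)]*?)->(?P<user>[^)]*)\) "
    r"Running (?P<kind>login shell|shell|command): (?P<what>.*)$"
)

def classify(line):
    """Return a dict describing one schroot syslog record, or None."""
    m = RECORD.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Assumption: the name "root" stands in for uid 0.
    if rec["user"] == "root" and rec["ruser"] != "root":
        rec["transition"] = "switch-to-root"
    elif rec["user"] == "root":
        rec["transition"] = "root"
    elif rec["ruser"] != rec["user"]:
        rec["transition"] = "switch-user"
    else:
        rec["transition"] = "same-user"
    # Patched condition: get_uid() == 0 || get_ruid() != get_uid()
    rec["logged_after_patch"] = rec["transition"] != "same-user"
    return rec

# First line is the record quoted in the report; the rest are constructed.
SAMPLE = [
    'Aug  6 15:55:46 remaxp schroot[30014]: [ia32 chroot] (helge->helge) '
    'Running command: "/bin/bash -c mplayer /tmp/movie.rm"',
    "Aug  6 16:02:11 remaxp schroot[30101]: [ia32 chroot] (helge->root) "
    "Running login shell: '/bin/bash'",
    "Aug  6 16:05:40 remaxp schroot[30150]: [sid chroot] (root->root) "
    "Running shell: '/bin/sh'",
    'Aug  6 16:09:03 remaxp schroot[30177]: [sid chroot] (helge->build) '
    'Running command: "make"',
    "Aug  6 16:10:00 remaxp sshd[999]: Accepted publickey for helge",
]

def audit(lines):
    """Return (transition, ruser, user, chroot) for records the patch keeps."""
    recs = (classify(line) for line in lines)
    return [(r["transition"], r["ruser"], r["user"], r["chroot"])
            for r in recs if r and r["logged_after_patch"]]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row)
```
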