Your message dated Tue, 21 Jan 2020 10:05:27 +0000
with message-id <[email protected]>
and subject line Bug#948283: fixed in tinyproxy 1.10.0-3
has caused the Debian Bug report #948283,
regarding tinyproxy: If no PidFile is configured logrotate will change the owner of the root directory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
948283: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948283
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tinyproxy
Version: 1.10.0-2
Severity: critical
Justification: breaks unrelated software

Dear Maintainer,

   * What led up to the situation?

I configured tinyproxy without a PidFile.

   * What exactly did you do (or not do) that was effective (or ineffective)?

I removed the PidFile configuration option from tinyproxy.conf.

   * What was the outcome of this action?

The next run of logrotate changed the owner and group of my root directory (`/`) to tinyproxy:tinyproxy.

   * What outcome did you expect instead?

I expected that not to happen.

Example demonstrating the issue in a fresh VM:

root@debian-2gb-fsn1-1:~# stat /
  File: /
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 801h/2049d      Inode: 2           Links: 18
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-12-08 05:11:02.514309382 +0100
Modify: 2020-01-06 01:51:41.524000000 +0100
Change: 2020-01-06 01:51:41.524000000 +0100
 Birth: -
root@debian-2gb-fsn1-1:~# apt-get install -yyyyqqqq tinyproxy
Selecting previously unselected package tinyproxy-bin.
(Reading database ... 35006 files and directories currently installed.)
Preparing to unpack .../tinyproxy-bin_1.10.0-2_amd64.deb ...
Unpacking tinyproxy-bin (1.10.0-2) ...
Selecting previously unselected package tinyproxy.
Preparing to unpack .../tinyproxy_1.10.0-2_all.deb ...
Unpacking tinyproxy (1.10.0-2) ...
Setting up tinyproxy-bin (1.10.0-2) ...
Setting up tinyproxy (1.10.0-2) ...
Created symlink /etc/systemd/system/multi-user.target.wants/tinyproxy.service → /lib/systemd/system/tinyproxy.service.
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for systemd (241-7~deb10u2) ...
root@debian-2gb-fsn1-1:~# grep PidFile /etc/tinyproxy/tinyproxy.conf
# PidFile: Write the PID of the main tinyproxy thread to this file so it
PidFile "/run/tinyproxy/tinyproxy.pid"
root@debian-2gb-fsn1-1:~# sed -i '/PidFile/d' /etc/tinyproxy/tinyproxy.conf
root@debian-2gb-fsn1-1:~# grep PidFile /etc/tinyproxy/tinyproxy.conf
root@debian-2gb-fsn1-1:~# systemctl start logrotate
root@debian-2gb-fsn1-1:~# sed -i 's/2020/2019/g' /var/lib/logrotate/status
root@debian-2gb-fsn1-1:~# systemctl start logrotate
root@debian-2gb-fsn1-1:~# stat /
  File: /
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 801h/2049d      Inode: 2           Links: 18
Access: (0755/drwxr-xr-x)  Uid: (  106/tinyproxy)   Gid: (  112/tinyproxy)
Access: 2019-12-08 05:11:02.514309382 +0100
Modify: 2020-01-06 01:51:41.524000000 +0100
Change: 2020-01-06 01:53:05.254019354 +0100
 Birth: -

Note that tinyproxy does not start up with this configuration, because systemd expects the PidFile to appear. For the machine where I noticed this issue I also adjusted the systemd unit to be of `Type=simple`.

While this configuration might not be common and not encountered by the average user, it introduced a possible security hole in my system, and even if this might not be fully exploitable by the `tinyproxy` user, it breaks systemd-tmpfiles:

Jan 06 01:57:53 debian-2gb-fsn1-1 systemd-tmpfiles[282]: Detected unsafe path transition / → /var during canonicalization of /var.

Thus I feel the severity of `critical` is justified for this bug report.

Best regards
Tim Düsterhus

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tinyproxy depends on:
ii  adduser        3.118
ii  logrotate      3.14.0-4
ii  lsb-base       10.2019051400
ii  tinyproxy-bin  1.10.0-2

tinyproxy recommends no packages.

tinyproxy suggests no packages.

-- Configuration Files:
/etc/tinyproxy/tinyproxy.conf changed:
User tinyproxy
Group tinyproxy
Port 8888
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
LogFile "/var/log/tinyproxy/tinyproxy.log"
LogLevel Info
MaxClients 100
MinSpareServers 5
MaxSpareServers 20
StartServers 10
MaxRequestsPerChild 0
Allow 127.0.0.1
ViaProxyName "tinyproxy"
ConnectPort 443
ConnectPort 563

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: tinyproxy
Source-Version: 1.10.0-3

We believe that the bug you reported is fixed in the latest version of
tinyproxy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <[email protected]> (supplier of updated tinyproxy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 21 Jan 2020 10:37:45 +0100
Source: tinyproxy
Architecture: source
Version: 1.10.0-3
Distribution: unstable
Urgency: medium
Maintainer: Mike Gabriel <[email protected]>
Changed-By: Mike Gabriel <[email protected]>
Closes: 948283
Changes:
 tinyproxy (1.10.0-3) unstable; urgency=medium
 .
   * debian/tinyproxy.init:
     + Only set PIDDIR, if PIDFILE is a non-zero length string. (Closes: #948283).
     + Tab-indentation cleanup (whitespace only).
     + Drop usage of chgrp, check for non-zero length USER and GROUP variables.
--- End Message ---
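The failure the report describes (an empty PidFile letting the init script's PIDDIR resolve to `/`) and the guard the 1.10.0-3 changelog adds, as an added shell example that is not Debian's tinyproxy.init; the dirname-based derivation, the function names and the sandbox paths are assumptions, and no real chown is performed.

```shell
#!/bin/sh
# Added example, not the Debian tinyproxy.init script: it models the
# postrotate step that derives PIDDIR from PIDFILE and chowns it, and the
# guard the 1.10.0-3 changelog describes. How tinyproxy.init actually
# derives PIDDIR is not shown on the page; dirname is an assumption here.

# Unguarded derivation: dirname of an empty PIDFILE is ".", so a relative
# result resolves against the caller's working directory, which is / when
# logrotate runs from a systemd timer.
unguarded_piddir() {
    PIDDIR="$(dirname "$1")"
    case "$PIDDIR" in
        /*) printf '%s\n' "$PIDDIR" ;;
        *)  (cd "$PIDDIR" && pwd -P) ;;
    esac
}

# Guarded derivation: refuse an empty or relative PIDFILE, empty USER/GROUP,
# and a PIDDIR that is the filesystem root (an extra check beyond the
# changelog). Prints the directory to chown, or returns 1 to skip.
guarded_piddir() {
    pidfile="$1" user="$2" group="$3"
    [ -n "$pidfile" ] || return 1
    [ -n "$user" ] && [ -n "$group" ] || return 1
    case "$pidfile" in /*) ;; *) return 1 ;; esac
    PIDDIR="$(dirname "$pidfile")"
    [ "$PIDDIR" != "/" ] || return 1
    printf '%s\n' "$PIDDIR"
}

# Simulated postrotate step: the real script would run
# `chown $USER:$GROUP $PIDDIR`; here we only create the directory and
# report the command that would have run, so it is safe to execute anywhere.
postrotate_sim() {
    dir="$(guarded_piddir "$@")" || { printf 'skip\n'; return 0; }
    mkdir -p "$dir" && printf 'chown %s:%s %s\n' "$2" "$3" "$dir"
}

# Stand-alone demo in a constructed sandbox directory.
demo() {
    sb="$(mktemp -d)"
    (cd / && printf 'unguarded, empty PidFile -> %s\n' "$(unguarded_piddir "")")
    postrotate_sim "" tinyproxy tinyproxy
    postrotate_sim "$sb/run/tinyproxy/tinyproxy.pid" tinyproxy tinyproxy
    rm -rf "$sb"
}
demo
```

Run with `cd /` in effect, the unguarded form prints `/`, which is exactly the directory the report's second `stat /` shows chowned to tinyproxy:tinyproxy.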

