Your message dated Tue, 21 Jan 2020 10:35:01 +0000 with message-id <[email protected]> and subject line Bug#948283: fixed in tinyproxy 1.10.0-4 has caused the Debian Bug report #948283, regarding tinyproxy: If no PidFile is configured logrotate will change the owner of the root directory to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
948283: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948283
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tinyproxy
Version: 1.10.0-2
Severity: critical
Justification: breaks unrelated software

Dear Maintainer,

   * What led up to the situation?

I configured tinyproxy without a PidFile.

   * What exactly did you do (or not do) that was effective (or ineffective)?

I removed the PidFile configuration option from tinyproxy.conf

   * What was the outcome of this action?

The next run of logrotate changed the owner and group of my root directory (`/`) to tinyproxy:tinyproxy.

   * What outcome did you expect instead?

I expected that not to happen.

Example demonstrating the issue in a fresh VM:

root@debian-2gb-fsn1-1:~# stat /
File: /
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 801h/2049d Inode: 2 Links: 18
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2019-12-08 05:11:02.514309382 +0100
Modify: 2020-01-06 01:51:41.524000000 +0100
Change: 2020-01-06 01:51:41.524000000 +0100
Birth: -
root@debian-2gb-fsn1-1:~# apt-get install -yyyyqqqq tinyproxy
Selecting previously unselected package tinyproxy-bin.
(Reading database ... 35006 files and directories currently installed.)
Preparing to unpack .../tinyproxy-bin_1.10.0-2_amd64.deb ...
Unpacking tinyproxy-bin (1.10.0-2) ...
Selecting previously unselected package tinyproxy.
Preparing to unpack .../tinyproxy_1.10.0-2_all.deb ...
Unpacking tinyproxy (1.10.0-2) ...
Setting up tinyproxy-bin (1.10.0-2) ...
Setting up tinyproxy (1.10.0-2) ...
Created symlink /etc/systemd/system/multi-user.target.wants/tinyproxy.service → /lib/systemd/system/tinyproxy.service.
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for systemd (241-7~deb10u2) ...
root@debian-2gb-fsn1-1:~# grep PidFile /etc/tinyproxy/tinyproxy.conf
# PidFile: Write the PID of the main tinyproxy thread to this file so it
PidFile "/run/tinyproxy/tinyproxy.pid"
root@debian-2gb-fsn1-1:~# sed -i '/PidFile/d' /etc/tinyproxy/tinyproxy.conf
root@debian-2gb-fsn1-1:~# grep PidFile /etc/tinyproxy/tinyproxy.conf
root@debian-2gb-fsn1-1:~# systemctl start logrotate
root@debian-2gb-fsn1-1:~# sed -i 's/2020/2019/g' /var/lib/logrotate/status
root@debian-2gb-fsn1-1:~# systemctl start logrotate
root@debian-2gb-fsn1-1:~# stat /
File: /
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 801h/2049d Inode: 2 Links: 18
Access: (0755/drwxr-xr-x) Uid: ( 106/tinyproxy) Gid: ( 112/tinyproxy)
Access: 2019-12-08 05:11:02.514309382 +0100
Modify: 2020-01-06 01:51:41.524000000 +0100
Change: 2020-01-06 01:53:05.254019354 +0100
Birth: -

Note that tinyproxy does not start up with this configuration, because systemd expects the PidFile to appear. For the machine where I noticed this issue I also adjusted the systemd unit to be of `Type=simple`.

While this configuration might not be common and not encountered by the average user it introduced a possible security hole in my system and even if this might not be fully exploitable by the `tinyproxy` user it breaks systemd-tmpfiles:

Jan 06 01:57:53 debian-2gb-fsn1-1 systemd-tmpfiles[282]: Detected unsafe path transition / → /var during canonicalization of /var.

Thus I feel the severity of `critical` is justified for this bug report.

Best regards
Tim Düsterhus

-- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tinyproxy depends on:
ii adduser 3.118
ii logrotate 3.14.0-4
ii lsb-base 10.2019051400
ii tinyproxy-bin 1.10.0-2

tinyproxy recommends no packages.

tinyproxy suggests no packages.

-- Configuration Files:
/etc/tinyproxy/tinyproxy.conf changed:
User tinyproxy
Group tinyproxy
Port 8888
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
LogFile "/var/log/tinyproxy/tinyproxy.log"
LogLevel Info
MaxClients 100
MinSpareServers 5
MaxSpareServers 20
StartServers 10
MaxRequestsPerChild 0
Allow 127.0.0.1
ViaProxyName "tinyproxy"
ConnectPort 443
ConnectPort 563

-- no debconf information
--- End Message ---
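
The systemd-tmpfiles warning quoted in the report, as an added example that is not part of the original message or of tinyproxy's packaging: a shell check that walks a path from / downward and prints each step where the parent directory is owned by a non-root user and the child by a different user. It assumes this is the ownership rule behind the "unsafe path transition" message; OWNER_MAP and the function names are hypothetical, and the ownership table is constructed from the uid shown in the report's second stat output.

```shell
#!/bin/sh
# Added example (not from the bug report or the tinyproxy package).
# Assumed rule: a step parent -> child is unsafe when the parent is owned
# by a non-root uid and the child is owned by a different uid.

# owner_of PATH: print the numeric owner of PATH.
# OWNER_MAP (hypothetical hook): "path uid" lines used instead of stat, so
# the check can be run against constructed data.
owner_of() {
    if [ -n "${OWNER_MAP:-}" ]; then
        printf '%s\n' "$OWNER_MAP" |
            awk -v p="$1" '$1 == p { print $2; f = 1; exit } END { exit !f }'
    else
        stat -c %u -- "$1"
    fi
}

# unsafe_transitions ABSOLUTE_PATH: print "parent -> child" for every unsafe
# step on the way from / to the path; print nothing when the path is clean.
unsafe_transitions() {
    ut_parent=/
    ut_puid=$(owner_of /) || return 2
    ut_rest=${1#/}
    while [ -n "$ut_rest" ]; do
        ut_comp=${ut_rest%%/*}            # next path component
        case $ut_rest in
            */*) ut_rest=${ut_rest#*/} ;;
            *)   ut_rest= ;;
        esac
        [ -n "$ut_comp" ] || continue     # skip empty components ("//")
        ut_child=${ut_parent%/}/$ut_comp
        ut_cuid=$(owner_of "$ut_child") || return 2
        if [ "$ut_puid" -ne 0 ] && [ "$ut_puid" -ne "$ut_cuid" ]; then
            printf '%s -> %s\n' "$ut_parent" "$ut_child"
        fi
        ut_parent=$ut_child
        ut_puid=$ut_cuid
    done
}

# Constructed sample: "/" owned by uid 106, as in the report's second stat.
OWNER_MAP='/ 106
/var 0
/var/log 0
/var/log/tinyproxy 106'
unsafe_transitions /var/log/tinyproxy
```

With OWNER_MAP unset the function reads real ownership through GNU stat, so it can be run against paths such as /var/log on a live system.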
--- Begin Message ---
Source: tinyproxy
Source-Version: 1.10.0-4

We believe that the bug you reported is fixed in the latest version of tinyproxy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <[email protected]> (supplier of updated tinyproxy package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 21 Jan 2020 11:14:47 +0100
Source: tinyproxy
Architecture: source
Version: 1.10.0-4
Distribution: unstable
Urgency: medium
Maintainer: Mike Gabriel <[email protected]>
Changed-By: Mike Gabriel <[email protected]>
Closes: 948283
Changes:
 tinyproxy (1.10.0-4) unstable; urgency=medium
 .
   * debian/tinyproxy.init:
     + Drop unconditional creation of PIDDIR. Follow-up for Vcs-Git commit
       b186fa94. Thanks to Unit193 for spotting this and also for the
       original patch. (Closes: #948283).
--- End Message ---

