Your message dated Tue, 28 Dec 2010 20:35:09 +0000
with message-id <e1pxggd-0005f9...@franck.debian.org>
and subject line Bug#603048: fixed in rails 2.3.5-1.2
has caused the Debian Bug report #603048,
regarding rails: Gives dangerous advice regarding log permissions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
603048: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603048
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: rails
Version: 2.3.5-1.1
Severity: serious
Tags: security patch
Justification: 4

When spawning a process on a Rails by any user that is not the logfile
owner, the following IMHO dangerous advice is given:

    Rails Error: Unable to access log file. Please ensure that
    /home/webapps/servicio.iiec/log/production.log exists and is chmod
    0666. The log level has been raised to WARN and the output
    directed to STDERR until the problem is fixed.

Asking the administrator to make the log files mode 0666 would make
them vulnerable to modification or erasure by any system user. Even
given that many of Rails' users are not Unix-savvy, this should
clearly be rephrased.

This message is generated by the initialize_logger function of
Rails::Initializer, in
/usr/share/rails-ruby1.8/railties/lib/initializer.rb

I suggest the following wording:

--- /usr/share/rails-ruby1.8/railties/lib/initializer.rb        2010-08-26 
12:48:36.000000000 -0500
+++ /tmp/initializer.rb 2010-11-10 10:47:53.000000000 -0600
@@ -492,7 +492,7 @@
           logger = ActiveSupport::BufferedLogger.new(STDERR)
           logger.level = ActiveSupport::BufferedLogger::WARN
           logger.warn(
-            "Rails Error: Unable to access log file. Please ensure that 
#{configuration.log_path} exists and is chmod 0666. " +
+            "Rails Error: Unable to access log file. Please ensure that 
#{configuration.log_path} exists and is write-accessible to UID 
#{Process.euid}, GID #{Process.egid}. " +
             "The log level has been raised to WARN and the output directed to 
STDERR until the problem is fixed."
           )
         end
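Review bot: the new message on the `+` line identifies the process only by numeric effective UID and primary effective GID, so the administrator has to map both back to account names by hand, and a process that would get write access through a supplementary group is shown a GID that is not the one that matters. Consider printing the names next to the numbers (for example Etc.getpwuid(Process.euid).name, with a fallback when the lookup returns nil) and mentioning Process.groups. The sentence also still names no acceptable mode; a short hint such as "owner or group write, not world-writable" would keep readers from reaching for 0666 anyway.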


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-openvz-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages rails depends on:
ii  rails-ruby1.8                 2.3.5-1.1  MVC ruby based framework geared fo

rails recommends no packages.

rails suggests no packages.

-- debconf-show failed



--- End Message ---
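
The distinction the report draws, mode 0666 versus write access for the specific UID/GID the process runs as, can be checked directly against a file's mode bits. The Ruby sketch below is an added example, not part of the original message or of Rails; `audit_log`, `access_class`, `demo` and the sample file are hypothetical names constructed here, and the check assumes classic Unix mode bits only (no ACLs, no root override).

```ruby
require "tmpdir"

WRITE_BIT = { owner: 0o200, group: 0o020, other: 0o002 }.freeze

# Permission class the kernel applies to this identity: owner first, then
# group, then other. There is no fall-through to a later class.
def access_class(stat, uid, gids)
  return :owner if stat.uid == uid
  return :group if gids.include?(stat.gid)
  :other
end

# Audit a log file for the identity that has to write to it.
# Reads classic mode bits only: ACLs and root's override are ignored.
def audit_log(path, uid: Process.euid, gids: [Process.egid] | Process.groups)
  st = File.stat(path)
  mode = st.mode & 0o7777
  klass = access_class(st, uid, gids)
  writable = (mode & WRITE_BIT[klass]) != 0
  world_writable = (mode & 0o002) != 0
  advice =
    if world_writable
      "drop other-write (chmod o-w); grant write via owner or group"
    elsif !writable
      "give UID #{uid} write access via ownership or a shared group, not 0666"
    end
  { mode: format("%04o", mode), class: klass, writable: writable,
    world_writable: world_writable, advice: advice }
end

# Constructed sample: a throwaway production.log audited for an account
# that is not the file owner but shares the file's group.
def demo
  Dir.mktmpdir do |dir|
    log = File.join(dir, "production.log")
    File.write(log, "")
    st = File.stat(log)
    [0o666, 0o640, 0o660].map do |m|
      File.chmod(m, log)
      audit_log(log, uid: st.uid + 1, gids: [st.gid])
    end
  end
end

demo.each { |r| puts r.inspect } if __FILE__ == $0
```

With mode 0660 and a shared group the non-owner process can write and the file is not world-writable, which is the outcome the reworded message steers toward.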
--- Begin Message ---
Source: rails
Source-Version: 2.3.5-1.2

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive:

libactionmailer-ruby1.8_2.3.5-1.2_all.deb
  to main/r/rails/libactionmailer-ruby1.8_2.3.5-1.2_all.deb
libactionmailer-ruby_2.3.5-1.2_all.deb
  to main/r/rails/libactionmailer-ruby_2.3.5-1.2_all.deb
libactionpack-ruby1.8_2.3.5-1.2_all.deb
  to main/r/rails/libactionpack-ruby1.8_2.3.5-1.2_all.deb
libactionpack-ruby_2.3.5-1.2_all.deb
  to main/r/rails/libactionpack-ruby_2.3.5-1.2_all.deb
libactiverecord-ruby1.8_2.3.5-1.2_all.deb
  to main/r/rails/libactiverecord-ruby1.8_2.3.5-1.2_all.deb
libactiverecord-ruby1.9.1_2.3.5-1.2_all.deb
  to main/r/rails/libactiverecord-ruby1.9.1_2.3.5-1.2_all.deb
libactiverecord-ruby_2.3.5-1.2_all.deb
  to main/r/rails/libactiverecord-ruby_2.3.5-1.2_all.deb
libactiveresource-ruby1.8_2.3.5-1.2_all.deb
  to main/r/rails/libactiveresource-ruby1.8_2.3.5-1.2_all.deb
libactiveresource-ruby_2.3.5-1.2_all.deb
  to main/r/rails/libactiveresource-ruby_2.3.5-1.2_all.deb
libactivesupport-ruby1.8_2.3.5-1.2_all.deb
  to main/r/rails/libactivesupport-ruby1.8_2.3.5-1.2_all.deb
libactivesupport-ruby1.9.1_2.3.5-1.2_all.deb
  to main/r/rails/libactivesupport-ruby1.9.1_2.3.5-1.2_all.deb
libactivesupport-ruby_2.3.5-1.2_all.deb
  to main/r/rails/libactivesupport-ruby_2.3.5-1.2_all.deb
rails-doc_2.3.5-1.2_all.deb
  to main/r/rails/rails-doc_2.3.5-1.2_all.deb
rails-ruby1.8_2.3.5-1.2_all.deb
  to main/r/rails/rails-ruby1.8_2.3.5-1.2_all.deb
rails_2.3.5-1.2.debian.tar.gz
  to main/r/rails/rails_2.3.5-1.2.debian.tar.gz
rails_2.3.5-1.2.dsc
  to main/r/rails/rails_2.3.5-1.2.dsc
rails_2.3.5-1.2_all.deb
  to main/r/rails/rails_2.3.5-1.2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 603...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mehdi Dogguy <me...@debian.org> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 27 Dec 2010 20:38:02 +0100
Source: rails
Binary: rails rails-ruby1.8 rails-doc libactiverecord-ruby 
libactiverecord-ruby1.8 libactiverecord-ruby1.9.1 libactivesupport-ruby 
libactivesupport-ruby1.8 libactivesupport-ruby1.9.1 libactionpack-ruby 
libactionpack-ruby1.8 libactionmailer-ruby libactionmailer-ruby1.8 
libactiveresource-ruby libactiveresource-ruby1.8
Architecture: source all
Version: 2.3.5-1.2
Distribution: unstable
Urgency: high
Maintainer: Adam Majer <ad...@zombino.com>
Changed-By: Mehdi Dogguy <me...@debian.org>
Description: 
 libactionmailer-ruby - Framework for generation of customized email messages
 libactionmailer-ruby1.8 - Framework for generation of customized email messages
 libactionpack-ruby - Controller and View framework used by Rails
 libactionpack-ruby1.8 - Controller and View framework used by Rails
 libactiverecord-ruby - ORM database interface for ruby
 libactiverecord-ruby1.8 - ORM database interface for ruby
 libactiverecord-ruby1.9.1 - ORM database interface for ruby
 libactiveresource-ruby - Connects objects and REST web services
 libactiveresource-ruby1.8 - Connects objects and REST web services
 libactivesupport-ruby - utility classes and extensions (Ruby 1.8)
 libactivesupport-ruby1.8 - utility classes and extensions (Ruby 1.8)
 libactivesupport-ruby1.9.1 - utility classes and extensions (Ruby 1.8)
 rails      - MVC ruby based framework geared for web application development
 rails-doc  - Documentation for rails, a MVC ruby based framework
 rails-ruby1.8 - MVC ruby based framework geared for web application development
Closes: 583149 603048
Changes: 
 rails (2.3.5-1.2) unstable; urgency=high
 .
   * Non-maintainer upload.
 .
   [ Laurent Bigonville ]
   * Fix documentation about default listening address (Closes: #583149)
 .
   [ Gunnar Wolf ]
   * Modified a string that recommends the user to do Very Bad Things
     (Closes: #603048)




--- End Message ---
