Logrotate and “insecure permissions”: What can actually go wrong?What is the difference between double and single square brackets in bash?Logrotate and Open FilesApache, logerror and logrotate: what is the best method?Apache, and logrotate instancesHow can I monitor what logrotate is doing?What permissions should my website files/folders have on a Linux webserver?logrotate daily and size?What actually calls logrotate in CentOS 6.3SELinux permissions for LogRotate and ApacheConflicting Logrotate Permissions
Is a lifestealing melee cantrip, in the form of booming blade, unbalanced?
What is a "listed natural gas appliance"?
Airbnb - host wants to reduce rooms, can we get refund?
What algorithms are considered reinforcement learning algorithms?
Upside-Down Pyramid Addition...REVERSED!
Was Unix ever a single-user OS?
How to improve/restore vintage Peugeot bike, or is it even worth it?
Do I really need diodes to receive MIDI?
SQL Server Management Studio SSMS 18.0 General Availability release (GA) install fails
Identifying a transmission to myself
Point of the the Dothraki's attack in GoT S8E3?
How to give very negative feedback gracefully?
To customize a predefined symbol with different colors
Should I replace my bicycle tires if they have not been inflated in multiple years
Besides the up and down quark, what other quarks are present in daily matter around us?
What word means "to make something obsolete"?
Is Jon mad at Ghost for some reason and is that why he won't acknowledge him?
In Avengers 1, why does Thanos need Loki?
What is the unit of the area when geometry attributes are calculated in QGIS?
When and why did journal article titles become descriptive, rather than creatively allusive?
Is there a legal ground for stripping the UK of its UN Veto if Scotland and/or N.Ireland split from the UK?
Is induction neccessary for proving that every injective mapping of a finite set into itself is a mapping onto itself?
Should one double the thirds or the fifth in chords?
Reconstruct a matrix from its traces
Logrotate and “insecure permissions”: What can actually go wrong?
What is the difference between double and single square brackets in bash?Logrotate and Open FilesApache, logerror and logrotate: what is the best method?Apache, and logrotate instancesHow can I monitor what logrotate is doing?What permissions should my website files/folders have on a Linux webserver?logrotate daily and size?What actually calls logrotate in CentOS 6.3SELinux permissions for LogRotate and ApacheConflicting Logrotate Permissions
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
Logrotate complained to me this morning that it would not rotate some logs because their parent directory is writeable by someone else than root. The man page states I can make the error message go away by adding the "su" directive which makes logrotate drop root privileges when rotating that specific logfile. So far, so good.
What I wonder is (and the manpage is silent about it), how could a malicious user exploit logrotate if it would not take this precaution? As long as logrotate's configuration can only be altered by root (well, the configuration for logrotate that is triggered by cron and runs as root), an attacker cannot make logrotate touch arbitrary files, and I would assume logrotate does not touch symlinks?
linux logrotate
asked Apr 23 at 7:49
SimonSimon
1337
add a comment |
Logrotate complained to me this morning that it would not rotate some logs because their parent directory is writeable by someone else than root. The man page states I can make the error message go away by adding the "su" directive which makes logrotate drop root privileges when rotating that specific logfile. So far, so good.
What I wonder is (and the manpage is silent about it), how could a malicious user exploit logrotate if it would not take this precaution? As long as logrotate's configuration can only be altered by root (well, the configuration for logrotate that is triggered by cron and runs as root), an attacker cannot make logrotate touch arbitrary files, and I would assume logrotate does not touch symlinks?
linux logrotate
asked Apr 23 at 7:49
SimonSimon
1337
add a comment |
Logrotate complained to me this morning that it would not rotate some logs because their parent directory is writeable by someone else than root. The man page states I can make the error message go away by adding the "su" directive which makes logrotate drop root privileges when rotating that specific logfile. So far, so good.
What I wonder is (and the manpage is silent about it), how could a malicious user exploit logrotate if it would not take this precaution? As long as logrotate's configuration can only be altered by root (well, the configuration for logrotate that is triggered by cron and runs as root), an attacker cannot make logrotate touch arbitrary files, and I would assume logrotate does not touch symlinks?
linux logrotate
asked Apr 23 at 7:49
SimonSimon
1337
Logrotate complained to me this morning that it would not rotate some logs because their parent directory is writeable by someone else than root. The man page states I can make the error message go away by adding the "su" directive which makes logrotate drop root privileges when rotating that specific logfile. So far, so good.
What I wonder is (and the manpage is silent about it), how could a malicious user exploit logrotate if it would not take this precaution? As long as logrotate's configuration can only be altered by root (well, the configuration for logrotate that is triggered by cron and runs as root), an attacker cannot make logrotate touch arbitrary files, and I would assume logrotate does not touch symlinks?
linux logrotate
linux logrotate
asked Apr 23 at 7:49
SimonSimon
1337
asked Apr 23 at 7:49
SimonSimon
1337
asked Apr 23 at 7:49
SimonSimon
1337
asked Apr 23 at 7:49
SimonSimon
1337
asked Apr 23 at 7:49
SimonSimon
1337
1337
add a comment |
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f964165%2flogrotate-and-insecure-permissions-what-can-actually-go-wrong%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f964165%2flogrotate-and-insecure-permissions-what-can-actually-go-wrong%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
