The patch "logrotate-3.7.1-no-tmpdir.patch", which is part of the ebuild for app-admin/logrotate-3.7.1-r2, gets rid of a subtle mkstemp() security risk by sending the script to execute directly to "/bin/sh -c", therefore completely bypassing the temp file.

However, it also breaks an undocumented feature that allows the user to pass the name of the log being rotated to prerotate / postrotate scripts. This is very useful if you have a config like this one:

    /var/log/http/*/access.log {
        daily
        compress
        rotate 15
        prerotate
            /usr/local/sbin/analyze-apache-log "$1"
        endscript
    }

The workaround is having a separate config for each log file, but it's more painful to maintain :-(

The easiest patch I can think of at this time would be adding this line right before execl("/bin/bash"), in runScript() (logrotate.c:102 with all patches applied):

    setenv("LOGROTATE_FILE", logfn, 1);

(Though the overwrite flag might be better set to 0 in order to prevent breaking things in the remote chance of someone already using that variable!)

The patch is evil too because it creates a Gentoo-centric feature (unless it's sent upstream too), but at least it preserves the (IMHO) useful functionality.
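The following C program is an added example, not part of the report above and not logrotate's code. It runs a script through "/bin/sh -c" with no temp file and shows that words placed after the -c script become $0 and $1, so "$1" can be kept alongside a LOGROTATE_FILE variable set with overwrite 0. The helper name run_script and the sample log path are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not logrotate's runScript): runs `script` via /bin/sh -c
 * with no temp file, captures stdout in `out`, returns exit status or -1. */
int run_script(const char *script, const char *logfn, char *out, size_t outlen)
{
    int fds[2], status;
    size_t used = 0;
    ssize_t n;
    pid_t pid;

    if (outlen == 0 || pipe(fds) < 0)
        return -1;
    if ((pid = fork()) < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        /* overwrite=0: an already exported LOGROTATE_FILE is left untouched */
        setenv("LOGROTATE_FILE", logfn, 0);
        /* words after the -c script: first becomes $0, logfn becomes $1 */
        execl("/bin/sh", "sh", "-c", script, "logrotate_script", logfn, (char *)NULL);
        _exit(127);
    }
    close(fds[1]);
    while (used < outlen - 1 && (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char buf[256];
    /* constructed sample path; the space shows why "$1" must stay quoted */
    int rc = run_script("printf '%s|%s' \"$1\" \"$LOGROTATE_FILE\"",
                        "/var/log/http/site a/access.log", buf, sizeof buf);
    printf("rc=%d out=%s\n", rc, buf);
    return rc;
}
```

Because the log name travels as an argument and an environment value, it is never spliced into the script text, so a path containing spaces or shell metacharacters is not reinterpreted by the shell.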
Changed priority to uber-low
Does this work on 3.7.8?