Bug 375041 - app-backup/tsm-6.2.2.0-r1 and app-admin/logrotate-3.8.0: missing su config option
Summary: app-backup/tsm-6.2.2.0-r1 and app-admin/logrotate-3.8.0: missing su config op...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal, 1 vote
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
Depends on: 390581
Reported: 2011-07-13 07:49 UTC by Martin von Gagern
Modified: 2012-05-14 16:12 UTC (History)
Description Martin von Gagern 2011-07-13 07:49:00 UTC
tsm 6.2.2.0-r1 and logrotate-3.8.0 don't like one another:

error: skipping "/var/log/tsm/dsmerror.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

Same message for dsmj.log, dsmsched.log and dsmwebcl.log.

I guess the correct fix would be:
1. Add the following line to ${FILESDIR}/tsm.logrotate:
   su root tsm
2. Revbump the package in order to trigger updates

I must confess, though, that I don't fully understand why this is a security issue at all. As an alternative, one might consider dropping this line from the ebuild:
fowners :tsm /var/log/tsm

Not sure about the pros and cons of each approach.
Comment 1 Daniel Gryniewicz (RETIRED) gentoo-dev 2011-07-13 19:05:30 UTC
I'm not sure it is a security issue, but upstream thought it was enough of one to necessitate this change.  The relevant bug for Gentoo is https://bugs.gentoo.org/show_bug.cgi?id=372973

Either of those solutions would work, assuming the logs in /var/log/tsm can, in fact, be written without group ownership.  Otherwise the su line is necessary.
Comment 2 Martin von Gagern 2011-07-13 19:58:14 UTC
Thanks, the pointer to bug #372973 clarifies the security implications and possible attack scenario. Not sure what you mean by "assuming the logs can be written without group ownership". The log FILES have to be writable by the group, but I was considering having the DIRECTORY not writable by said group.

In my opinion, the dir could be owned by root:root. That way, users in the tsm group could still write to the existing files (both the ebuild and logrotate ensure they exist with proper permissions), but could not create any new files or, more importantly, symlinks.

Downside of the change to dir ownership is that you'd have to adjust the list of existing logs if IBM decides to add new log files in a future version. And due to bug #141619 we'd have to adjust existing permissions in pkg_postinst or similar, as a simple removal of the fowners line won't affect updates.

For these two reasons, the "su" solution would be easier than the "directory group root" solution. But in the way stated above, it would be a security problem, as the log swapping would still be executed as root, albeit with a different gid. To be safe, the line should not only set the group to "tsm" but the user to something that doesn't harm the system. I guess the rotated logfiles as well as the newly created ones would be owned by that user, though, so the result would look somewhat ugly in the log dir listing unless we introduce a tsm user for just this single reason.
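The two fixes weighed in the comments above (a `su root tsm` line in tsm.logrotate versus taking group write away from /var/log/tsm) come down to one check logrotate runs on a log's parent directory. The following is an added example written for this page, not logrotate's code or anything from the tsm ebuild: it reimplements the rule the quoted error message describes (skip when the parent directory is world-writable, or group-writable and owned by a group other than the one rotation runs as, gid 0 unless `su` says otherwise), parses a minimal `su` directive, and runs both fixes against a real temporary directory. The name-to-id lookup callbacks and the group ids used in `demo()` are constructed so it runs on a machine with no tsm user or group; the symlink attack referenced via bug #372973 is not modelled.

```python
"""Model of the parent-directory check that logrotate 3.8.0 applies before
rotating a log, and how the "su" directive changes its outcome.

Added example, not logrotate's own code or the tsm ebuild's. The rule
encoded here (refuse when the parent directory is world-writable, or
group-writable and owned by a group other than the one rotation runs as,
gid 0 unless "su" says otherwise) is a reimplementation of what the error
message quoted in the bug describes. The lookup callbacks and the group ids
used in demo() are constructed so the code runs without a tsm group.
"""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class SuDirective:
    """Identity rotation runs as; uid/gid 0 when no 'su' line is present."""
    uid: int = 0
    gid: int = 0


def parse_su(config_text, lookup_uid, lookup_gid):
    """Find a 'su <user> <group>' line in a logrotate config fragment.

    lookup_uid/lookup_gid map names to ids and are injected (an assumption
    of this example) so the code does not need a real 'tsm' group.
    """
    su = SuDirective()
    for line in config_text.splitlines():
        words = line.split('#', 1)[0].split()
        if len(words) == 3 and words[0] == 'su':
            su = SuDirective(lookup_uid(words[1]), lookup_gid(words[2]))
    return su


def parent_dir_problem(mode, dir_gid, su):
    """Return None if rotation may proceed, else why the log is skipped."""
    if mode & stat.S_IWOTH:
        return 'world writable'
    if mode & stat.S_IWGRP and dir_gid != su.gid:
        return 'writable by group %d, which is not the rotation group %d' % (
            dir_gid, su.gid)
    return None


def check_log(path, su=None):
    """Stat the log's parent directory and apply parent_dir_problem()."""
    su = su or SuDirective()
    parent = os.path.dirname(os.path.abspath(path))
    st = os.stat(parent)
    return parent_dir_problem(st.st_mode, st.st_gid, su)


def demo():
    """Run the cases discussed in the bug against a real temporary directory.

    Returns a dict of case name -> result of check_log().
    """
    results = {}
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, 'dsmerror.log')
        open(log, 'w').close()
        tsm_gid = os.stat(d).st_gid               # stands in for the tsm group
        root_like = SuDirective(0, tsm_gid + 1)   # rotation identity whose gid is not tsm's

        # 1. /var/log/tsm owned root:tsm and group-writable, no "su": skipped.
        os.chmod(d, 0o775)
        results['group_writable_no_su'] = check_log(log, root_like)

        # 2. Same directory, "su root tsm" in tsm.logrotate: rotation proceeds.
        su = parse_su('su root tsm\n', lambda user: 0, lambda group: tsm_gid)
        results['group_writable_with_su'] = check_log(log, su)

        # 3. Directory owned root:root and not group-writable: proceeds without "su".
        os.chmod(d, 0o755)
        results['dir_not_group_writable'] = check_log(log, root_like)

        # 4. World-writable directory: refused no matter what "su" says.
        os.chmod(d, 0o777)
        results['world_writable'] = check_log(log, su)
    return results


if __name__ == '__main__':
    for case, problem in demo().items():
        print('%-24s %s' % (case, 'rotate' if problem is None else 'skip: ' + problem))
```

Cases 2 and 3 both pass the check, which is the point of comment 2: `su root tsm` satisfies logrotate by matching the directory's group, but the rotation still runs with uid 0, whereas a root:root directory without group write removes the condition instead of declaring it acceptable.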
Comment 3 Pacho Ramos gentoo-dev 2012-05-14 16:12:31 UTC
+*tsm-6.3.0.5 (14 May 2012)
+*tsm-6.3.0.0 (14 May 2012)
+
+  14 May 2012; Pacho Ramos <pacho@gentoo.org> +tsm-6.3.0.0.ebuild,
+  +tsm-6.3.0.5.ebuild, files/dsmc.conf.d, files/dsmc.init.d,
+  files/dsmcad.init.d, files/tsm.logrotate, metadata.xml, tsm-6.2.2.0-r1.ebuild:
+  Version bump (#390581) that also fixes logrotate config file (#375041), thanks
+  a lot to Martin von Gagern that also becomes maintainer with me as proxy.
+
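Review bot: the entry says the version bump "also fixes logrotate config file (#375041)" but does not say what changed in files/tsm.logrotate. Since the bug weighs `su root tsm` against dropping group ownership of /var/log/tsm, and comment 2 notes that the `su` line still runs rotation as root, the ChangeLog line should name the directive or ownership change that was adopted so the closed bug records which of the two approaches was taken.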