The logrotate file installed by the munin package contains the copytruncate option for /var/log/munin/munin-node.log. This is unnecessary, as the postrotate command makes sure munin-node gets restarted after rotating the config. This has a security-relevant side effect. The logrotate file also contains "create 640 root root", which would seem like the logfiles are created with pretty secure permissions (and may make an admin believe so). However, copytruncate overrides this and the logfile ends up being world-readable. Therefore, please remove the copytruncate setting.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3329ffa99c4506cf3bf67152d2171b996c4bc19

commit e3329ffa99c4506cf3bf67152d2171b996c4bc19
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-07-31 00:41:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-07-31 00:42:17 +0000

    net-analyzer/munin: fix logrotate file (drop copytruncate)

    hanno@ reported a potential security issue caused by copytruncate,
    which we can avoid using because of the postrotate option.

    Closes: https://bugs.gentoo.org/748948
    Signed-off-by: Sam James <sam@gentoo.org>

 net-analyzer/munin/files/logrotate.d-munin.3                          | 1 -
 net-analyzer/munin/{munin-2.0.66-r1.ebuild => munin-2.0.66-r2.ebuild} | 0
 net-analyzer/munin/{munin-2.0.67-r2.ebuild => munin-2.0.67-r4.ebuild} | 0
 net-analyzer/munin/{munin-2.0.67-r3.ebuild => munin-2.0.67-r5.ebuild} | 0
 4 files changed, 1 deletion(-)
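An added audit example, not part of the bug report or the Gentoo commit: the Python function below scans logrotate configuration text for stanzas where copytruncate is active together with create, the combination reported above (logrotate's documentation states that create has no effect when copytruncate is used). The sample configuration, the placeholder postrotate body and the function name are constructed for illustration, and the parser assumes the opening brace sits on the same line as the log path.

```python
# Constructed sample config; the packaged munin file is not shown in the report.
SAMPLE = """\
/var/log/munin/munin-node.log {
    copytruncate
    create 640 root root
    postrotate
        true  # placeholder for the restart command
    endscript
}
/var/log/example/app.log {
    create 640 root root
}
"""

SCRIPT_OPENERS = {"prerotate", "postrotate", "firstaction", "lastaction", "preremove"}

def find_ineffective_create(config_text):
    """Return (paths, create_args) per stanza where copytruncate nullifies create."""
    findings, in_script = [], False
    global_opts, opts, paths = {}, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if in_script:                       # skip shell lines up to endscript
            in_script = line != "endscript"
            continue
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):              # assumes "path ... {" on one line
            paths = line[:-1].split()
            opts = dict(global_opts)        # stanzas inherit global directives
            continue
        if line == "}":
            if opts and opts.get("copytruncate") and opts.get("create"):
                findings.append((paths, opts["create"]))
            opts = paths = None
            continue
        parts = line.split(None, 1)
        word, rest = parts[0], parts[1] if len(parts) > 1 else ""
        target = global_opts if opts is None else opts
        if word in SCRIPT_OPENERS:
            in_script = True
        elif word in ("copytruncate", "create"):
            target[word] = rest or True
        elif word in ("nocopytruncate", "nocreate"):
            target[word[2:]] = False        # explicit override turns it off
    return findings

for paths, create_args in find_ineffective_create(SAMPLE):
    print(f"{' '.join(paths)}: 'create {create_args}' is ignored under copytruncate")
```

To audit a host, pass the contents of each file under /etc/logrotate.d/ to the function, then compare the flagged log files' actual modes against what the create line promises.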