
Bug 155453

Summary: app-admin/logrotate-3.7.1-r2 - logrotate-3.7.1-no-tmpdir.patch breaks functionality
Product: Gentoo Linux
Reporter: Benjamin Charron <bcharron>
Component: New packages
Assignee: Daniel Gryniewicz (RETIRED) <dang>
Status: RESOLVED NEEDINFO    
Severity: minor    
Priority: Lowest    
Version: 2006.1   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Benjamin Charron 2006-11-16 23:04:47 UTC
The patch "logrotate-3.7.1-no-tmpdir.patch", which is part of the ebuild for app-admin/logrotate-3.7.1-r2, gets rid of a subtle mkstemp() security risk by sending the script to execute directly to "/bin/sh -c", therefore completely bypassing the temp file.

However, it also breaks an undocumented feature that allows the user to pass the name of the log being rotated to prerotate / postrotate scripts. This is very useful if you have a config like this one:

/var/log/http/*/access.log {
     daily
     compress
     rotate 15
     prerotate
           /usr/local/sbin/analyze-apache-log "$1"
     endscript
}

The workaround is having a separate config for each log file, but it's more painful to maintain :-(

The easiest patch I can think of at this time would be adding this line right before execl("/bin/bash"), in runScript() (logrotate.c:102 with all patches applied):

setenv("LOGROTATE_FILE", logfn, 1);

(Though the overwrite flag might be better set to 0 in order to prevent breaking things in the remote chance of someone already using that variable!)

The patch is evil too because it creates a Gentoo-centric feature (unless it's sent upstream too), but at least it preserves the (IMHO) useful functionality.
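An added example, not part of the original report and not logrotate's own code: a sketch of running a prerotate script through "/bin/sh -c" with no temp file while still giving it the log name, both as "$1" (arguments after the script text become $0 and $1) and as the LOGROTATE_FILE variable proposed above. The function name run_script, the "logrotate_script" label and the sample path are assumptions made for illustration.

```c
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for logrotate's runScript(): runs `script` for the
 * log file `logfn` without writing the script to a temp file.
 * Returns the script's exit status, or -1 if it could not be run. */
int run_script(const char *script, const char *logfn)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Variant proposed in the report: export the name to the script. */
        if (setenv("LOGROTATE_FILE", logfn, 1) != 0)
            _exit(127);
        /* With sh -c, the argument after the script text becomes $0 and
         * the next one becomes $1. The file name is passed as data and is
         * never pasted into the script text, so spaces or shell
         * metacharacters in it are not interpreted. */
        execl("/bin/sh", "sh", "-c", script, "logrotate_script", logfn,
              (char *)NULL);
        _exit(127); /* only reached if execl() failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample path; the space checks that "$1" stays one word. */
    const char *logfn = "/var/log/http/example site/access.log";

    /* Prints the path twice: once from "$1", once from the environment. */
    int rc = run_script("printf '%s\\n' \"$1\" \"$LOGROTATE_FILE\"", logfn);
    return rc == 0 ? 0 : 1;
}
```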
Comment 1 Benjamin Charron 2006-11-16 23:07:14 UTC
Changed priority to uber-low
Comment 2 Daniel Gryniewicz (RETIRED) gentoo-dev 2009-03-10 02:25:29 UTC
Does this work on 3.7.8?