FreeBSD Bugzilla – Attachment 90145 Details for
Bug 127255
[PATCH,SECURITY] security/logcheck: fix security concern about instruction in pkg-message
patch-logcheck
patch-logcheck (text/plain), 6.97 KB, created by
Yasuhiro Kimura
on 2008-09-09 21:20:02 UTC
Description:
patch-logcheck
Creator:
Yasuhiro Kimura
Created:
2008-09-09 21:20:02 UTC
Size:
6.97 KB
>Index: Makefile
>===================================================================
>RCS file: /usr1/freebsd/cvsroot/ports/security/logcheck/Makefile,v
>retrieving revision 1.22
>diff -u -r1.22 Makefile
>--- Makefile 8 Sep 2008 20:09:59 -0000 1.22
>+++ Makefile 9 Sep 2008 18:53:48 -0000
>@@ -7,10 +7,10 @@
> 
> PORTNAME= logcheck
> PORTVERSION= 1.2.54
>-PORTREVISION= 1
>+PORTREVISION= 2
> CATEGORIES= security
>-MASTER_SITES= ftp://ftp.debian.org/debian/pool/main/l/logcheck/ \
>- http://ftp.de.debian.org/debian/pool/main/l/logcheck/
>+MASTER_SITES= ${MASTER_SITE_DEBIAN}
>+MASTER_SITE_SUBDIR= pool/main/l/logcheck
> DISTNAME= ${PORTNAME}_${PORTVERSION}
> 
> MAINTAINER= glarkin@FreeBSD.org
>@@ -18,8 +18,8 @@
> 
> BUILD_DEPENDS= docbook-to-man:${PORTSDIR}/textproc/docbook-to-man
> RUN_DEPENDS= lockfile:${PORTSDIR}/mail/procmail \
>- bash:${PORTSDIR}/shells/bash \
>- perl:${PORTSDIR}/lang/perl5
>+ bash:${PORTSDIR}/shells/bash
>+USE_PERL5= yes
> 
> WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}
> BINMODE= 755
>@@ -33,6 +33,9 @@
> 
> LOGCHECK_USER= logcheck
> LOGCHECK_GROUP= ${LOGCHECK_USER}
>+LOGCHECK_UID= 915
>+LOGCHECK_GID= 915
>+SUB_LIST+= LOGCHECK_USER=${LOGCHECK_USER} LOGCHECK_GROUP=${LOGCHECK_GROUP} LOGCHECK_UID=${LOGCHECK_UID} LOGCHECK_GID=${LOGCHECK_GID}
> 
> do-build:
> ${REINPLACE_CMD} -e 's!/var/log/syslog!/var/log/messages!' \
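Review bot: `LOGCHECK_UID= 915` and `LOGCHECK_GID= 915` in the `@@ -33,6 +33,9 @@` hunk pin the account to fixed ids, but nothing in this patch shows 915 being reserved in the ports tree's UID/GID registry. If either id is already taken on a host, the `pw group add ... -g $gid` and `pw user add ... -u $uid` calls in files/pkg-install.in would presumably fail, and that script prints its "Created" message without checking the exit status, so the port would go on to `${CHOWN}` to an account that may not exist. I would add a comment above the two assignments, for example `# Fixed ids so ownership of /var/db/logcheck is stable across hosts; keep in sync with the ports UID/GID registry`, and confirm the reservation is part of the same submission.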
>@@ -46,11 +49,13 @@
> ${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck ${PREFIX}/sbin
> ${INSTALL_SCRIPT} ${WRKSRC}/src/logtail ${PREFIX}/sbin
> @PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL
>- @${INSTALL} -d /var/lib/logcheck
>+ @${INSTALL} -d /var/db/logcheck
> @${INSTALL} -d /var/run/logcheck
>- ${CHOWN} ${LOGCHECK_USER}:${LOGCHECK_GROUP} /var/lib/logcheck
>+ ${CHOWN} ${LOGCHECK_USER}:${LOGCHECK_GROUP} /var/db/logcheck
> @${ECHO_CMD} '@exec ${CHOWN} -R ${LOGCHECK_USER}:${LOGCHECK_GROUP} \
>- /var/lib/logcheck' >> ${TMPPLIST}
>+ /var/db/logcheck' >> ${TMPPLIST}
>+ ${CHMOD} 700 /var/db/logcheck
>+ @${ECHO_CMD} '@exec ${CHMOD} 700 /var/db/logcheck' >> ${TMPPLIST}
> ${CHOWN} ${LOGCHECK_USER}:${LOGCHECK_GROUP} /var/run/logcheck
> @${ECHO_CMD} '@exec ${CHOWN} -R ${LOGCHECK_USER}:${LOGCHECK_GROUP} \
> /var/run/logcheck' >> ${TMPPLIST}
>Index: pkg-plist
>===================================================================
>RCS file: /usr1/freebsd/cvsroot/ports/security/logcheck/pkg-plist,v
>retrieving revision 1.10
>diff -u -r1.10 pkg-plist
>--- pkg-plist 8 Sep 2008 20:09:59 -0000 1.10
>+++ pkg-plist 9 Sep 2008 18:30:10 -0000
>@@ -182,7 +182,7 @@
> @dirrm %%ETCDIR%%/ignore.d.paranoid
> @dirrm %%ETCDIR%%/cracking.d
> @dirrm %%ETCDIR%%
>-@exec mkdir -p /var/lib/logcheck
>-@unexec rm -rf /var/lib/logcheck 2> /dev/null || true
>+@exec mkdir -p /var/db/logcheck
>+@dirrmtry /var/db/logcheck
> @exec mkdir -p /var/run/logcheck
>-@unexec rm -rf /var/run/logcheck 2> /dev/null || true
>+@dirrmtry /var/run/logcheck
>Index: files/patch-src__logcheck
>===================================================================
>RCS file: /usr1/freebsd/cvsroot/ports/security/logcheck/files/patch-src__logcheck,v
>retrieving revision 1.1
>diff -u -r1.1 patch-src__logcheck
>--- files/patch-src__logcheck 7 Sep 2008 01:31:56 -0000 1.1
>+++ files/patch-src__logcheck 9 Sep 2008 18:40:54 -0000
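Review bot: In the Makefile's `@@ -46,11 +49,13 @@` hunk, `/var/db/logcheck` is first created by `@${INSTALL} -d` with the default owner and mode and only afterwards tightened by separate `${CHOWN}` and `${CHMOD} 700` steps. Creating it with its final attributes in one step, `@${INSTALL} -d -o ${LOGCHECK_USER} -g ${LOGCHECK_GROUP} -m 700 /var/db/logcheck`, leaves no interval with looser permissions and is easier to keep in step with the `@exec` lines written to `${TMPPLIST}`. `/var/run/logcheck` keeps its default mode in this hunk; if that is deliberate, a one-line comment such as `# run dir holds only the lock file, default mode is intended` would record it. The install target starts and ends outside the hunk.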
>@@ -1,5 +1,5 @@
>---- ./src/logcheck.orig 2007-01-16 01:13:27.000000000 -0500
>-+++ ./src/logcheck 2008-09-06 19:11:28.000000000 -0400
>+--- src/logcheck.orig 2007-01-16 15:13:27.000000000 +0900
>++++ src/logcheck 2008-09-10 03:39:45.000000000 +0900
> @@ -1,4 +1,4 @@
> -#!/bin/bash
> +#!/usr/local/bin/bash
>@@ -32,19 +32,20 @@
> # Set the default paths
> -RULEDIR="/etc/logcheck"
> -CONFFILE="/etc/logcheck/logcheck.conf"
>-+RULEDIR="/usr/local/etc/logcheck"
>-+CONFFILE="/usr/local/etc/logcheck/logcheck.conf"
>- STATEDIR="/var/lib/logcheck"
>+-STATEDIR="/var/lib/logcheck"
> -LOGFILES_LIST="/etc/logcheck/logcheck.logfiles"
> -LOGFILE_FALLBACK="/var/log/syslog"
> -LOGTAIL="/usr/sbin/logtail"
>++RULEDIR="/usr/local/etc/logcheck"
>++CONFFILE="/usr/local/etc/logcheck/logcheck.conf"
>++STATEDIR="/var/db/logcheck"
> +LOGFILES_LIST="/usr/local/etc/logcheck/logcheck.logfiles"
> +LOGFILE_FALLBACK="/var/log/messages"
> +LOGTAIL="/usr/local/sbin/logtail"
> CAT="/bin/cat"
> SYSLOG_SUMMARY="/usr/bin/syslog-summary"
> 
>-@@ -87,20 +80,15 @@
>+@@ -87,26 +80,21 @@
> SORTUNIQ=0
> SUPPORT_CRACKING_IGNORE=0
> SYSLOGSUMMARY=0
>@@ -69,6 +70,13 @@
> fi
> 
> if [ -d $TMPDIR ]; then
>+ # Remove the tmp directory
>+ if [ $NOCLEANUP -eq 0 ];then
>+- cd /var/lib/logcheck
>++ cd /var/db/logcheck
>+ debug "cleanup: Removing - $TMPDIR"
>+ rm -r $TMPDIR
>+ else
> @@ -142,14 +130,9 @@
> if [ "$2" = "noclean" ]; then
> debug "error: Not removing lockfile"
>Index: files/pkg-deinstall.in
>===================================================================
>RCS file: /usr1/freebsd/cvsroot/ports/security/logcheck/files/pkg-deinstall.in,v
>retrieving revision 1.1
>diff -u -r1.1 pkg-deinstall.in
>--- files/pkg-deinstall.in 7 Sep 2008 01:31:56 -0000 1.1
>+++ files/pkg-deinstall.in 9 Sep 2008 18:04:41 -0000
>@@ -1,7 +1,7 @@
> #!/bin/sh
> 
>-user="logcheck"
>-group="logcheck"
>+user="%%LOGCHECK_USER%%"
>+group="%%LOGCHECK_GROUP%%"
> configfiles="logcheck.conf logcheck.logfiles"
> 
> case $2 in
>Index: files/pkg-install.in
>===================================================================
>RCS file: /usr1/freebsd/cvsroot/ports/security/logcheck/files/pkg-install.in,v
>retrieving revision 1.1
>diff -u -r1.1 pkg-install.in
>--- files/pkg-install.in 7 Sep 2008 01:31:56 -0000 1.1
>+++ files/pkg-install.in 9 Sep 2008 18:30:32 -0000
>@@ -1,9 +1,11 @@
> #!/bin/sh
> 
>-user="logcheck"
>-group="logcheck"
>+user="%%LOGCHECK_USER%%"
>+uid="%%LOGCHECK_UID%%"
>+group="%%LOGCHECK_GROUP%%"
>+gid="%%LOGCHECK_GID%%"
> descr="Logcheck system account"
>-homedir="/var/lib/logcheck"
>+homedir="/var/db/logcheck"
> shell="/usr/bin/false"
> configfiles="logcheck.conf logcheck.logfiles"
> 
>@@ -12,13 +14,13 @@
> if pw group show ${group} > /dev/null 2>&1; then
> echo "---> You already have a group \"${group}\", so I will use it."
> else
>- pw group add "${group}"
>+ pw group add "${group}" -g $gid
> echo "---> Created group \"${group}\"."
> fi
> if pw user show ${user} > /dev/null 2>&1; then
> echo "---> You already have a user \"${user}\", so I will use it."
> else
>- pw user add -n logcheck -c "${descr}" -d "${homedir}" -s "${shell}" -g logcheck -G wheel
>+ pw user add -n logcheck -u $uid -c "${descr}" -d "${homedir}" -s "${shell}" -g logcheck
> echo "---> Created user \"${user}\"."
> fi
> ;;
>Index: files/pkg-message.in
>===================================================================
>RCS file: /usr1/freebsd/cvsroot/ports/security/logcheck/files/pkg-message.in,v
>retrieving revision 1.1
>diff -u -r1.1 pkg-message.in
>--- files/pkg-message.in 7 Sep 2008 01:31:56 -0000 1.1
>+++ files/pkg-message.in 9 Sep 2008 18:09:14 -0000
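Review bot: Dropping `-G wheel` in the `@@ -12,13 +14,13 @@` hunk of files/pkg-install.in only changes the branch that creates the account. On a host where the previous revision already ran, the `pw user show ${user}` branch prints "so I will use it" and the existing logcheck user keeps its wheel membership and its old home directory. The script should remove that membership when it finds a pre-existing account, or pkg-message should tell administrators to remove it by hand after upgrading. The new line also still hard-codes `-n logcheck` and `-g logcheck` although the header now takes the names from `%%LOGCHECK_USER%%` and `%%LOGCHECK_GROUP%%`; `pw user add -n "${user}" -u "${uid}" -c "${descr}" -d "${homedir}" -s "${shell}" -g "${group}"` keeps the check and the creation in step and quotes the ids. The enclosing `case` arm begins outside the hunk.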
>@@ -3,7 +3,7 @@
> 
> %%PREFIX%%/etc/logcheck/logcheck.logfiles
> 
>-are readable to 'wheel' group (see also /etc/newsyslog.conf), or remove
>+are readable to '%%LOGCHECK_GROUP%%' group (see also /etc/newsyslog.conf), or remove
> them from the aforementioned logcheck configuration file.
> 
> For information on how to write local rulesets see