oss-security - Re: CVE Request -- logrotate -- nine issues

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Mon, 7 Mar 2011 12:54:19 +0000
From: Paul Martin <pm@...ian.org>
To: Jan Kaluža <jkaluza@...hat.com>
Cc: Solar Designer <solar@...nwall.com>, oss-security@...ts.openwall.com,
	"Steven M. Christey" <coley@...us.mitre.org>,
	Stefan Fritsch <sf@...itsch.de>, Florian Zumbiehl <florz@...rz.de>,
	Petr Uzel <petr.uzel@...e.cz>, Thomas Biege <thomas@...e.de>
Subject: Re: CVE Request -- logrotate -- nine issues

On Mon, Mar 07, 2011 at 01:21:05PM +0100, Jan Kaluža wrote:

> I think logrotate should skip rotation of files in unsafe
> directories and show error message instead. Logrotate should also
> contain something like "--force" switch (this name is already used,
> so we have to find better one, but I don't have anything better in
> mind just now). With this switch logrotate should *not* skip unsafe
> directories and rotate them as it currently does, but show the error
> message. Basically it allows backward compatibility.

"--override-unsafe-directory-check" perhaps?  Make it a long option,
so that there is no doubt that the user is doing something that's
potentially dangerous.

(I am following this discussion with great interest.)

-- 
Paul Martin <pm@...ian.org>

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.