From addbd293242b0b78aa54f054e6c1d249451f137d Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Wed, 25 May 2022 09:55:02 +0200
Subject: [PATCH] drop world-readable permission on state file
... even when ACLs are enabled. This is a follow-up to the fix
of CVE-2022-1348. It has no impact on security but makes the state
file locking work again in more cases.
Closes: https://github.com/logrotate/logrotate/pull/446
---
logrotate.c | 10 +++++++---
test/test-0048.sh | 1 +
2 files changed, 8 insertions(+), 3 deletions(-)
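--- a/logrotate.c
+++ b/logrotate.c
@@ -2514,6 +2514,7 @@ static int writeState(const char *stateF
 struct tm now;
 time_t now_time, last_time;
 char *prevCtx;
+ int force_mode = 0;
 
 localtime_r(&nowSecs, &now);
 
@@ -2582,9 +2583,13 @@ static int writeState(const char *stateF
 close(fdcurr);
 
 /* drop world-readable flag to prevent others from locking */
- sb.st_mode &= ~(mode_t)S_IROTH;
+ if (sb.st_mode & (mode_t)S_IROTH) {
+ /* drop world-readable flag to prevent others from locking */
+ sb.st_mode &= ~(mode_t)S_IROTH;
+ force_mode = 1;
+ }
 
- fdsave = createOutputFile(tmpFilename, O_RDWR | O_CREAT | O_TRUNC, &sb, prev_acl, 0);
+ fdsave = createOutputFile(tmpFilename, O_RDWR | O_CREAT | O_TRUNC, &sb, prev_acl, force_mode);
 #ifdef WITH_ACL
 if (prev_acl) {
 acl_free(prev_acl);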
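Review bot: The comment `/* drop world-readable flag to prevent others from locking */` now appears twice in the second hunk, once as context above the new `if` and once inside it. Keep one copy and use the other spot to say why `force_mode` is set, for example `/* force the mode from sb even when an ACL is copied, otherwise S_IROTH may survive */`. createOutputFile() is not visible here, so that wording assumes its last argument makes the mode in `sb` take effect despite `prev_acl`; confirm against its definition. Only the other-class read bit is tested and cleared, so named ACL entries carried in `prev_acl` are untouched by this hunk and principals granted read that way presumably can still open and lock the state file, which the comment could state explicitly. writeState() begins and ends outside both hunks.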
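--- a/test/test-0048.sh
+++ b/test/test-0048.sh
@@ -18,6 +18,7 @@ cat > state << EOF
 logrotate state -- version 2
 EOF
 
+chmod 0640 state
 setfacl -m u:nobody:rwx state
 
 $RLR test-config.48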
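Review bot: With `chmod 0640 state` the fixture no longer has the other-read bit, so as far as this hunk shows the test never takes the new `force_mode = 1` branch in writeState(), which is the case the commit is about (a world-readable state file that also carries an ACL). Consider a companion case that uses `chmod 0644 state` before the `setfacl` call and afterwards checks that the rewritten state file has lost other-read, for example by comparing the output of `stat -c %a state` with the expected mode. The checks that follow `$RLR test-config.48` are outside the hunk, so an existing assertion there may already cover part of this.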