From d06a0ed2635bbde9dcc3cb659576ba9f8b12b76f Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 01 2017 03:22:13 +0000
Subject: import logrotate-3.8.6-14.el7
---
diff --git a/SOURCES/logrotate-3.8.6-createolddir.patch b/SOURCES/logrotate-3.8.6-createolddir.patch
new file mode 100644
index 0000000..d82b24f
--- /dev/null
+++ b/SOURCES/logrotate-3.8.6-createolddir.patch
@@ -0,0 +1,88 @@
+From 562a8089369f78cd9a07b41c44a149abf72b02a8 Mon Sep 17 00:00:00 2001
+From: Bertrand Jacquin
+Date: Mon, 19 Sep 2016 02:25:33 +0100
+Subject: [PATCH 1/2] config.c: drop comparison of uid/gid with undetermined
+ values
+
+... loaded from uninitialized stat buffer on the stack of do_mkdir()
+
+If a directory is created (ie createolddir), struct sb must be updated
+in order to get appropriate st_uid and st_gid. Test made later to known
+if chown() should be performed is inadequate since sb is never updated.
+
+As per discussion in https://github.com/logrotate/logrotate/pull/59,
+removing the comparison to unsure newly created directory always get
+owner and group changed.
+
+Before:
+ ./logrotate -f /etc/logrotate.conf
+ uid: 250, sb.st_uid: 250
+ gid: 250, sb.st_gid: 250
+
+After:
+ ./logrotate -f /etc/logrotate.conf
+ uid: 250, sb.st_uid: 0
+ gid: 250, sb.st_gid: 250
+
+Closes #59
+
+Upstream-commit: ae040a55d3a8f2bbce7860415b4ee479a024a334
+Signed-off-by: Kamil Dudka
+---
+ config.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/config.c b/config.c
+index 493f3f7..e692ac9 100644
+--- a/config.c
++++ b/config.c
+@@ -313,8 +313,7 @@ static int do_mkdir(const char *path, mode_t mode, uid_t uid, gid_t gid) {
+ path, strerror(errno));
+ return -1;
+ }
+- if ((uid != sb.st_uid || gid != sb.st_gid) &&
+- chown(path, uid, gid)) {
++ if (chown(path, uid, gid) != 0) {
+ message(MESS_ERROR, "error setting owner of %s to uid %d and gid %d: %s\n",
+ path, uid, gid, strerror(errno));
+ return -1;
+--
+2.7.4
+
+
+From d6962e20c9043152b63df6c1ca1de14161caa725 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Tue, 20 Sep 2016 18:56:24 +0200
+Subject: [PATCH 2/2] config.c: make 'createolddir' preserve sticky bit
+
+After calling chown() to set uid/gid on the created directory, re-apply
+permission bits once again by chmod() because the sticky bit might have
+been cleared by chown().
+
+Upstream-commit: 3c76f48efa0d9d448528af3e40f757654458978c
+Signed-off-by: Kamil Dudka
+---
+ config.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/config.c b/config.c
+index e692ac9..64bb935 100644
+--- a/config.c
++++ b/config.c
+@@ -318,7 +318,12 @@ static int do_mkdir(const char *path, mode_t mode, uid_t uid, gid_t gid) {
+ path, uid, gid, strerror(errno));
+ return -1;
+ }
+- }
++ if (chmod(path, mode) != 0) {
++ message(MESS_ERROR, "error setting permissions of %s to 0%o: %s\n",
++ path, mode, strerror(errno));
++ return -1;
++ }
++ }
+ else if (!S_ISDIR(sb.st_mode)) {
+ message(MESS_ERROR, "path %s already exists, but it is not a directory\n",
+ path);
+--
+2.7.4
+
diff --git a/SOURCES/logrotate-3.8.6-longdate-crash.patch b/SOURCES/logrotate-3.8.6-longdate-crash.patch
new file mode 100644
index 0000000..c49d183
--- /dev/null
+++ b/SOURCES/logrotate-3.8.6-longdate-crash.patch
@@ -0,0 +1,30 @@
+From 1e927a16dcfb3db05b12c4059bcb8f98928baafa Mon Sep 17 00:00:00 2001
+From: jkaluza
+Date: Mon, 16 Feb 2015 07:42:18 +0000
+Subject: [PATCH] Fix crash when using long dateformat [nmerdan]
+
+Upstream-commit: 768b23c0bd94f973abf108f6e2cf4138c426f140
+Signed-off-by: Kamil Dudka
+---
+ logrotate.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/logrotate.c b/logrotate.c
+index 82f561a..2abac3d 100644
+--- a/logrotate.c
++++ b/logrotate.c
+@@ -1233,9 +1233,10 @@ int prerotateSingleLog(struct logInfo *log, int logNum, struct logState *state,
+ }
+ }
+
++ /* adding 2 due to / and \0 being added by snprintf */
+ rotNames->firstRotated =
+ malloc(strlen(rotNames->dirName) + strlen(rotNames->baseName) +
+- strlen(fileext) + strlen(compext) + 30);
++ strlen(fileext) + strlen(compext) + DATEEXT_LEN + 2 );
+
+ if (log->flags & LOG_FLAG_DATEEXT) {
+ /* glob for compressed files with our pattern
+--
+2.7.4
+
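Review bot: Both new calls in do_mkdir() in logrotate-3.8.6-createolddir.patch, `chown(path, uid, gid)` from patch 1/2 and `chmod(path, mode)` from patch 2/2, address the directory by name again after it was created, and chown() follows symbolic links. If the parent of `path` is writable by a user with less privilege than the logrotate process, the name can be replaced between the calls so that owner and mode land on a different object; the creation step lies outside both hunks, so this is inferred from the function name and the commit message. Opening the new directory once with `O_DIRECTORY | O_NOFOLLOW` and applying `fchown()`/`fchmod()` to the descriptor closes that window, as sketched below. Separately, `uid` and `gid` are printed with `%d` although uid_t and gid_t are usually unsigned; a cast to `unsigned` with `%u` would match.

```c
    /* … unchanged: directory creation and its error path (outside the hunk) … */
    int dfd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) {
        message(MESS_ERROR, "error opening %s: %s\n", path, strerror(errno));
        return -1;
    }
    if (fchown(dfd, uid, gid) != 0) {
        message(MESS_ERROR, "error setting owner of %s to uid %d and gid %d: %s\n",
                path, uid, gid, strerror(errno));
        close(dfd);
        return -1;
    }
    /* re-apply the mode after the ownership change, as patch 2/2 does */
    if (fchmod(dfd, mode) != 0) {
        message(MESS_ERROR, "error setting permissions of %s to 0%o: %s\n",
                path, mode, strerror(errno));
        close(dfd);
        return -1;
    }
    close(dfd);
    /* … unchanged: else-if branch for an existing non-directory path … */
```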
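Review bot: The result of the resized `malloc()` in prerotateSingleLog() (logrotate-3.8.6-longdate-crash.patch) is not checked before the next visible statement, `if (log->flags & LOG_FLAG_DATEEXT)`, so an allocation failure would reach the later writes with a NULL `rotNames->firstRotated`. The overflow fix also holds only if every later write into this buffer is bounded by the same sum; the new comment mentions snprintf, but those calls and the definition of DATEEXT_LEN are outside the hunk. I would compute the sum once into a `size_t` (say `alloc_size`, a name made up for this note), test the pointer right after the call with `if (rotNames->firstRotated == NULL) return 1;` (or whatever error return this function uses), and pass `alloc_size` as the size argument of the snprintf calls.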
diff --git a/SOURCES/logrotate-3.8.6-olddir-missingok.patch b/SOURCES/logrotate-3.8.6-olddir-missingok.patch
new file mode 100644
index 0000000..99196ac
--- /dev/null
+++ b/SOURCES/logrotate-3.8.6-olddir-missingok.patch
@@ -0,0 +1,99 @@
+From 1787a97828b512b4b15e618a26d0e508ec7a253b Mon Sep 17 00:00:00 2001
+From: Jan Kaluza
+Date: Tue, 26 Jan 2016 12:43:21 +0100
+Subject: [PATCH] Fix 'olddir' usage with wildcard in the middle of path in the
+ pattern definition when the pattern did not match any log file.
+
+Upstream-commit: 73493ec38c5e806fa66d8c3f13259775da6282d9
+Signed-off-by: Kamil Dudka
+---
+ config.c | 24 ++++++++++++++++++------
+ test/test | 21 +++++++++++++++++++++
+ test/test-config.69.in | 10 ++++++++++
+ 3 files changed, 49 insertions(+), 6 deletions(-)
+ create mode 100644 test/test-config.69.in
+
+diff --git a/config.c b/config.c
+index 926d388..493f3f7 100644
+--- a/config.c
++++ b/config.c
+@@ -1454,12 +1454,24 @@ static int readConfigFile(const char *configFile, struct logInfo *defConfig)
+ int rv;
+ dirName = ourDirName(newlog->files[i]);
+ if (stat(dirName, &sb2)) {
+- message(MESS_ERROR,
+- "%s:%d error verifying log file "
+- "path %s: %s\n", configFile, lineNum,
+- dirName, strerror(errno));
+- free(dirName);
+- goto error;
++ if (!(newlog->flags & LOG_FLAG_MISSINGOK)) {
++ message(MESS_ERROR,
++ "%s:%d error verifying log file "
++ "path %s: %s\n", configFile, lineNum,
++ dirName, strerror(errno));
++ free(dirName);
++ goto error;
++ }
++ else {
++ message(MESS_DEBUG,
++ "%s:%d verifying log file "
++ "path failed %s: %s, log is probably missing, "
++ "but missingok is set, so this is not an error.\n",
++ configFile, lineNum,
++ dirName, strerror(errno));
++ free(dirName);
++ continue;
++ }
+ }
+ ld = alloca(strlen(dirName) + strlen(newlog->oldDir) + 2);
+ sprintf(ld, "%s/%s", dirName, newlog->oldDir);
+diff --git a/test/test b/test/test
+index 9d7618f..54d57d2 100755
+--- a/test/test
++++ b/test/test
+@@ -1566,4 +1566,25 @@ test.log 0
+ test.log.$DATESTRING 0 zero
+ EOF
+
++cleanup 69
++
++# ------------------------------- Test 69 ------------------------------------
++# Test olddir with wildcard in the pattern
++preptest test.log 69 1 0
++rm -rf testdir
adir bdir
++mkdir adir
++mkdir bdir
++cp test.log adir
++cp test.log bdir
++$RLR test-config.69 --force -v
++
++checkoutput <
+Date: Tue, 11 Oct 2016 18:41:56 +0200
+Subject: [PATCH 1/2] copyTruncate: factor out handling of SELinux context
+
+... to separate functions
+
+Closes #72
+
+Upstream-commit: c5bff8adcece162746c68834fa1526dd45ca7bd0
+Signed-off-by: Kamil Dudka
+---
+ logrotate.c | 117 ++++++++++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 74 insertions(+), 43 deletions(-)
+
+diff --git a/logrotate.c b/logrotate.c
+index 2abac3d..6270995 100644
+--- a/logrotate.c
++++ b/logrotate.c
+@@ -251,6 +251,72 @@ static unsigned hashIndex(const char *fn)
+ return hash % hashSize;
+ }
+
++static int setSecCtx(int fdSrc, const char *src, void **pPrevCtx)
++{
++#ifdef WITH_SELINUX
++ security_context_t srcCtx;
++ *pPrevCtx = NULL;
++
++ if (!selinux_enabled)
++ /* pretend success */
++ return 0;
++
++ /* read security context of fdSrc */
++ if (fgetfilecon_raw(fdSrc, &srcCtx) < 0) {
++ if (errno == ENOTSUP)
++ /* pretend success */
++ return 0;
++
++ message(MESS_ERROR, "getting file context %s: %s\n", src,
++ strerror(errno));
++ return selinux_enforce;
++ }
++
++ /* save default security context for restoreSecCtx() */
++ if (getfscreatecon_raw((security_context_t *)pPrevCtx) < 0) {
++ message(MESS_ERROR, "getting default context: %s\n", strerror(errno));
++ return selinux_enforce;
++ }
++
++ /* set default security context to match fdSrc */
++ if (setfscreatecon_raw(srcCtx) < 0) {
++ message(MESS_ERROR, "setting default context to %s: %s\n", srcCtx,
++ strerror(errno));
++ freecon(srcCtx);
++ return selinux_enforce;
++ }
++
++ message(MESS_DEBUG, "set default create context to %s\n", srcCtx);
++ freecon(srcCtx);
++#else
++ (void) fdSrc;
++ (void) src;
++ (void) pPrevCtx;
++#endif
++ return 0;
++}
++
++static void restoreSecCtx(void **pPrevCtx)
++{
++#ifdef WITH_SELINUX
++ const security_context_t prevCtx = (security_context_t) *pPrevCtx;
++ if
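Review bot: The new `else` branch in readConfigFile() (config.c hunk of logrotate-3.8.6-olddir-missingok.patch) treats every stat() failure on `dirName` as a missing log once `missingok` is set, so errors such as EACCES, ELOOP or ENAMETOOLONG are downgraded to a MESS_DEBUG message and the `continue` skips the olddir path handling that follows for that file. missingok is about absent logs, so the error path should stay active for everything else, e.g. `if (errno != ENOENT || !(newlog->flags & LOG_FLAG_MISSINGOK)) {` (ENOTDIR could be added if a missing intermediate component should count as well). The debug text `log is probably missing` would then be accurate too. The rest of the loop body is outside the hunk.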
(!prevCtx)
++ /* no security context saved for restoration */
++ return;
++
++ /* set default security context to the previously stored one */
++ if (selinux_enabled && setfscreatecon_raw(prevCtx) < 0)
++ message(MESS_ERROR, "setting default context to %s: %s\n", prevCtx,
++ strerror(errno));
++
++ /* free the memory allocated to save the security context */
++ freecon(prevCtx);
++ *pPrevCtx = NULL;
++#else
++ (void) pPrevCtx;
++#endif
++}
++
+ static struct logState *newState(const char *fn)
+ {
+ struct tm now = *localtime(&nowSecs);
+@@ -679,6 +745,7 @@ static int copyTruncate(char *currLog, char *saveLog, struct stat *sb,
+ {
+ char buf[BUFSIZ];
+ int fdcurr = -1, fdsave = -1;
++ void *prevCtx;
+ ssize_t cnt;
+
+ message(MESS_DEBUG, "copying %s to %s\n", currLog, saveLog);
+@@ -689,48 +756,18 @@ static int copyTruncate(char *currLog, char *saveLog, struct stat *sb,
+ strerror(errno));
+ return 1;
+ }
+-#ifdef WITH_SELINUX
+- if (selinux_enabled) {
+- security_context_t oldContext;
+- if (fgetfilecon_raw(fdcurr, &oldContext) >= 0) {
+- if (getfscreatecon_raw(&prev_context) < 0) {
+- message(MESS_ERROR,
+- "getting default context: %s\n",
+- strerror(errno));
+- if (selinux_enforce) {
+- freecon(oldContext);
+- close(fdcurr);
+- return 1;
+- }
+- }
+- if (setfscreatecon_raw(oldContext) < 0) {
+- message(MESS_ERROR,
+- "setting file context %s to %s: %s\n",
+- saveLog, oldContext, strerror(errno));
+- if (selinux_enforce) {
+- freecon(oldContext);
+- close(fdcurr);
+- return 1;
+- }
+- }
+- message(MESS_DEBUG, "set default create context\n");
+- freecon(oldContext);
+- } else {
+- if (errno != ENOTSUP) {
+- message(MESS_ERROR, "getting file context %s: %s\n",
+- currLog, strerror(errno));
+- if (selinux_enforce) {
+- return 1;
+- }
+- }
+- }
++
++ if (setSecCtx(fdcurr, currLog, &prevCtx) != 0) {
++ /* error msg already printed */
++ close(fdcurr);
++ return 1;
+ }
+-#endif
+ #ifdef WITH_ACL
+ if ((prev_acl = acl_get_fd(fdcurr)) == NULL) {
+ if
(!ACL_NOT_WELL_SUPPORTED(errno)) {
+ message(MESS_ERROR, "getting file ACL %s: %s\n",
+ currLog, strerror(errno));
++ restoreSecCtx(&prevCtx);
+ close(fdcurr);
+ return 1;
+ }
+@@ -738,13 +775,7 @@ static int copyTruncate(char *currLog, char *saveLog, struct stat *sb,
+ #endif /* WITH_ACL */
+ fdsave =
+ createOutputFile(saveLog, O_WRONLY | O_CREAT, sb, prev_acl, 0);
+-#ifdef WITH_SELINUX
+- if (selinux_enabled) {
+- setfscreatecon_raw(prev_context);
+- freecon(prev_context);
+- prev_context = NULL;
+- }
+-#endif
++ restoreSecCtx(&prevCtx);
+ #ifdef WITH_ACL
+ if (prev_acl) {
+ acl_free(prev_acl);
+--
+2.7.4
+
+
+From 0ed7a45533a3d9d2237c742a2de03faba1b2e35f Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Tue, 11 Oct 2016 18:53:18 +0200
+Subject: [PATCH 2/2] compressLogFile: explicitly preserve SELinux context
+
+If we use options 'compress' and 'sharedscripts' together, the rotated
+(and compressed) log files may end up with a wrong security context in
+case multiple files with different security contexts are rotated in a
+row.
+
+Closes #72
+
+Upstream-commit: 57458d5424eebf0c7912eefe955e4d7b0f49fd15
+Signed-off-by: Kamil Dudka
+---
+ logrotate.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/logrotate.c b/logrotate.c
+index 6270995..20f6ea5 100644
+--- a/logrotate.c
++++ b/logrotate.c
+@@ -558,6 +558,7 @@ static int compressLogFile(char *name, struct logInfo *log, struct stat *sb)
+ int outFile;
+ int i;
+ int status;
++ void *prevCtx;
+
+ message(MESS_DEBUG, "compressing log with: %s\n", log->compress_prog);
+ if (debug)
+@@ -578,11 +579,18 @@ static int compressLogFile(char *name, struct logInfo *log, struct stat *sb)
+ return 1;
+ }
+
++ if (setSecCtx(inFile, name, &prevCtx) != 0) {
++ /* error msg already printed */
++ close(inFile);
++ return 1;
++ }
++
+ #ifdef WITH_ACL
+ if ((prev_acl = acl_get_fd(inFile)) == NULL) {
+ if (!ACL_NOT_WELL_SUPPORTED(errno)) {
+ message(MESS_ERROR, "getting file ACL %s: %s\n",
+ name, strerror(errno));
++ restoreSecCtx(&prevCtx);
+ close(inFile);
+ return 1;
+ }
+@@ -591,6 +599,7 @@ static int compressLogFile(char *name, struct logInfo *log, struct stat *sb)
+
+ outFile =
+ createOutputFile(compressedName, O_RDWR | O_CREAT, sb, prev_acl, 0);
++ restoreSecCtx(&prevCtx);
+ #ifdef WITH_ACL
+ if (prev_acl) {
+ acl_free(prev_acl);
+--
+2.7.4
+
diff --git a/SOURCES/logrotate-3.8.6-statusfile.patch b/SOURCES/logrotate-3.8.6-statusfile.patch
index 1610173..b2076cf 100644
--- a/SOURCES/logrotate-3.8.6-statusfile.patch
+++ b/SOURCES/logrotate-3.8.6-statusfile.patch
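Review bot: setSecCtx() in the SELinux patch (PATCH 1/2, logrotate.c) leaks `srcCtx` when `getfscreatecon_raw()` fails: that branch returns `selinux_enforce` without the `freecon(srcCtx)` that the `setfscreatecon_raw()` failure branch and the success path both have, and that the removed inline code in copyTruncate() did call in enforcing mode. Adding `freecon(srcCtx);` before that `return selinux_enforce;` fixes it. Related: when `setfscreatecon_raw()` fails in enforcing mode, `*pPrevCtx` already holds the context saved by getfscreatecon_raw(), but copyTruncate() and compressLogFile() only `close()` and `return 1` on a non-zero result, so the saved context is never freed; calling `restoreSecCtx(&prevCtx);` on those two paths, or freeing it inside setSecCtx() before returning, would cover that. Both helpers would also benefit from a header comment stating that a non-zero return means the caller must abort and that `*pPrevCtx` has to be handed to restoreSecCtx() afterwards.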
@@ -1,3 +1,26 @@ +From 42c95eacd3eb37f7846967295908fc4a9db81713 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 24 Jan 2017 18:26:32 +0100 +Subject: [PATCH] Resolves: #1381719 - make /var/lib/logrotate/logrotate.status + the default state file + +--- + config.h | 2 +- + examples/logrotate.cron | 2 +- + logrotate.8 | 5 +++-- + 3 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/config.h b/config.h +index d715c5a..31f21aa 100644 +--- a/config.h ++++ b/config.h +@@ -43,5 +43,5 @@ + #endif + + #ifndef STATEFILE +-#define STATEFILE "/var/lib/logrotate.status" ++#define STATEFILE "/var/lib/logrotate/logrotate.status" + #endif diff --git a/examples/logrotate.cron b/examples/logrotate.cron index c6d50d4..967932e 100644 --- a/examples/logrotate.cron @@ -10,3 +33,29 @@ index c6d50d4..967932e 100644 EXITVALUE=$? if [ $EXITVALUE != 0 ]; then /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]" +diff --git a/logrotate.8 b/logrotate.8 +index 2cd2370..756e655 100644 +--- a/logrotate.8 ++++ b/logrotate.8 +@@ -59,7 +59,8 @@ and mail it to the recipient. The default mail command is \fB/bin/mail + \fB\-s\fR, \fB\-\-state \fR + Tells \fBlogrotate\fR to use an alternate state file. This is useful + if logrotate is being run as a different user for various sets of +-log files. The default state file is \fI/var/lib/logrotate.status\fR. ++log files. The default state file is ++\fI/var/lib/logrotate/logrotate.status\fR. + + .TP + \fB\-\-usage\fR +@@ -538,7 +539,7 @@ Log files are rotated if the current year is not the same as the last rotation. + .SH FILES + .PD 0 + .TP 27 +-\fI/var/lib/logrotate.status\fR ++\fI/var/lib/logrotate/logrotate.status\fR + Default state file. + .TP 27 + \fI/etc/logrotate.conf\fR +-- +2.7.4 + diff --git a/SOURCES/logrotate-3.8.6-su-username.patch b/SOURCES/logrotate-3.8.6-su-username.patch new file mode 100644 index 0000000..a125e58 --- /dev/null +++ b/SOURCES/logrotate-3.8.6-su-username.patch 
@@ -0,0 +1,36 @@
+From a2cbd1f7bf100d11c56b72952b782a37d4a3e9de Mon Sep 17 00:00:00 2001
+From: Ewald van Geffen
+Date: Fri, 12 Aug 2016 17:41:53 +0200
+Subject: [PATCH] config.c: fix parsing of 'su' directive
+
+... to accept usernames starting with numeric symbols
+
+Closes #53
+
+Upstream-commit: 6c0dfc4a3d3b0535a4848d4ccb92631016a20a2d
+Signed-off-by: Kamil Dudka
+---
+ config.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/config.c b/config.c
+index 64bb935..5e7951e 100644
+--- a/config.c
++++ b/config.c
+@@ -230,7 +230,12 @@ static int readModeUidGid(const char *configFile, int lineNum, char *key,
+ struct group *group;
+ struct passwd *pw = NULL;
+
+- rc = sscanf(key, "%o %199s %199s%c", &m, u, g, &tmp);
++ if (!strcmp("su", directive))
++ /* do not read for the 'su' directive */
++ rc = 0;
++ else
++ rc = sscanf(key, "%o %199s %199s%c", &m, u, g, &tmp);
++
+ /* We support 'key notation now */
+ if (rc == 0) {
+ rc = sscanf(key, "%199s %199s%c", u, g, &tmp);
+--
+2.7.4
+
diff --git a/SPECS/logrotate.spec b/SPECS/logrotate.spec
index 15d0e93..c66cf89 100644
--- a/SPECS/logrotate.spec
+++ b/SPECS/logrotate.spec
@@ -1,7 +1,7 @@
 Summary: Rotates, compresses, removes and mails system log files
 Name: logrotate
 Version: 3.8.6
-Release: 12%{?dist}
+Release: 14%{?dist}
 License: GPL+
 Group: System Environment/Base
 Url: https://fedorahosted.org/logrotate/
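Review bot: The comment `/* do not read for the 'su' directive */` added to readModeUidGid() (logrotate-3.8.6-su-username.patch) says what is skipped but not why. Going by the commit subject, the reason is that `%o` would take the leading digits of a user name as a mode, so I would write `/* 'su' has no mode field: skip the %o scan so a user name starting with digits is not parsed as a mode */`. Setting `rc = 0` only to fall into the following `if (rc == 0)` branch is an implicit coupling that deserves a word in the same comment, and the unbraced `if`/`else` with a comment line between condition and statement is easy to misread, so braces would help. `directive` is declared outside the hunk, so whether it can be NULL when it reaches `strcmp()` cannot be judged from here.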
@@ -14,11 +14,28 @@ Patch3: logrotate-3.8.6-r460.patch Patch4: logrotate-3.8.6-compress-subject.patch Patch5: logrotate-3.8.6-olddircopy.patch Patch6: logrotate-3.8.6-state-clean.patch + +# fix #1381719 - make /var/lib/logrotate/logrotate.status the default state file Patch7: logrotate-3.8.6-statusfile.patch # fix #1192936 - provide diagnostic in case log does not need rotating Patch9: logrotate-3.8.6-diagnostic.patch +# fix #1375638 - make olddir respect the missingok flag +Patch10: logrotate-3.8.6-olddir-missingok.patch + +# fix #1369438 - heap buffer overflow when using long date format +Patch11: logrotate-3.8.6-longdate-crash.patch + +# fix #1377335 - make 'createolddir' preserve sticky bit +Patch12: logrotate-3.8.6-createolddir.patch + +# fix #1374331 - preserve SELinux context with 'compress' and 'sharedscripts' +Patch13: logrotate-3.8.6-selinux.patch + +# fix #1387533 - make 'su' directive accept usernames starting with digits +Patch14: logrotate-3.8.6-su-username.patch + Requires: coreutils >= 5.92 popt BuildRequires: libselinux-devel popt-devel libacl-devel acl BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -44,8 +61,13 @@ log files on your system. %patch4 -p1 -b .compressmail %patch5 -p1 -b .olddircopy %patch6 -p1 -b .stateclean -%patch7 -p1 -b .statusfile +%patch7 -p1 %patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 %build make %{?_smp_mflags} RPM_OPT_FLAGS="$RPM_OPT_FLAGS" WITH_SELINUX=yes WITH_ACL=yes @@ -62,7 +84,6 @@ mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/lib/logrotate install -p -m 644 examples/logrotate-default $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.conf install -p -m 755 examples/logrotate.cron $RPM_BUILD_ROOT/%{_sysconfdir}/cron.daily/logrotate -touch $RPM_BUILD_ROOT/%{_localstatedir}/lib/logrotate/logrotate.status # Make sure logrotate is able to run on read-only root mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d 
@@ -91,10 +112,21 @@ rm -rf $RPM_BUILD_ROOT %attr(0644, root, root) %config(noreplace) %{_sysconfdir}/logrotate.conf %attr(0755, root, root) %dir %{_sysconfdir}/logrotate.d %attr(0755, root, root) %dir %{_localstatedir}/lib/logrotate -%attr(0644, root, root) %verify(not size md5 mtime) %config(noreplace) %{_localstatedir}/lib/logrotate/logrotate.status +%attr(0644, root, root) %ghost %verify(not size md5 mtime) %{_localstatedir}/lib/logrotate/logrotate.status %config(noreplace) %{_sysconfdir}/rwtab.d/logrotate %changelog +* Tue Jan 24 2017 Kamil Dudka - 3.8.6-14 +- fix #1381719 - make /var/lib/logrotate/logrotate.status the default state file +- fix #1387533 - make 'su' directive accept usernames starting with digits + +* Tue Sep 13 2016 Kamil Dudka - 3.8.6-13 +- fix #1393247 - migration of state file from previous versions of logrotate +- fix #1374331 - preserve SELinux context with 'compress' and 'sharedscripts' +- fix #1377335 - make 'createolddir' preserve sticky bit +- fix #1369438 - heap buffer overflow when using long date format +- fix #1375638 - make olddir respect the missingok flag + * Thu Jul 14 2016 Kamil Dudka - 3.8.6-12 - make the /var/lib/logrotate directory owned by logrotate (#1272236)