diff --git a/backport-Also-check-seteuid-fails-after-dropping-privileges.patch b/backport-Also-check-seteuid-fails-after-dropping-privileges.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a665ffa36b25559aa3042b4fde516c7b9fb76420
--- /dev/null
+++ b/backport-Also-check-seteuid-fails-after-dropping-privileges.patch
@@ -0,0 +1,30 @@
+From 68d343b1c97f35ffbc77e07f83c84fc24df59f97 Mon Sep 17 00:00:00 2001
+From: cgzones
+Date: Sat, 5 Jun 2021 18:56:55 +0200
+Subject: [PATCH] Also check seteuid fails after dropping privileges
+
+This patch is the rear patch of "switch_user_permanently: skip switchback check if switched to root"
+
+Conflict:NA
+Reference:https://github.com/logrotate/logrotate/commit/68d343b1c97f35ffbc77e07f83c84fc24df59f97
+
+---
+ logrotate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/logrotate.c b/logrotate.c
+index 645105c..165a1df 100644
+--- a/logrotate.c
++++ b/logrotate.c
+@@ -206,7 +206,7 @@ static int switch_user_permanently(const struct logInfo *log) {
+ return 1;
+ }
+
+- if (user != ROOT_UID && setuid(ROOT_UID) != -1) {
++ if (user != ROOT_UID && (setuid(ROOT_UID) != -1 || seteuid(ROOT_UID) != -1)) {
+ message(MESS_ERROR, "failed to switch user permanently, able to switch back (pid %d)\n",
+ getpid());
+ return 1;
+--
+2.27.0
+
diff --git a/backport-add-sanity-check.patch b/backport-add-sanity-check.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8f93f973633903f22520de1a975d68f57b29c6ea
--- /dev/null
+++ b/backport-add-sanity-check.patch
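Review bot: The widened probe on the new `if` line still verifies only that the uid drop is permanent; the `setgid(group)` performed earlier in switch_user_permanently is never probed, so a group change that could be reversed with `setgid()`/`setegid()` back to the pre-switch gid passes this check unnoticed. A symmetric probe would need the real gid saved before the "switch to full root first" step and then `setgid()`/`setegid()` tried with it the same way `setuid()`/`seteuid()` are tried with `ROOT_UID` here. Note also that a successful probe is itself a privilege change: when `seteuid(ROOT_UID)` succeeds the process returns 1 while running as effective root, so the caller (outside this hunk) must treat that return as fatal rather than continue. The same uid-only gap exists in the `backport-skip-switchback-check-if-switched-to-root` hunk, which introduces the `user != ROOT_UID` guard; switch_user_permanently continues outside this hunk.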
@@ -0,0 +1,61 @@
+From e8208913459d95d4c03b4e0c348e53e6f219ec5c Mon Sep 17 00:00:00 2001
+From: cgzones
+Date: Wed, 8 Apr 2020 16:38:06 +0200
+Subject: [PATCH] switch_user_permanently: add sanity check that effective ids
+ match configuration specified ones
+
+This patch is for fixing the issue of "switch_user_permanently: skip switchback check if switched to root"
+
+Conflict:NA
+Reference:https://github.com/logrotate/logrotate/pull/319/commits/e8208913459d95d4c03b4e0c348e53e6f219ec5c
+
+---
+ logrotate.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/logrotate.c b/logrotate.c
+index 2e315b9..6bc8ad5 100644
+--- a/logrotate.c
++++ b/logrotate.c
+@@ -167,18 +167,35 @@ int switch_user(uid_t user, gid_t group) {
+ }
+
+ static int switch_user_permanently(const struct logInfo *log) {
+- gid_t group = getegid();
+- uid_t user = geteuid();
++ const gid_t group = getegid();
++ const uid_t user = geteuid();
++
+ if (!(log->flags & LOG_FLAG_SU)) {
+ return 0;
+ }
+- if (getuid() == user && getgid() == group)
++
++ if (user != log->suUid) {
++ message(MESS_ERROR, "current euid (%u) does not match uid of log configuration (%u)\n",
++ (unsigned) user, (unsigned) log->suUid);
++ return 1;
++ }
++ if (group != log->suGid) {
++ message(MESS_ERROR, "current egid (%u) does not match gid of log configuration (%u)\n",
++ (unsigned) group, (unsigned) log->suGid);
++ return 1;
++ }
++
++ /* we are already the final configuration specified user/group */
++ if (getuid() == user && getgid() == group) {
+ return 0;
++ }
++
+ /* switch to full root first */
+ if (setgid(getgid()) || setuid(getuid())) {
+ message(MESS_ERROR, "error getting rid of euid != uid\n");
+ return 1;
+ }
++
+ message(MESS_DEBUG, "switching uid to %u and gid to %u\n",
+ (unsigned) user, (unsigned) group);
+ if (setgid(group) || setuid(user)) {
+--
+2.27.0
+
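Review bot: The retained comment `/* switch to full root first */` above `if (setgid(getgid()) || setuid(getuid()))` is misleading now that the function is documented more carefully: those calls restore the effective ids to the real ids, which is root only when logrotate itself runs as root, and on a non-root invocation the later `setgid(group) || setuid(user)` is what fails. Suggest `/* revert euid/egid to the real ids (root when run as root) so the following setgid()/setuid() change all ids at once */`. The new euid/egid checks against `log->suUid`/`log->suGid` are a sound precondition for a permanent drop, since they stop the function from committing to ids that were never the configured ones; switch_user_permanently continues outside the hunk.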
diff --git a/backport-call-switch_user_back-on-early-return.patch b/backport-call-switch_user_back-on-early-return.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d50b5c46db27fb934747c133d198d2e6b0f0e905
--- /dev/null
+++ b/backport-call-switch_user_back-on-early-return.patch
@@ -0,0 +1,41 @@
+From dc49327c5e55f488397c1e3f48b25fe2fc372e22 Mon Sep 17 00:00:00 2001
+From: cgzones
+Date: Wed, 8 Apr 2020 17:07:08 +0200
+Subject: [PATCH] rotateLogSet: call switch_user_back on early return
+
+This patch is for fixing the issue of "switch_user_permanently: skip switchback check if switched to root"
+
+Conflict:NA
+Reference:https://github.com/logrotate/logrotate/pull/319/commits/dc49327c5e55f488397c1e3f48b25fe2fc372e22
+
+---
+ logrotate.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/logrotate.c b/logrotate.c
+index 55887a5..645105c 100644
+--- a/logrotate.c
++++ b/logrotate.c
+@@ -2294,6 +2294,9 @@ static int rotateLogSet(struct logInfo *log, int force)
+
+ if (state == NULL || rotNames == NULL) {
+ message(MESS_ERROR, "can not allocate memory\n");
++ if (log->flags & LOG_FLAG_SU) {
++ switch_user_back();
++ }
+ free(rotNames);
+ free(state);
+ free(logHasErrors);
+@@ -2314,6 +2317,9 @@ static int rotateLogSet(struct logInfo *log, int force)
+ rotNames[i] = malloc(sizeof(struct logNames));
+ if (rotNames[i] == NULL) {
+ message(MESS_ERROR, "can not allocate memory\n");
++ if (log->flags & LOG_FLAG_SU) {
++ switch_user_back();
++ }
+ free(rotNames);
+ free(state);
+ free(logHasErrors);
+--
+2.27.0
+
diff --git a/backport-improve-debug-logging.patch b/backport-improve-debug-logging.patch
new file mode 100644
index 0000000000000000000000000000000000000000..278d64b0b830f8332d806dac0969007e2e994308
--- /dev/null
+++ b/backport-improve-debug-logging.patch
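Review bot: The result of `switch_user_back()` is discarded on both new error paths; if it reports failure the way `switch_user()` does (an `int` return, visible in the sibling hunk), a failed restore of the original effective ids on an out-of-memory path goes unlogged and the caller keeps running with whatever ids were in effect. At minimum the status should be checked and reported, e.g. `if (switch_user_back()) message(MESS_ERROR, "failed to switch user back\n");`, assuming that is its contract. Both hunks now duplicate the same five-line cleanup (switch-back guard plus three `free()` calls); a single `goto` cleanup label at the end of rotateLogSet would keep the two paths from drifting when another resource is added. rotateLogSet starts and ends outside the hunk, so whether a cleanup label already exists there is not visible.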
@@ -0,0 +1,88 @@
+From bffe3d842399263b4566320572d781684b1c276e Mon Sep 17 00:00:00 2001
+From: cgzones
+Date: Wed, 8 Apr 2020 16:38:14 +0200
+Subject: [PATCH] switch_user*: improve debug logging
+
+Print pid to distinguish processes.
+Print previous effective ids.
+
+This patch is for fixing the issue of "switch_user_permanently: skip switchback check if switched to root"
+
+Conflict:NA
+Reference:https://github.com/logrotate/logrotate/pull/319/commits/bffe3d842399263b4566320572d781684b1c276e
+
+---
+ logrotate.c | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/logrotate.c b/logrotate.c
+index 6bc8ad5..55887a5 100644
+--- a/logrotate.c
++++ b/logrotate.c
+@@ -156,11 +156,12 @@ int switch_user(uid_t user, gid_t group) {
+ save_euid = geteuid();
+ if (save_euid == user && save_egid == group)
+ return 0;
+- message(MESS_DEBUG, "switching euid to %u and egid to %u\n",
+- (unsigned) user, (unsigned) group);
++ message(MESS_DEBUG, "switching euid from %u to %u and egid from %u to %u (pid %d)\n",
++ (unsigned) save_euid, (unsigned) user, (unsigned) save_egid, (unsigned) group, getpid());
+ if (setegid(group) || seteuid(user)) {
+- message(MESS_ERROR, "error switching euid to %u and egid to %u: %s\n",
+- (unsigned) user, (unsigned) group, strerror(errno));
++ message(MESS_ERROR, "error switching euid from %u to %u and egid from %u to %u (pid %d): %s\n",
++ (unsigned) save_euid, (unsigned) user, (unsigned) save_egid, (unsigned) group, getpid(),
++ strerror(errno));
+ return 1;
+ }
+ return 0;
+@@ -175,13 +176,13 @@ static int switch_user_permanently(const struct logInfo *log) {
+ }
+
+ if (user != log->suUid) {
+- message(MESS_ERROR, "current euid (%u) does not match uid of log configuration (%u)\n",
+- (unsigned) user, (unsigned) log->suUid);
++ message(MESS_ERROR, "current euid (%u) does not match uid of log configuration (%u) (pid %d)\n",
++ (unsigned) user, (unsigned) log->suUid, getpid());
+ return 1;
+ }
+ if (group != log->suGid) {
+- message(MESS_ERROR, "current egid (%u) does not match gid of log configuration (%u)\n",
+- (unsigned) group, (unsigned) log->suGid);
++ message(MESS_ERROR, "current egid (%u) does not match gid of log configuration (%u) (pid %d)\n",
++ (unsigned) group, (unsigned) log->suGid, getpid());
+ return 1;
+ }
+
+@@ -192,20 +193,22 @@ static int switch_user_permanently(const struct logInfo *log) {
+
+ /* switch to full root first */
+ if (setgid(getgid()) || setuid(getuid())) {
+- message(MESS_ERROR, "error getting rid of euid != uid\n");
++ message(MESS_ERROR, "error getting rid of euid != uid (pid %d): %s\n",
++ getpid(), strerror(errno));
+ return 1;
+ }
+
+- message(MESS_DEBUG, "switching uid to %u and gid to %u\n",
+- (unsigned) user, (unsigned) group);
++ message(MESS_DEBUG, "switching uid to %u and gid to %u permanently (pid %d)\n",
++ (unsigned) user, (unsigned) group, getpid());
+ if (setgid(group) || setuid(user)) {
+- message(MESS_ERROR, "error switching euid to %u and egid to %u: %s\n",
+- (unsigned) user, (unsigned) group, strerror(errno));
++ message(MESS_ERROR, "error switching uid to %u and gid to %u (pid %d): %s\n",
++ (unsigned) user, (unsigned) group, getpid(), strerror(errno));
+ return 1;
+ }
+
+ if (user != ROOT_UID && setuid(ROOT_UID) != -1) {
+- message(MESS_ERROR, "failed to switch user permanently, able to switch back\n");
++ message(MESS_ERROR, "failed to switch user permanently, able to switch back (pid %d)\n",
++ getpid());
+ return 1;
+ }
+
+--
+2.27.0
+
diff --git a/backport-skip-switchback-check-if-switched-to-root.patch b/backport-skip-switchback-check-if-switched-to-root.patch
new file mode 100644
index 0000000000000000000000000000000000000000..308522990d292355bc6533012beccd6eea1f03e6
--- /dev/null
+++ b/backport-skip-switchback-check-if-switched-to-root.patch
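Review bot: Every new `(pid %d)` conversion is passed `getpid()` uncast, while the uid/gid arguments on the same lines are carefully cast to `unsigned` for `%u`; `pid_t` is not guaranteed to be `int`, so the portable form is `(int) getpid()` (or `%ld` with `(long) getpid()`). The same uncast `getpid()` is added in the `backport-Also-check-seteuid-fails-after-dropping-privileges` hunk. Recording the previous effective ids and the pid on every transition is the right level of detail for auditing privilege changes, and `strerror(errno)` is evaluated before `message()` runs, so the reported errno belongs to the failing `set*id()` call. switch_user_permanently continues outside the hunk.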
@@ -0,0 +1,39 @@
+From bf18aec66a2a8bc0c3ef56c6be41846076c8a3f1 Mon Sep 17 00:00:00 2001
+From: cgzones
+Date: Wed, 8 Apr 2020 16:38:00 +0200
+Subject: [PATCH] switch_user_permanently: skip switchback check if switched to
+ root
+
+Allow switching only the real group (not the user) with a configuration
+like `su root somegroup`.
+E.g. mailman uses `su root list`, which currently fails with:
+ error: failed to switch user permanently, able to switch back
+ error: failed to compress log /var/log/mailman/qrunner.1
+
+Fixes: a0b05e42a590efa3e575dd2001b6aa390a79c769 ("switch_user_permanently: check if switchback is possible")
+
+This patch is for fixing the issue of "switch_user_permanently: skip switchback check if switched to root"
+
+Conflict:NA
+Reference:https://github.com/logrotate/logrotate/pull/319/commits/bf18aec66a2a8bc0c3ef56c6be41846076c8a3f1
+
+---
+ logrotate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/logrotate.c b/logrotate.c
+index 25902bc..2e315b9 100644
+--- a/logrotate.c
++++ b/logrotate.c
+@@ -187,7 +187,7 @@ static int switch_user_permanently(const struct logInfo *log) {
+ return 1;
+ }
+
+- if (setuid(ROOT_UID) != -1) {
++ if (user != ROOT_UID && setuid(ROOT_UID) != -1) {
+ message(MESS_ERROR, "failed to switch user permanently, able to switch back\n");
+ return 1;
+ }
+--
+2.27.0
+
diff --git a/logrotate.spec b/logrotate.spec
index 8e18866669d654133e7ea4b5f997c1f731f90a86..8c439c1617cdcdad64a02fcb8de497c04c86fbc6 100644
--- a/logrotate.spec
+++ b/logrotate.spec
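Review bot: The new `user != ROOT_UID` guard silently skips the switch-back probe, and nothing in the code says why; a reader auditing privilege handling will see the probe bypassed for root and assume a missing check rather than the `su root <group>` case described only in the commit message. Suggest a comment above the new line: `/* su root <group>: the uid stays root and only the gid changed, so probing setuid(ROOT_UID) proves nothing here */`. Returning 0 in that case also means the caller continues with a fully privileged process, which is the configured intent but worth stating next to the guard. switch_user_permanently continues outside the hunk.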
@@ -2,11 +2,18 @@ Name: logrotate Version: 3.16.0 -Release: 1 +Release: 2 Summary: simplify the administration of log files License: GPLv2+ Url: https://github.com/logrotate/logrotate Source0: https://github.com/logrotate/logrotate/releases/download/%{version}/logrotate-%{version}.tar.xz + +Patch6000: backport-skip-switchback-check-if-switched-to-root.patch +Patch6001: backport-add-sanity-check.patch +Patch6002: backport-improve-debug-logging.patch +Patch6003: backport-call-switch_user_back-on-early-return.patch +Patch6004: backport-Also-check-seteuid-fails-after-dropping-privileges.patch + BuildRequires: acl gcc automake libacl-devel libselinux-devel popt-devel Requires: coreutils @@ -73,6 +80,9 @@ fi %{_mandir}/man5/logrotate.conf.5* %changelog +* Tue Mar 29 2022 dongyuzhen - 3.16.0-2 +- fix switch_user_permanently: skip switchback check if switched to root + * Fri Apr 24 2020 BruceGW - 3.16.0-1 - update upstream to 3.16.0
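Review bot: `Patch6000` through `Patch6004` are declared in the new lines after `Source0`, but whether they are applied depends on the `%prep` section, which is outside this hunk; if it uses `%setup` rather than `%autosetup -p1` (or explicit `%patch` lines), the five backports are never applied and 3.16.0-2 ships the unchanged `switch_user_permanently`. Confirming `%prep` applies them should be part of this change, since the build would otherwise succeed without the privilege-handling fixes the changelog claims. The changelog entry names only the first upstream commit; mentioning the euid/egid sanity check and the `seteuid` switch-back probe would make this privilege-related change easier to audit from the package history.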