[Debian-med-packaging] Bug#825119: [anbe at debian.org: Re: Bug#825119: jmodeltest: creates world writable /var/log/jmodeltest]
Andreas Tille
andreas at fam-tille.de
Sat May 28 14:49:32 UTC 2016
Hi Diego,
thanks for the hint. I've just uploaded a package where /var/log/jmodeltest is set to 1777.
Kind regards
Andreas.
On Fri, May 27, 2016 at 06:39:27PM +0200, Diego Darriba wrote:
> Hi Andreas,
>
> Log files can be used as checkpoint files for restarting a failed execution, and also for checking
> PhyML output in case of an external error. The name of the log files is the name of the input
> alignment followed by the timestamp. There is no reason for using this naming convention, apart from
> being more user-friendly, so they could be randomly generated as well.
>
> I'd suggest to use /var/log/jmodeltest rather than home directory by default, because probably
> nobody expects a tool to automatically generate files there. The user can change the log directory
> or disable logging in jmodeltest.conf file.
>
> Best Regards,
> Diego.
>
> On 25.05.2016 08:19, Andreas Tille wrote:
> > Hi Diego,
> >
> > I received a bug report about the way I've chosen to enable logging for
> > jmodeltest. Since the dist.dir is under /usr and you should be able
> > to mount /usr readonly you can not write logging files there. So I
> > decided to do the logging to /var/log/jmodeltest and made the mistake
> > of setting permissions to 777 instead of 1777 (see below or the full bug
> > report[1]).
> >
> > Before I might upload a fix I would like to know the role of these
> > logfiles, their intention and whether you might consider using mktemp to
> > safely create log names with unpredictable names.
> >
> > Another solution would be to keep the logs in users homes in case the
> > log is for the single user anyway.
> >
> > Kind regards
> >
> > Andreas.
> >
> > [1] https://bugs.debian.org/825119
> >
> > ----- Forwarded message from Andreas Beckmann <anbe at debian.org> -----
> >
> > Date: Tue, 24 May 2016 18:19:04 +0200
> > From: Andreas Beckmann <anbe at debian.org>
> > To: Andreas Tille <tille at debian.org>, 825119 at bugs.debian.org
> > Subject: Re: Bug#825119: jmodeltest: creates world writable /var/log/jmodeltest
> >
> > On 2016-05-24 17:10, Andreas Tille wrote:
> >> Hi Andreas,
> >>
> >> thanks for running these tests. Could you please be more verbose in
> >> how far it is a problem if a program enables users to write logs on a
> >> collective place which is the intention of enabling users to write
> >> there?
> >>
> >> I confirm that it's possible for other users to delete / change logs.
> >> Well, yes, that could happen but it's not security relevant in my eyes.
> >> Any better suggestion is welcome.
> >
> > Perhaps you want 1777?
> >
> > Are the logfile names predictable? Created in a safe way?
> >
> > eve $ ln -sf /home/bob/important.file /var/log/jmodeltest/bob.log
> > bob $ run_jmodeltest # overwrites /home/bob/important.file ?
> >
> >
> > Andreas
> >
> >
> >
> > ----- End forwarded message -----
> >
>
>
--
http://fam-tille.de
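
Added example, not part of the original message or of jmodeltest: the two points raised in the thread (sticky bit on the shared directory, mktemp for unpredictable names) as a shell sketch. The helper names and the scratch directory standing in for /var/log/jmodeltest are assumptions; the sticky bit only stops users removing each other's files, so the exclusive, randomly named create is what keeps a pre-planted link from being followed.

```shell
#!/bin/sh
# Added example. All paths live in a private scratch directory (constructed),
# standing in for /var/log/jmodeltest and a user's file.

# True only if $1 is a directory with the sticky bit set (the "1" in 1777).
is_sticky() {
    [ -d "$1" ] && [ -k "$1" ]
}

# Hypothetical helper: create a log for alignment name $2 inside directory $1.
# mktemp picks a random suffix and creates the file exclusively (O_CREAT|O_EXCL),
# so a file or symlink planted in advance is never opened or followed.
safe_log() {
    is_sticky "$1" || { echo "refusing: $1 is not sticky" >&2; return 1; }
    mktemp "$1/$2.log.XXXXXXXXXX"
}

# Predictable name, plain redirection: follows whatever already sits at that path.
naive_log() {
    echo "log data" > "$1/$2.log"
}

# Runs both variants against the pre-planted link from the bug report and
# reports the content of the linked-to file after each one.
demo() {
    scratch=$(mktemp -d) || return 1
    mkdir "$scratch/logs" && chmod 1777 "$scratch/logs"
    echo "precious" > "$scratch/important.file"
    ln -s "$scratch/important.file" "$scratch/logs/bob.log"

    naive_log "$scratch/logs" bob
    naive_result=$(cat "$scratch/important.file")   # overwritten via the link

    echo "precious" > "$scratch/important.file"
    log=$(safe_log "$scratch/logs" bob) && echo "log data" > "$log"
    safe_result=$(cat "$scratch/important.file")    # left untouched

    rm -rf "$scratch"
    echo "$naive_result|$safe_result"
}

demo
```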