generated ACL has logrotate subject in /tmp

PostPosted: Sun Jun 20, 2004 4:49 am
by halotron
When I finished autogenerating a system-wide ACL with gradm 2.0 (kernel 2.6.5, Debian sid), I noticed a few strange subjects about logrotate executing in /tmp with a random name.

Obviously the next time logrotate runs, it will use a different name, and so not fit in the subject.
Any suggestions on how to solve this?
I don't want to give root default execute privileges on /tmp.

---
subject /tmp/logrotate.0FayYs o {
/ h
/bin h
/bin/bash x
/bin/chmod x
/bin/chown x
/bin/ls x
/etc h
/etc/ld.so.cache r
/etc/ld.so.preload r
/etc/mtab r
/lib h
/lib/tls h
/lib/tls/libc-2.3.2.so rx
/lib/tls/libdl-2.3.2.so rx
/lib/ld-2.3.2.so x
/lib/libncurses.so.5.4 rx
/lib/libsafe.so.2.0.16 rx
/proc
/proc/meminfo r
/tmp h
/tmp/logrotat r
/usr h
/usr/bin/mysqladmin x
/var h
/var/log
/dev
/dev/null w
/dev/tty rw
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/root
-CAP_ALL
+CAP_DAC_OVERRIDE
bind disabled
connect disabled
}

subject /tmp/logrotate.OwMCui o {
/ h
/bin h
/bin/bash x
/bin/chmod x
/bin/chown x
/bin/ls x
/etc h
/etc/ld.so.cache r
/etc/ld.so.preload r
/etc/mtab r
/lib h
/lib/tls h
/lib/tls/libc-2.3.2.so rx
/lib/tls/libdl-2.3.2.so rx
/lib/ld-2.3.2.so x
/lib/libncurses.so.5.4 rx
/lib/libsafe.so.2.0.16 rx
/proc h
/proc/22280
/proc/meminfo r
/tmp h
/tmp/logrotate.OwMCui r
/usr h
/usr/bin/mysqladmin x
/var h
/var/log
/dev
/dev/null w
/dev/tty rw
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/root
-CAP_ALL
+CAP_DAC_OVERRIDE
bind disabled
connect disabled
}

subject /tmp/logrotate.VJeUxh o {
/ h
/bin h
/bin/bash x
/bin/chmod x
/bin/chown x
/bin/ls x
/etc h
/etc/ld.so.cache r
/etc/ld.so.preload r
/etc/mtab r
/lib h
/lib/tls h
/lib/tls/libc-2.3.2.so rx
/lib/tls/libdl-2.3.2.so rx
/lib/ld-2.3.2.so x
/lib/libncurses.so.5.4 rx
/lib/libsafe.so.2.0.16 rx
/proc h
/proc/8650
/proc/meminfo r
/tmp h
/tmp/logrotate.VJeUxh r
/usr h
/usr/bin/mysqladmin x
/var h
/var/log
/dev
/dev/null w
/dev/tty rw
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/root
-CAP_ALL
+CAP_DAC_OVERRIDE
bind disabled
connect disabled
}

and so on...
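The subjects above are a textbook artifact of learning mode: logrotate writes its shell script to a mkstemp()-style temp file, so every run produces a new path and a new single-use subject, plus /proc/<pid> objects that are equally bound to one run. Before hand-fixing a generated policy it helps to find all such subjects mechanically. The script below is an added example written for this thread, not part of gradm or logrotate: it parses the subject/object text format shown in the post, flags subject paths ending in a six-character mkstemp suffix (a heuristic; the pattern is assumed from the names above), groups them by their stable prefix, lists any /proc/<pid> objects, and prints the union of the remaining object lines as a starting point for one hand-written replacement subject. The embedded policy text is a constructed sample trimmed from the format in the post.

```python
"""Review a gradm-style RBAC policy dump for run-specific subjects.

Added example for this forum thread, not part of gradm. Heuristics:
a subject path ending in ".XXXXXX" (six [A-Za-z0-9] chars, as mkstemp()
produces) is treated as a temp file that will never match again, and an
object line naming /proc/<pid> is treated as bound to a single run.
"""
import re
from collections import defaultdict

# Constructed sample in the format shown in the thread (subjects trimmed).
SAMPLE_POLICY = """\
subject /tmp/logrotate.0FayYs o {
/ h
/bin/bash x
/tmp/logrotate.0FayYs r
-CAP_ALL
+CAP_DAC_OVERRIDE
}

subject /tmp/logrotate.OwMCui o {
/ h
/bin/bash x
/proc/22280
/tmp/logrotate.OwMCui r
-CAP_ALL
+CAP_DAC_OVERRIDE
}

subject /usr/sbin/logrotate o {
/ h
/bin/bash x
}
"""

SUBJECT_RE = re.compile(r"^subject\s+(\S+)")
# dir + stem + "." + six-character mkstemp()-style suffix (assumed pattern)
TEMPNAME_RE = re.compile(r"^(?P<dir>.*/)(?P<stem>[^/]+?)\.(?P<rnd>[A-Za-z0-9]{6})$")
PROC_PID_RE = re.compile(r"^/proc/\d+(?:/.*)?$")


def parse_subjects(text):
    """Return {subject_path: [object/capability lines]} in file order."""
    subjects = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SUBJECT_RE.match(line)
        if m:
            current = m.group(1)
            subjects[current] = []
        elif line == "}":
            current = None
        elif current is not None and line:
            subjects[current].append(line)
    return subjects


def find_ephemeral_subjects(text):
    """Group temp-file subjects by stable prefix, e.g. {'/tmp/logrotate': [...]}."""
    groups = defaultdict(list)
    for path in parse_subjects(text):
        m = TEMPNAME_RE.match(path)
        if m:
            groups[m.group("dir") + m.group("stem")].append(path)
    return dict(groups)


def find_pid_objects(text):
    """Return {subject_path: [/proc/<pid> object targets]} for subjects that have any."""
    found = {}
    for path, lines in parse_subjects(text).items():
        pids = [ln.split()[0] for ln in lines if PROC_PID_RE.match(ln.split()[0])]
        if pids:
            found[path] = pids
    return found


def merged_objects(text, prefix):
    """Union of object lines across one ephemeral group, minus the per-run
    lines (the temp file itself and /proc/<pid>), sorted for review."""
    subjects = parse_subjects(text)
    merged = set()
    for path in find_ephemeral_subjects(text).get(prefix, []):
        for line in subjects[path]:
            target = line.split()[0]
            if TEMPNAME_RE.match(target) or PROC_PID_RE.match(target):
                continue
            merged.add(line)
    return sorted(merged)


if __name__ == "__main__":
    for prefix, paths in find_ephemeral_subjects(SAMPLE_POLICY).items():
        print(f"{len(paths)} run-specific subjects share prefix {prefix}:")
        for p in paths:
            print("   ", p)
        print("  union of stable object lines:")
        for line in merged_objects(SAMPLE_POLICY, prefix):
            print("   ", line)
    for path, pids in find_pid_objects(SAMPLE_POLICY).items():
        print(f"{path} references per-run objects: {', '.join(pids)}")
```

Run it against a real `gradm -F -L /etc/grsec/learning.logs -O` output instead of `SAMPLE_POLICY` and the report tells you which generated subjects are dead on arrival; what to replace them with (a subject on the real logrotate binary, a fixed temp directory, or something else) remains the admin's decision, since the script deliberately emits no policy syntax it cannot verify.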

Re: generated ACL has logrotate subject in /tmp

PostPosted: Mon Dec 13, 2004 5:59 pm
by Hue-Bond
>subject /tmp/logrotate.0FayYs o {
>subject /tmp/logrotate.OwMCui o {
>subject /tmp/logrotate.VJeUxh o {

My personal far-from-perfect solution was to patch logrotate so it always uses "logrotate.XXXXXX" as the name of the temp file. Then I changed its TMP environment variable so it doesn't create that file in /tmp but in another location.