Univention Bugzilla – Bug 51579
01_base/26check_logfiles_general fails in UCS 5.0: /var/log/lastlog
Last modified: 2021-05-25 16:02:24 CEST
***Searching for world-readable logfiles:
Some potentially sensitive log files are world-readable:
-rw-rw-r-- 1 root utmp 592176 Jun 24 18:33 /var/log/lastlog
Temporarily skip this test:
ucs-test (10.0.0-8) | Bug #51579: ignore permissions of /var/log/lastlog in 01_base/26check_logfiles_general
univention-base-files.postinst creates a dpkg-statoverride for the file, but it didn't actually create the file or fix the mode.
45543c353b | Deny world read access to /var/log/lastlog
0872d0be69 | fixup, create file with correct mode if missing
Package: univention-base-files
Version: 9.0.3-2A~5.0.0.202103031231
Branch: ucs_5.0-0
No UCS-5 changelog required.
When systemd.postinst runs the mode gets set back to 664. A call to systemd-tmpfiles seems to do this.
root@master200:~# grep lastlog /usr/lib/tmpfiles.d/*
/usr/lib/tmpfiles.d/var.conf:f /var/log/lastlog 0664 root utmp -
root@master200:~# dpkg -S /usr/lib/tmpfiles.d/var.conf
systemd: /usr/lib/tmpfiles.d/var.conf
So, either we patch that to our desired mode or we just tug along and accept any local user to see the output of `lastlog`.
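The comment above shows why a chmod or dpkg-statoverride on /var/log/lastlog does not stick: a tmpfiles.d entry sets the mode again. As an added example (not part of this bug thread, ucs-test or univention-base-files), the following shell function lists tmpfiles.d entries that create files under a log directory with the world-read bit set. The function name `audit_tmpfiles` and the `example-*` paths are hypothetical.

```shell
#!/bin/sh
# Added example: list tmpfiles.d entries that (re)create files under a
# directory with the world-read bit set. Reads tmpfiles.d lines on stdin.
# Usage: audit_tmpfiles [prefix]   (prefix defaults to /var/log/)
audit_tmpfiles() {
    awk -v prefix="${1:-/var/log/}" '
        NF == 0 || $1 ~ /^#/ { next }         # skip blank lines and comments
        {
            type = $1; path = $2; mode = $3
            # Only f/F lines create regular files; modifiers such as + or !
            # may follow the type letter.
            if (type !~ /^[fF]/) next
            if (index(path, prefix) != 1) next
            # tmpfiles.d(5): an omitted or "-" mode means 0644 for files.
            if (mode == "" || mode == "-") mode = "0644"
            sub(/^[~:]+/, "", mode)           # drop optional mode prefixes
            other = substr(mode, length(mode), 1) + 0
            # Bit 4 of the last octal digit is read permission for "other".
            if (other >= 4) print path, mode
        }'
}

# Constructed sample input. The lastlog line is the one quoted in the bug;
# all example-* lines are made up for this example.
SAMPLE='# constructed sample
f /var/log/lastlog 0664 root utmp -
f /var/log/example-private.log 0640 root adm -
d /var/log/example-dir 0755 root root -
f /var/log/example-default.log - root root -
f /run/example.flag 0644 root root -'

printf '%s\n' "$SAMPLE" | audit_tmpfiles
```

On a real system the input would be the tmpfiles.d fragments themselves, for example `cat /usr/lib/tmpfiles.d/*.conf | audit_tmpfiles`.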
9b56182e49 | Remove dpkg-statoverride for /var/log/lastlog
Package: univention-base-files
Version: 9.0.3-3A~5.0.0.202103051252
Branch: ucs_5.0-0
OK: lastlog is readable by anyone, like in Debian
OK: statoverride reset on upgrade
OK: test case passes
OK: changelog entry explaining the behavior change
UCS 5.0 has been released:
https://docs.software-univention.de/release-notes-5.0-0-en.html
https://docs.software-univention.de/release-notes-5.0-0-de.html
If this error occurs again, please use "Clone This Bug".