From 0caff0a074445b8a10050e336fdf9de3b11a6150 Mon Sep 17 00:00:00 2001
From: Alexey Gladkov
Date: Sat, 25 Apr 2020 18:01:50 +0300
Subject: ALT: insecure permissions

Signed-off-by: Alexey Gladkov
---
 logrotate.c | 36 ++++++++++++++++++++++++++++++------
 1 file changed, 30 insertions(+), 6 deletions(-)

diff --git a/logrotate.c b/logrotate.c
index 27a864a..24cce46 100644
--- a/logrotate.c
+++ b/logrotate.c
@@ -1376,13 +1376,37 @@ static int findNeedRotating(const struct logInfo *log, unsigned logNum, int forc
 free(logpath);
 return 0;
 }
- /* Don't rotate in directories writable by others or group which is not "root" */
- if ((sb.st_gid != 0 && (sb.st_mode & S_IWGRP)) || (sb.st_mode & S_IWOTH)) {
- message(MESS_ERROR, "skipping \"%s\" because parent directory has insecure permissions"
- " (It's world writable or writable by group which is not \"root\")"
- " Set \"su\" directive in config file to tell logrotate which user/group"
+ /* Don't rotate in insecure directories. */
+ if (sb.st_uid != 0) {
+ message(MESS_ERROR, "skipping \"%s\" because parent"
+ " directory has insecure permissions"
+ " (it's not owned by \"root\");"
+ " consider using \"su\" directive in config"
+ " file to tell logrotate which user/group"
 " should be used for rotation.\n"
- ,log->files[logNum]);
+ , log->files[logNum]);
+ free(logpath);
+ return 1;
+ }
+ if (sb.st_mode & S_IWGRP && !(sb.st_mode & S_ISVTX)) {
+ message(MESS_ERROR, "skipping \"%s\" because parent"
+ " directory has insecure permissions"
+ " (it's group writable and has no sticky bit set);"
+ " consider using \"su\" directive in config"
+ " file to tell logrotate which user/group"
+ " should be used for rotation.\n"
+ , log->files[logNum]);
+ free(logpath);
+ return 1;
+ }
+ if (sb.st_mode & S_IWOTH) {
+ message(MESS_ERROR, "skipping \"%s\" because parent"
+ " directory has insecure permissions"
+ " (it's writable by others);"
+ " consider using \"su\" directive in config"
+ " file to tell logrotate which user/group"
+ " should be used for rotation.\n"
+ , log->files[logNum]);
 free(logpath);
 return 1;
 }
-- 
2.25.4
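Review bot: The sticky-bit exemption in the second new condition, `if (sb.st_mode & S_IWGRP && !(sb.st_mode & S_ISVTX))`, is weaker than the check it replaces for the case it now accepts: a group-writable directory with the sticky bit set passes regardless of which group that is, whereas the removed condition only tolerated group-writability for gid 0, and the sticky bit merely stops other users from unlinking or renaming entries they do not own — it does not stop a group member from pre-creating an entry under a name logrotate will later rename to or open. Whether that is safe therefore depends on how the rotation code (outside this hunk) creates and renames output files, and that assumption should be stated next to the check, e.g. `/* Group-writable is tolerated only with the sticky bit; this assumes rotated files are created with O_CREAT|O_EXCL|O_NOFOLLOW and renamed, never opened in place. */`. It is also inconsistent that the third condition rejects world-writable directories even with the sticky bit while the second accepts group-writable ones with it; if that asymmetry is deliberate, the comment should say so. Minor style: parenthesise the bit test as `(sb.st_mode & S_IWGRP) && !(sb.st_mode & S_ISVTX)` so the `&`/`&&` precedence is explicit, and the three `message(...); free(logpath); return 1;` blocks differ only in one reason string, so a single `const char *reason` chosen by the three tests followed by one message/free/return would remove the duplication. findNeedRotating begins and ends outside this hunk, so I cannot see from here whether this block is still guarded by the `su`/uid check that presumably precedes it.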