tmpreaper (1.6.14+deb10u1) buster; urgency=medium

  * Non-maintainer upload with maintainer approval.
  * Add `--protect '/tmp/systemd-private*/*'` to cron job to prevent
    breaking systemd services that have PrivateTmp=true (closes: #881725).

 -- Thijs Kinkhorst  Mon, 16 Sep 2019 07:15:24 +0000

tmpreaper (1.6.14) unstable; urgency=medium

  * Upload to unstable to fix the race condition described in CVE-2019-3461:
    There was a race condition when tmpreaper was testing for a (bind)
    mount, which was done via rename() which could potentially lead to a
    file being placed elsewhere on the filesystem hierarchy (e.g.
    /etc/cron.d/) if the directory being cleaned up was on the same
    physical filesystem.
    This has been fixed by using an alternative way of looking for bind
    mounts using code from mountpoint (from the util-linux package).
    closes: #918956

 -- Paul Slootman  Fri, 11 Jan 2019 13:27:15 +0100

tmpreaper (1.6.13+nmu1+deb9u1) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * There was a race condition when tmpreaper was testing for a (bind)
    mount, which was done via rename() which could potentially lead to a
    file being placed elsewhere on the filesystem hierarchy (e.g.
    /etc/cron.d/) if the directory being cleaned up was on the same
    physical filesystem.
    This has been fixed by using an alternative way of looking for bind
    mounts using code from mountpoint (from the util-linux package).

 -- Paul Slootman  Sat, 05 Jan 2019 16:25:06 +0100

tmpreaper (1.6.13+nmu1) unstable; urgency=low

  * Non-maintainer upload.
  * Fix pending l10n issues. Debconf translations:
    - Danish (Joe Hansen). Closes: #581718

 -- Christian Perrier  Wed, 04 Aug 2010 23:50:07 -0400

tmpreaper (1.6.13) unstable; urgency=low

  * debconf config script could exit with status 30.

 -- Paul Slootman  Thu, 17 Sep 2009 16:31:22 +0200

tmpreaper (1.6.12) unstable; urgency=low

  * Ignore any \+.*$ component in the version number when checking for the
    correct version number in configure.ac, to allow for NMUs.
    closes:#493405
  * Updated the tmpreaper.conf manpage to document TMPREAPER_DELAY and
    TMPREAPER_ADDITIONALOPTIONS. closes:#510754
  * Added Swedish debconf translation from Martin Bagge. closes:#508753
  * Added Japanese debconf translation from Hideki Yamane. closes:#522843
  * Added Italian debconf translation from Luca Monducci. closes:#544596
  * Updated Standards-Version to 3.8.3.0 (no further change necessary).
  * Bumped debhelper compat level to 5.

 -- Paul Slootman  Thu, 17 Sep 2009 14:46:44 +0200

tmpreaper (1.6.11) unstable; urgency=low

  * Really allow --runtime=0 as described in the manpage (previously a
    minimum of 5 was enforced).

 -- Paul Slootman  Mon, 06 Oct 2008 14:06:54 +0200

tmpreaper (1.6.10) unstable; urgency=low

  * Updated Czech debconf translation from Miroslav Kure. closes:#439273
  * Updated French debconf translation from Michel Grentzinger.
  * Added Galician debconf translation from Jacobo Tarrio. closes:#481981
  * Added Basque debconf translation from Piarres Beobide. closes:#482024
  * Added Russian debconf translation from Yuri Kozlov. closes:#482292
  * Handle "infinity" in /etc/default/rcS for TMPTIME. closes:#478136
  * Properly update the version output from "tmpreaper -h".
  * Updated Standards-Version to 3.7.3.0

 -- Paul Slootman  Thu, 22 May 2008 16:23:29 +0200

tmpreaper (1.6.9) unstable; urgency=low

  * Updated Spanish Debconf translation from Javier Fernández-Sanguino
    Peña. closes:#438832
  * Moving the shell code to the cron.daily script introduced an annoying
    but harmless bug (tmpreaper doesn't run). Fixed that. closes:#439003
  * Updated policy version.

 -- Paul Slootman  Tue, 21 Aug 2007 11:15:57 +0200

tmpreaper (1.6.8) unstable; urgency=low

  * Shell code has been removed from the tmpreaper.conf file, now only
    variables are set there. Processing has moved to the cron.daily
    script, thanks to Mike Fedyk. closes:#196288
  * The abovementioned shell code failed if /etc/default/rcS doesn't exist
    (and hence $TMPTIME wasn't getting set).
    Applied patch from Maxim Doucet to only check the value if the grep
    showed it exists (very logical of course :-) closes:#435820
  * Let the maximum initial delay before processing be specified via the
    tmpreaper.conf file, and overridable via the command line when running
    the cron.daily script manually. closes:#374977
  * Corrected logic in checking for conflicting options, by applying patch
    supplied by Martin Dickopp (thanks!) closes:#353477
  * Updated manpage example for protecting X sockets to correspond to
    what's actually used in the cron.daily script (although both expand to
    the same thing). Prompted by #383967.
  * Updated manpage http links to articles as the reasons for tmpreaper's
    existence. closes:#355889
  * Fixed typos in README.security. closes:#370668
  * Portuguese Debconf translation from Pedro Ribeiro. closes:#425171
  * Updated German Debconf translation from Helge Kreutzmann.
    closes:#426021
  * Spanish Debconf translation from Javier Fernández-Sanguino Peña.
    closes:#437380
  * Give Joey Hess credit for his text I quoted in README.security.
    closes:#353355
  * Updated the language in the debconf template, and fixed a typo.
    closes:#353261,#401214

 -- Paul Slootman  Fri, 17 Aug 2007 10:40:24 +0200

tmpreaper (1.6.7) unstable; urgency=low

  * Non-maintainer upload to fix pending l10n bugs.
  * Add a binary-indep target to debian/rules. Closes: #395754
  * Debconf translations:
    - German. Closes: #367881

 -- Christian Perrier  Tue, 13 Feb 2007 22:40:09 +0100

tmpreaper (1.6.6) unstable; urgency=low

  * Add --runtime option, for those cases where it's known that it may take
    a very long time to run. Thanks to Jaap Eldering for the patch,
    although I took a slightly different approach (short option -T instead
    of -r, as -r is often associated with recursive). closes:#332757
  * Check whether a subdirectory is a bind mount on the same file system to
    prevent unfortunate accidents that won't otherwise be prevented by the
    "not switching file systems" check. Patch from Eric Lammerts.
    closes:#237194
  * Add alternate dependency of debconf-2.0. closes:#332119
  * Updated version string and usage message. closes:#236563
  * Using --mtime together with --ctime makes no sense, so check for that
    combination and bail out if detected.
  * Added Czech debconf translation, thanks to Miroslav Kure.
    closes:#273523
  * Added Vietnamese debconf translation, thanks to Clytie Siddall.
    closes:#322312
  * Corrected debconf template text. closes:#322311
  * "--test --verbose=0 --showdeleted" will now show a list of files and
    directories that would (probably) have been deleted. closes:#236565
  * Updated policy version.

 -- Paul Slootman  Thu, 02 Feb 2006 12:42:15 +0100

tmpreaper (1.6.5) unstable; urgency=low

  * Use /dev/urandom instead of /dev/random to prevent blocking when
    entropy pool is empty. This probably makes it harder to subvert the
    random delay by emptying the entropy pool before the run is
    scheduled... closes:#216803
  * Don't only include fcntl.h on linux, is pretty standard and needed for
    compilation e.g. on Solaris.
  * make 'missing' a real file, instead of a symlink to /usr/share/....
  * Use ext2_fs.h from e2fs-libs-dev instead of libc6-dev, since the last
    one is now useless due to changes in the way kernel headers are
    included there. This means a Build-Depends is added on e2fslibs-dev.
    closes:#223222
  * Fixed manpage, which had not been updated when fixing bug 195262. This
    is about whether the delay depends on being connected to a tty or not.
    closes:#222681
  * Fixed shell quoting in cron.daily script. closes:#206106

 -- Paul Slootman  Mon, 08 Dec 2003 12:50:11 +0100

tmpreaper (1.6.4) unstable; urgency=low

  * Added fr.po translation of debconf templates. closes:#201340

 -- Paul Slootman  Mon, 21 Jul 2003 09:56:35 +0200

tmpreaper (1.6.3) unstable; urgency=low

  * Switched to gettext for the debconf templates, thanks to patch supplied
    with the bug report. closes:#200581
  * Applied patch to fix typos in patch for #200581.
    closes:#200622

 -- Paul Slootman  Mon, 14 Jul 2003 13:14:31 +0200

tmpreaper (1.6.2) unstable; urgency=low

  * Added a TMPREAPER_ADDITIONALOPTIONS variable to tmpreaper.conf for
    passing additional options (duh) to tmpreaper. closes:#169832
  * Added an option --showdeleted to make tmpreaper output what it has
    done. The output is in the form of shell commands, i.e.
    "rm /tmp/bla/file", "rmdir /tmp/bla". closes:#174228
  * Added an option --delay to make the delay at the beginning of execution
    configurable, instead of relying on whether stdin is a tty or not.
    Also added this option to the invocation in the cron.daily script.
    closes:#195262
  * In the daily cron output, mention that /etc/tmpreaper.conf needs to be
    edited to remove the message about README.security.gz in the daily
    cron output. closes:#195666

 -- Paul Slootman  Mon, 2 Jun 2003 10:39:21 +0200

tmpreaper (1.6.1) unstable; urgency=low

  * Fix handling of large files (the bigger than 2GB ones). closes:#139125
  * Don't call autoconf, automake routinely from debian/rules. This only
    needs to be done when changing something in configure.ac or so. Hence
    can remove autoconf, automake from build-depends. closes:#137604
  * -a option shouldn't expect an argument, so fixed the getopt thing.
    closes:#137600
  * Don't display the warning about having to upgrade the cron.daily script
    if this is a fresh install. closes:#167783
  * Don't let the cron.daily script run by default; the administrator needs
    to enable it via a setting in /etc/tmpreaper.conf which indicates
    he/she understands the possible security implications of having
    tmpreaper run automatically. Also show a debconf note to that effect.
    closes:#174307
  * In /etc/tmpreaper.conf, use the TMPTIME value from /etc/default/rcS if
    available. This means that the age of files in /tmp is now basically
    determined in just one place (/etc/default/rcS) instead of two, which
    is a bit simpler.
    It may cause some confusion for those who have changed the value in
    tmpreaper.conf, though; so a debconf note is shown if tmpreaper.conf
    contains a non-default value. closes:#128585
  * When not running from a tty, delay before processing for a random
    amount of time to make it harder for attackers.
  * Run for a maximum of 55 seconds, to thwart attackers who try to delay
    its processing to take advantage of possible race conditions.

 -- Paul Slootman  Wed, 21 May 2003 16:33:04 +0200

tmpreaper (1.6.0) unstable; urgency=low

  * Added --ctime option to make tmpreaper also check the ctime in addition
    to the atime. This is useful where the directory is accessible as a
    Samba share, as DOS PCs (including all the incarnations of Windows)
    will preserve the original mtime _and_ atime when copying files on
    such a share. This meant that recently copied files could disappear
    the next night. This is IMHO significant enough for a minor number
    bump... closes:#126143
  * Added --ctime option to tmpreaper invocation in
    /etc/cron.daily/tmpreaper
  * Improved some of the comments in /etc/cron.daily/tmpreaper to more
    accurately reflect the /etc/tmpreaper.conf situation.
  * Changed way default settings are done in cron.daily script, so that an
    empty conf file won't cause the defaults to be skipped. Also part of
    bug 126143.
  * Added tmpreaper.conf manpage.
  * Added German translation to debconf templates. closes:#128896

 -- Paul Slootman  Tue, 5 Mar 2002 14:42:19 +0100

tmpreaper (1.5.1) unstable; urgency=high

  * The new automake / autoconf stuff led to tmpreaper being installed into
    /usr/bin instead of /usr/sbin, which in turn leads the cron script to
    never execute tmpreaper. Oops. Hence this fix should be added to the
    archives ASAP. closes:#124174
  * Local additions to the way tmpreaper runs can now be made via the
    /etc/tmpreaper.conf file, where the file age, extra protect patterns
    and which directories to reap can be specified. There's a debconf note
    now explaining this when tmpreaper is installed.
    For this, "set -f" is used to prevent the shell from globbing any
    patterns. AFAIK this is POSIX, ash at least understands this.

 -- Paul Slootman  Sun, 2 Dec 2001 22:59:13 +0100

tmpreaper (1.5.0) unstable; urgency=low

  * Added getopt.c, getopt1.c, getopt.h so that it can be compiled without
    difficulty on non-linux systems (tested on Solaris). However, you lose
    the capability of using braces in your --protect patterns as glob()
    functions on other (non-linux) platforms don't offer that.
    Bumped the second number in the version to reflect this significant
    change.
  * Added autoconf stuff to figure out whether getopt.c etc. are needed,
    the braces thing in glob(), and more. Hence also included stuff like
    INSTALL, missing, and the other autoconf stuff.
    It now builds and runs on Solaris and NetBSD as well!
  * Use "exit(x)" instead of "return x" to terminate the forked processes,
    otherwise weird stuff happened on NetBSD; it seems the processes
    didn't in fact exit.
  * Changed priority to optional to comply with the overrides. Last time
    that change somehow got lost...
  * Ignore files that are marked immutable in ext2/ext3. This is a more
    generic workaround for ext3's journal file which now has a new name,
    and probably also makes sense for other files as well. closes:#122090
  * Exclude quota.user and quota.group. Why can't these be stored in a
    "standard" place (/var/state/quota/ ?)... I see no technical reason
    why not. Oh well. closes:#100675

 -- Paul Slootman  Sun, 2 Dec 2001 12:49:03 +0100

tmpreaper (1.4.14) unstable; urgency=low

  * Changed priority to optional to comply with the overrides.
  * cron.daily file has /tmp/. instead of /tmp to accommodate /tmp being a
    symlink to some other directory. closes:#62791
  * Patches from Marcus Brinkmann to build on HURD. I hacked around this so
    that it should work as before on non-glibc systems. closes:#105433
  * Added journal.dat to the list of protected files (ext3 journal, Bad
    Things apparently happen if that is removed).
    closes:#63655
    It took so long for this (trivial) bug to be closed because it was
    first reported on tmpwatch, and was reassigned to tmpreaper after all
    discussion had taken place. This meant I got zero notification about
    this bug via email, which sucks. I don't use the web pages very
    often...

 -- Paul Slootman  Wed, 25 Jul 2001 15:26:04 +0200

tmpreaper (1.4.13) unstable; urgency=medium

  * close dirhandle after using it. closes:#71660
  * fix checking for '.' and '..', which fixes a possibility of a directory
    being assumed empty while it wasn't. closes:#99507
  * Added debhelper to Build-Depends.
  * Updated Standards-Version: to 3.5.
  * Added README for non-debian users, and updated LSM entry, and uploaded
    to sunsite. Also renamed ChangeLog to ChangeLog.old, as that hadn't
    been updated for some time. This debian changelog is now the
    "official" changelog.

 -- Paul Slootman  Sat, 2 Jun 2001 11:38:09 +0200

tmpreaper (1.4.12) stable unstable; urgency=high

  * Limit fork recursion to foil deep directory nesting attack.
    closes:#71249

 -- Paul Slootman  Tue, 12 Sep 2000 11:56:27 +0200

tmpreaper (1.4.11) unstable; urgency=low

  * Handle filenames of the form ".a" correctly, not like "..". Oops.
    closes:#53245
  * Exclude lost+found in the example cron script. closes:#53285

 -- Paul Slootman  Wed, 22 Dec 1999 17:44:21 +0100

tmpreaper (1.4.10) unstable; urgency=low

  * Updated Standards-Version to 3.0.1.
  * Fixed a formatting error in the manpage.

 -- Paul Slootman  Wed, 27 Oct 1999 18:22:40 +0200

tmpreaper (1.4.9) unstable; urgency=low

  * Added --mtime-dir option to use mtime checking for directories only,
    which don't get removed when atime checking is used (reading the
    directory updates the atime!). closes:#34522
  * Put -mtime-dir into default cron entry.

 -- Paul Slootman  Wed, 7 Apr 1999 09:50:57 +0200

tmpreaper (1.4.8) unstable; urgency=low

  * New maintainer.
  * Updated Standards-Version to 2.4.1.4.
  * Changed priority to extra, as you really only need this package if you
    have specialised requirements (i.e. a system with untrusted users).
  * Nothing significant changed, a couple of messages fixed to be more
    similar to the rest.
  * Converted C++ - style comments to plain C comments, as this isn't C++
    source.

 -- Paul Slootman  Mon, 14 Sep 1998 15:04:09 +0200

tmpreaper (1.4.7) frozen unstable; urgency=low

  * Apply bugfixes from Jorg Schuler. See ChangeLog.
    (Fixes:#22903,#22934)
  * Jorg Schuler's patch also protects `.iroha' and `.ki2' (are they files
    or sockets?) in /tmp.
  * New function `dir_empty_p'; check that a dir is empty prior to rmdir().
    (Fixes:#22770)

 -- Karl M. Hegbloom  Sat, 30 May 1998 09:15:20 -0700

tmpreaper (1.4.6) frozen unstable; urgency=high

  * Also send into the freezer with hamm.
  * Fixed one lintian warning, and one lintian error.

 -- Karl M. Hegbloom  Sun, 17 May 1998 18:59:48 -0700

tmpreaper (1.4.5) unstable; urgency=low

  * Implement the `--mtime' switch: (Fixes #19519)

 -- Karl M. Hegbloom  Sun, 17 May 1998 17:32:41 -0700

tmpreaper (1.4.4) frozen unstable; urgency=high

  * (tmpreaper.c): Updated the year in copyright statement.
    - Added a missing newline to a message string in a rare fatal error.
    - Remembered args to flag test macros.
  * (tmpreaper.8): Split the overly complex brace expansion in the example
    into two separate --protect clauses. (Fixes #22528)
  * Further changes in ChangeLog.

 -- Karl M. Hegbloom  Sun, 17 May 1998 11:47:47 -0700

tmpreaper (1.4.3-2) unstable; urgency=low

  * No need to line-buffer stderr.

 -- Karl M. Hegbloom  Tue, 3 Feb 1998 15:59:12 -0800

tmpreaper (1.4.3-1) unstable; urgency=low

  * Use line-buffered I/O for stdout and stderr, so that even when the
    output is being piped to a file, it gets flushed after a newline.
    (see: APUE pp. 189-190) Bug pointed out by Joey Hess.

 -- Karl M. Hegbloom  Mon, 26 Jan 1998 19:55:43 -0800

tmpreaper (1.4.2-1) unstable; urgency=low

  * Put single quotes around in help output.
  * Start bumping the right version number. (I'll learn.)

 -- Karl M. Hegbloom  Fri, 23 Jan 1998 03:30:54 -0800

tmpreaper (1.4.1-4) unstable; urgency=low

  * Removed `-m386 -malign-double' from CFLAGS in Makefile, fixes #16607
  * Added `build-stamp' to the `dh_clean' line in `debian/rules clean'
    Fixes #16608.

 -- Karl M. Hegbloom  Fri, 9 Jan 1998 12:03:07 -0800

tmpreaper (1.4.1-3) unstable; urgency=low

  * Changed architecture from i386 to any. It should work fine on the
    non-intel ports.
  * Address to @debian.org rather than @bittersweet.

 -- Karl M. Hegbloom  Mon, 22 Dec 1997 20:10:25 -0800

tmpreaper (1.4.1-2) unstable; urgency=low

  * Added `Replaces: tmpwatch' to fix bug #15732

 -- Karl M. Hegbloom  Tue, 9 Dec 1997 03:09:49 -0800

tmpreaper (1.4.1-1) unstable; urgency=low

  * Renaming from `tmpwatch' to `tmpreaper' to split away from RedHat, who
    released a `tmpwatch-1.4' that had zero of the patches I sent them.

 -- Karl M. Hegbloom  Sun, 7 Dec 1997 13:42:03 -0800

tmpwatch (1.4-2) unstable; urgency=low

  * Put under CVS, and begin to use `cvs-buildpackage', I hope.
  * Removed `--test' switch in "/etc/cron.daily/tmpwatch"
  * Updated the description in the control file -- I am letting the
    installer know about the cron script and what it will do, and am
    soliciting feedback regarding the cron script.
  * Moved to section admin, priority optional. Should this program be
    base/standard?
  * RedHat 5.0 is shipping `tmpwatch-1.4'; they've accepted my changes. :-)

 -- Karl M. Hegbloom  Thu, 4 Dec 1997 13:28:27 -0800

tmpwatch (1.4-1) unstable; urgency=low

  * Default the timespec back to hours, and make it so a suffix can be
    tacked onto it: `d', `h', `m', or `s' for days, hours, minutes, or
    seconds. With no suffix, the time is in hours, to remain compatible
    with `tmpwatch-1.2'.
  * Update the cron.daily script to use the new syntax, and add `--verbose'
    for more copious output.
  * Updated the manual to reflect the change.

 -- Karl M. Hegbloom  Sun, 16 Nov 1997 23:53:44 -0800

tmpwatch (1.3-2) unstable; urgency=low

  * I goofed and tried to use `' around things in the echo statements of
    the cron.daily script. It's fixed now, no other changes.

 -- Karl M. Hegbloom  Sat, 15 Nov 1997 17:06:52 -0800

tmpwatch (1.3-1) unstable; urgency=high

  * Converted from RPMS source format to Debian/GNU/SPI source format using
    `alien'.
  * Added "#include " to fix compiler warning.
  * Wrote a simple "cron.daily" script.
  * Changed `grace' arg spec from "in hours" to "in seconds".
  * Added `--help' option and defaulted arg switch to `usage()'
  * Added "pretending to..." messages when `--test' is defined.
  * Improved the `message()' function.
  * Fixed `--test' so it actually functions instead of removing files.
  * Added `--protect' option to protect files matching a glob pattern from
    deletion. Meant for preventing the deletion of the X lock file and its
    Linux domain sockets.
  * Added `--symlinks' option to have it rm symlinks too.
  * Made `safe_chdir()' message when it refuses to cross a symlink, instead
    of defaulting and printing a cryptic message about an "intrusion
    attempt".
  * Improved Makefile and debian/rules
  * Modified manual page to reflect changes, and did some editing.
  * Much re-working and code reformatting... the diff is larger than the
    original source.
  * Please check my work and don't be afraid to report bugs. I'm new at
    this.

 -- Karl M. Hegbloom  Sat, 15 Nov 1997 16:16:57 -0800