Bug 1142677

Summary: Candlepin logrotate reports insecure permissions
Product: Red Hat Satellite
Reporter: Sebastian Ickler <sebastian.ickler>
Component: Candlepin
Assignee: Barnaby Court <bcourt>
Status: CLOSED DUPLICATE
QA Contact: Katello QA List <katello-qa-list>
Severity: low
Priority: unspecified
Version: 6.0.4
CC: akaiser, alikins, bcourt, bkearney, brsmith, chrobert, cwelton, dcleal, egolov, erinn.looneytriggs, knovakov, mmccune, mstead, psuriset, sebastian.ickler, tcarlin
Target Milestone: Unspecified
Keywords: Reopened, Triaged
Target Release: Unused
Hardware: All
OS: Linux
Fixed In Version: candlepin-0.9.54.6-1
Doc Type: Bug Fix
Last Closed: 2016-06-07 20:42:06 UTC
Type: Bug
Bug Depends On: 1310173

Description Sebastian Ickler 2014-09-17 08:00:41 UTC
Description of problem:
logrotate reports the following message when processing some Satellite-related logfiles:

---%<---

/etc/cron.daily/logrotate:

error: skipping "/var/log/candlepin/audit.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/candlepin/candlepin.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/candlepin/cpdb.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/candlepin/cpinit.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/candlepin/error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/tomcat/catalina.out" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

---%<---

Seems like there is a parameter in the config files missing.

Version-Release number of selected component (if applicable):
Satellite 6.0.4 on RHEL7

How reproducible:
Install Satellite 6.0.4
Wait for the daily logrotate

Steps to Reproduce:
-

Actual results:
-

Expected results:
No message of possible wrong permissions

Additional info:
-

Comment 1 RHEL Program Management 2014-09-17 08:03:02 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 3 Adrian Likins 2014-10-03 17:46:11 UTC
(In reply to Sebastian Ickler from comment #0)

> /etc/cron.daily/logrotate:
> 
> error: skipping "/var/log/candlepin/audit.log" because parent directory has

> error: skipping "/var/log/tomcat/catalina.out" because parent directory has

On systems showing this, what are the perms of /var/log/candlepin and /var/log/tomcat? I.e., output of:

    stat /var/log/tomcat/ /var/log/candlepin/

Comment 4 Adrian Likins 2014-10-03 18:26:19 UTC
I think this may be related to an upstream logrotate change:

https://fedorahosted.org/logrotate/changeset?reponame=&new=449%40trunk&old=448%40trunk

> Return an error code when parent directory of log does not exists
> "su" directive is not used, logrotate is running as root and missingok is not
> specified. [vcizek]

Comment 5 Adrian Likins 2014-10-03 19:45:33 UTC
Also, what logrotate version?

Comment 6 Sebastian Ickler 2014-10-06 07:14:28 UTC
Here's the stat:

[root@host ~]# stat /var/log/tomcat/ /var/log/candlepin/
  File: ‘/var/log/tomcat/’
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: fd05h/64773d    Inode: 34676917    Links: 2
Access: (0775/drwxrwxr-x)  Uid: (    0/    root)   Gid: (   91/  tomcat)
Access: 2014-08-04 21:07:07.000000000 +0200
Modify: 2014-09-24 13:03:18.065207849 +0200
Change: 2014-09-24 13:03:18.065207849 +0200
 Birth: -
  File: ‘/var/log/candlepin/’
  Size: 90              Blocks: 0          IO Block: 4096   directory
Device: fd05h/64773d    Inode: 34634985    Links: 2
Access: (0775/drwxrwxr-x)  Uid: (   91/  tomcat)   Gid: (   91/  tomcat)
Access: 2014-08-07 20:35:01.000000000 +0200
Modify: 2014-09-24 13:03:25.705139371 +0200
Change: 2014-09-24 13:03:25.705139371 +0200
 Birth: -

Comment 7 Sebastian Ickler 2014-10-06 07:16:14 UTC
[root@host ~]# logrotate -v
logrotate 3.8.6 - Copyright (C) 1995-2001 Red Hat, Inc.
This may be freely redistributed under the terms of the GNU Public License

Comment 8 Sebastian Ickler 2014-10-06 07:17:11 UTC
Whoops, I'm a bit trigger-happy today... :)

[root@host ~]# rpm -qa |grep logrotate
logrotate-3.8.6-4.el7.x86_64

Comment 9 Adrian Likins 2014-10-09 20:10:10 UTC
pr at https://github.com/candlepin/candlepin/pull/734

Comment 11 Michael Stead 2015-02-19 13:49:21 UTC
Looks like this was fixed as per Comment 9

Comment 12 Michael Stead 2015-04-07 18:08:32 UTC
*** Bug 1190943 has been marked as a duplicate of this bug. ***

Comment 13 Tazim Kolhar 2015-04-27 09:29:02 UTC
hi

please provide verification steps

thanks

Comment 14 Adrian Likins 2015-05-12 14:24:37 UTC
1. Install candlepin 0.9.32-1 or older on a RHEL 7 Server.
   (candlepin-0.9.23-1.el7.noarch.rpm is in Satellite-6.0.4 mentioned in bug)

2. Verify /var/log/candlepin is owned by tomcat.tomcat.
3. Install logrotate-3.8.6-4.el7.x86_64
4. sudo logrotate -v -f /etc/logrotate/candlepin
(See errors in description)


1. Install updates
2. sudo logrotate -v -f /etc/logrotate/candlepin
(See successful logrotate)

Comment 15 Tazim Kolhar 2015-06-15 10:41:08 UTC
VERIFIED:
Install Satellite 6.0.4 from the iso

steps
1. Install candlepin 0.9.32-1 or older on a RHEL 7 Server.
   (candlepin-0.9.23-1.el7.noarch.rpm is in Satellite-6.0.4 mentioned in bug)

2. Verify /var/log/candlepin is owned by tomcat.tomcat.
3. Install logrotate-3.8.6-4.el7.x86_64
4. sudo logrotate -v -f /etc/logrotate/candlepin
(See errors in description)


1. Install updates
2. sudo logrotate -v -f /etc/logrotate/candlepin

successful logrotate

Comment 16 Bryan Kearney 2015-08-11 13:22:18 UTC
This bug is slated to be released with Satellite 6.1.

Comment 17 Bryan Kearney 2015-08-12 13:57:41 UTC
This bug was fixed in version 6.1.1 of Satellite which was released on 12 August, 2015.

Comment 18 Pradeep Kumar Surisetty 2015-11-21 18:30:56 UTC
This is reproducible on latest release too. 6.1.4 on RHEL 7.1
Seems like regression. 

candlepin version
candlepin-0.9.49.9-1.el7.noarch

logrotate version
logrotate-3.8.6-4.el7.x86_64

logrotate -v -f /etc/logrotate.d/candlepin
---%<---

error: skipping "/var/log/candlepin/audit.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
considering log /var/log/candlepin/candlepin.log
error: skipping "/var/log/candlepin/candlepin.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
considering log /var/log/candlepin/cpdb.log
error: skipping "/var/log/candlepin/cpdb.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
considering log /var/log/candlepin/cpinit.log
error: skipping "/var/log/candlepin/cpinit.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
considering log /var/log/candlepin/error.log
error: skipping "/var/log/candlepin/error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
set default create context

---%<---


stat /var/log/tomcat/ /var/log/candlepin/
  File: ‘/var/log/tomcat/’
  Size: 4096      	Blocks: 8          IO Block: 4096   directory
Device: fd01h/64769d	Inode: 3222189579  Links: 2
Access: (0775/drwxrwxr-x)  Uid: (    0/    root)   Gid: (   91/  tomcat)
Context: system_u:object_r:tomcat_log_t:s0
Access: 2015-03-24 19:50:20.000000000 -0400
Modify: 2015-11-17 02:29:38.120996953 -0500
Change: 2015-11-17 02:36:04.204524070 -0500
 Birth: -
  File: ‘/var/log/candlepin/’
  Size: 90        	Blocks: 0          IO Block: 4096   directory
Device: fd01h/64769d	Inode: 3222083551  Links: 2
Access: (0775/drwxrwxr-x)  Uid: (   91/  tomcat)   Gid: (   91/  tomcat)
Context: system_u:object_r:var_log_t:s0
Access: 2015-11-21 03:35:01.259569143 -0500
Modify: 2015-11-17 02:39:11.311152755 -0500
Change: 2015-11-17 02:39:11.311152755 -0500
 Birth: -
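
The condition named in the error message, written out as an added example that is not part of the original thread or of the Candlepin fix: rotation is skipped when the parent directory is world writable, or group writable by a group other than root, and the config has no "su" directive. The function names are hypothetical, `has_su` only checks whether the file contains the directive anywhere, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the bug thread): audit log directories against the
# condition quoted in logrotate's "insecure permissions" error.

# insecure_parent MODE GID: succeed if the directory is world writable, or
# group writable while owned by a group other than root (gid 0).
insecure_parent() {
    mode=$((0$1))                                  # "775" is read as octal 0775
    [ $((mode & 0002)) -ne 0 ] && return 0         # world writable
    [ $((mode & 0020)) -ne 0 ] && [ "$2" -ne 0 ] && return 0   # group writable, gid != 0
    return 1
}

# has_su FILE: succeed if the logrotate config has an uncommented
# "su <user> <group>" line (simplification: global and per-stanza alike).
has_su() {
    grep -Eq '^[[:space:]]*su[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+' "$1"
}

# audit CONFIG DIR...: print one line per directory; return nonzero if any
# directory would be skipped (1) or could not be read (2).
audit() {
    conf=$1; shift; rc=0
    for dir in "$@"; do
        perms=$(stat -c '%a %g' "$dir") || { rc=2; continue; }
        m=${perms% *}; g=${perms#* }
        if insecure_parent "$m" "$g" && ! has_su "$conf"; then
            echo "SKIP $dir (mode $m, gid $g): no su directive in $conf"
            rc=1
        else
            echo "OK   $dir (mode $m, gid $g)"
        fi
    done
    return $rc
}

# Values from the stat output in this thread: both directories are 0775
# with gid 91 (tomcat), so each one trips the group-writable test.
if insecure_parent 775 91; then
    echo "mode 0775, gid 91: rotation needs a su directive"
fi
```

On an affected host this would be run as `audit /etc/logrotate.d/candlepin /var/log/candlepin /var/log/tomcat`.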

Comment 20 Bryan Kearney 2016-05-16 14:23:42 UTC
This requires candlepin 0.9.54.6 or later.

Comment 21 Bryan Kearney 2016-05-16 15:45:33 UTC
Moving to POST, please pull in 0.9.54.6.

Comment 23 Corey Welton 2016-06-07 20:42:06 UTC
Closing this as it is effectively a dupe of https://bugzilla.redhat.com/show_bug.cgi?id=1212955

*** This bug has been marked as a duplicate of bug 1212955 ***