Bug 1212955

Summary: [logrotate] error: skipping "/var/log/candlepin/audit.log" because parent directory has insecure permissions
Product: Red Hat Satellite
Reporter: Chris Roberts <chrobert>
Component: Candlepin
Assignee: Barnaby Court <bcourt>
Status: CLOSED ERRATA
QA Contact: Katello QA List <katello-qa-list>
Severity: medium
Priority: medium
Version: 6.1.1
CC: ahumbe, akaiser, akarande, bbuckingham, bkearney, bkurt, brubisch, chorn, cwelton, egolov, erinn.looneytriggs, greartes, howey.vernon, jmatthew, kdixon, mburgerh, mklika, mmccune, mtenheuv, nshaik, pierre-yves.goubet, richard.hornsby, sebastian.ickler, suprabhu, swadeley, tcarlin, tspeetje
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: x86_64
OS: Linux
Fixed In Version: candlepin-0.9.54.6-1
Doc Type: Bug Fix
Last Closed: 2016-07-27 11:34:59 UTC
Type: Bug
Bug Depends On: 1310173
Bug Blocks: 1212602, 1296845

Description Chris Roberts 2015-04-17 18:54:24 UTC
Description of problem:
The following errors get sent to root's email when logrotate runs:

Actual results:
/etc/cron.daily/logrotate:
error: skipping "/var/log/candlepin/audit.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/candlepin/candlepin.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/candlepin/cpdb.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/candlepin/cpinit.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/candlepin/error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/tomcat/catalina.out" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

Expected results:
Log rotate to work

Additional info:

I found this bug was filed upstream already, http://projects.theforeman.org/issues/8777

Here's the patch I applied to my local system.  Could this get added to the next available errata release?

--- /root/tomcat.logrotate      2015-04-08 09:46:51.781143412 -0400
+++ tomcat      2015-04-08 09:45:42.933128364 -0400
@@ -1,4 +1,5 @@
 /var/log/tomcat/catalina.out {
+    su tomcat tomcat
     copytruncate
     weekly
     rotate 52
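
Review bot: the `su tomcat tomcat` line added at the top of the `/var/log/tomcat/catalina.out` stanza hardcodes the user and group with nothing in the file saying why. Add a comment stating that it is needed because the parent directory is writable by a non-root group, and confirm on the target systems that /var/log/tomcat and catalina.out are owned by tomcat:tomcat, since rotation will run with those credentials and a mismatch leaves the file unrotated. Because the stanza keeps `copytruncate`, that account also needs write access to the live file in order to truncate it.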

--- /root/candlepin.logrotate   2015-04-08 09:46:50.330143095 -0400
+++ candlepin   2015-04-08 09:45:31.549125882 -0400
@@ -1,4 +1,5 @@
 /var/log/candlepin/*.log {
+    su tomcat tomcat
     copytruncate
     weekly
     rotate 52
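
Review bot: the glob `/var/log/candlepin/*.log` means the added `su tomcat tomcat` applies to every .log file in the directory, not only the ones tomcat writes. The error output above lists audit.log, candlepin.log, cpdb.log, cpinit.log and error.log; check the ownership of each, because any file that was created by a different account cannot be copied and truncated by tomcat under `copytruncate` and will fail to rotate once this change is in place. If ownership is mixed, split the stanza or correct the file ownership as part of the same fix.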

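An added example, not part of the bug report and not Candlepin or logrotate code: a small Python audit that applies the condition quoted in the error text (parent directory world-writable, or writable by a group other than root) to each logrotate stanza and lists the patterns that have no `su` directive. The directory modes, gid 1001, the closing braces of the stanzas and all helper names are constructed for illustration.

```python
import os
import re
import stat
from types import SimpleNamespace

def parent_is_insecure(mode, gid):
    """Condition named in the error text: world-writable, or writable by a non-root group."""
    return bool(mode & stat.S_IWOTH) or bool(mode & stat.S_IWGRP and gid != 0)

def parse_stanzas(conf):
    """Yield (log path patterns, directive lines) for each '{ ... }' block."""
    for m in re.finditer(r"([^{}]+)\{([^{}]*)\}", conf):
        directives = [l.strip() for l in m.group(2).splitlines() if l.strip()]
        yield m.group(1).split(), directives

def audit(conf, stat_dir=os.stat):
    """Return the patterns that would be skipped: insecure parent and no 'su' directive."""
    skipped = []
    for patterns, directives in parse_stanzas(conf):
        has_su = any(d.split()[0] == "su" for d in directives)
        for pattern in patterns:
            st = stat_dir(os.path.dirname(pattern))
            if parent_is_insecure(st.st_mode, st.st_gid) and not has_su:
                skipped.append(pattern)
    return skipped

# Constructed sample: mode 0775 directories owned by a non-root group (gid 1001 is made up).
FAKE_DIRS = {"/var/log/tomcat": (0o40775, 1001), "/var/log/candlepin": (0o40775, 1001)}
def fake_stat(path):
    mode, gid = FAKE_DIRS[path]
    return SimpleNamespace(st_mode=mode, st_gid=gid)

# Stanzas rebuilt from the lines visible in the patch; the closing braces are assumed.
BEFORE = """
/var/log/tomcat/catalina.out {
    copytruncate
    weekly
    rotate 52
}
/var/log/candlepin/*.log {
    copytruncate
    weekly
    rotate 52
}
"""
AFTER = BEFORE.replace("{\n", "{\n    su tomcat tomcat\n")  # the patch's added line

if __name__ == "__main__":
    print("before:", audit(BEFORE, fake_stat), "after:", audit(AFTER, fake_stat))
```

On a real host, call `audit()` with the contents of a logrotate file and the default `os.stat` to check the actual directories.
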
Comment 1 RHEL Program Management 2015-04-17 19:17:27 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 8 Christian Horn 2015-12-15 09:17:17 UTC
Issue is unchanged in 6.1.4.

Comment 11 Thom Carlin 2016-02-09 19:45:37 UTC
Also occurs in RHCI TP2 RC9

Comment 12 Thom Carlin 2016-03-30 11:01:00 UTC
and also in QCI TP3 RC2

Comment 13 Bryan Kearney 2016-04-13 19:31:53 UTC
*** Bug 1291472 has been marked as a duplicate of this bug. ***

Comment 14 Bryan Kearney 2016-05-16 14:24:07 UTC
This requires candlepin 0.9.54.6 or later.

Comment 15 Bryan Kearney 2016-05-16 15:45:48 UTC
Moving to POST, please pull in 0.9.54.6.

Comment 17 Corey Welton 2016-06-07 20:42:06 UTC
*** Bug 1142677 has been marked as a duplicate of this bug. ***

Comment 18 Corey Welton 2016-06-20 15:48:23 UTC
Appears to be working in SNAP 16.  These messages are no longer appearing in root mail.

Comment 19 Bryan Kearney 2016-07-27 11:34:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501