Bug 1329573

Summary: Candlepin logrotate error on RHEL6
Product: Red Hat Satellite Reporter: Peter Vreman <peter.vreman>
Component: CandlepinAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED ERRATA QA Contact: Katello QA List <katello-qa-list>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.1.8CC: bbuckingham, bkearney, cwelton, ehelms, sthirugn, vrjain
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: candlepin-0.9.54.7-1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1330244 1351652 (view as bug list) Environment:
Last Closed: 2016-07-27 11:18:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1330244    
Bug Blocks: 1122832, 1351652    

Description Peter Vreman 2016-04-22 09:37:38 UTC 
Description of problem:
The fix for BZ1310173 introduced in:

* Thu Mar 10 2016 Alex Wood <awood> 0.9.49.12-1
- removing initialization of pool.entitlements (fnguyen)
- Introducing batching to CRL job to workaround Postgres IN clause limit
  (fnguyen)
- 1310173: Backport logrotate config entry (wpoteat)
- Mass Pool lock (fnguyen)

Causes logrotate failures under RHEL6.7 to be reported through Cron:

-------
From: Anacron [root.hilti.com] 
Sent: Mittwoch, 20. April 2016 05:49
To: root.hilti.com
Subject: Anacron job 'cron.daily' on li-lc-1578

/etc/cron.daily/logrotate:

error: candlepin:2 unknown option 'su' -- ignoring line
error: candlepin:2 unexpected text
-------

vrempet@li-lc-1578 ~
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.7 (Santiago)

vrempet@li-lc-1578 ~
$ rpm -qf /etc/logrotate.d/candlepin
candlepin-0.9.49.12-1.el6.noarch



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install candlepin-0.9.49.12-1.el6.noarch on RHEL6.7
2. Exeute:
$ sudo logrotate /etc/logrotate.conf
error: candlepin:2 unknown option 'su' -- ignoring line
error: candlepin:2 unexpected text

3.

Actual results:
Error

Expected results:
Success

Additional info:
Comment 1 Peter Vreman 2016-04-22 09:43:37 UTC 
RHEL6.7 provides:

vrempet@li-lc-1578 ~
$ rpm -q logrotate
logrotate-3.7.8-26.el6_7.x86_64


The used 'su' command is only introduced in 3.8.0 of logrotate:

3.7.9 -> 3.8.0
        - added "dateyesterday" option (see man page)
        - fixed crash when config file had exactly 4096*N bytes
        - added WITH_ACL make option to link against -lacl and preserve ACLs
          during rotation
        - added "su" option to define user/group for rotation. Logrotate now
          skips directories which are world writable or writable by group
          which is not "root" unless "su" directive is used.
        - fixed CVE-2011-1098: race condition by creation of new files
        - fixed possible shell injection when using "shred" directive (CVE-2011-1154)
        - fixed escaping of file names within 'write state' action (CVE-2011-1155)
        - better 'size' directive description
        - fixed possible buffer-overflow when reading config files
        - NetBSD/FreeBSD compilation fixes
        - Solaris compilation fixes
Comment 4 Corey Welton 2016-06-20 16:01:52 UTC 
*** Bug 1343758 has been marked as a duplicate of this bug. ***
Comment 5 Peter Vreman 2016-06-21 07:06:45 UTC 
This is NOT correctly fixed yet in Sat6.2.0 Beta2.
There is logic in the logrotate file, but somehow it is not working the su line is still kept active:

[crash] root@li-lc-1578:~# rpm -q candlepin
candlepin-0.9.54.6-1.el6.noarch

[crash] root@li-lc-1578:~# cat /etc/logrotate.d/candlepin
/var/log/candlepin/*.log {
# logrotate 3.8 requires the su directive,
# where as prior versions do not recognize it.
#LOGROTATE-3.8#    su tomcat tomcat
    su tomcat tomcat
    copytruncate
    daily
    rotate 52
    compress
    missingok
    create 0644 tomcat tomcat
}
Comment 6 vritant 2016-06-21 17:59:39 UTC 
Ehelms,
my bad, I have updated the fixed in version appropriately. does this mean we need to revert the state of this bug, or is candlepin-0.9.54.7-1 in a build already?
Comment 9 Bryan Kearney 2016-07-27 11:18:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501