Bug 1559801
| Summary: | [Ganesha] : logrotate cron task skips ganesha logs since /var/log/ganesha is world writable. | ||
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat Gluster Storage | Reporter: | Ambarish <asoman> |
| Component: | nfs-ganesha | Assignee: | Kaleb KEITHLEY <kkeithle> |
| Status: | CLOSED ERRATA | QA Contact: | Manisha Saini <msaini> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rhgs-3.4 | CC: | amukherj, bturner, dang, ffilz, jthottan, kkeithle, mbenjamin, rhinduja, rhs-bugs, skoduri, storage-qa-internal |
| Target Milestone: | --- | ||
| Target Release: | RHGS 3.4.0 | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | nfs-ganesha-1.5.5-5 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-09-04 06:54:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1503137 | ||
Description
Ambarish
2018-03-23 10:01:01 UTC
Missing su here :
[root@gqas013 ~]# cat /etc/logrotate.d/ganesha
/var/log/ganesha/ganesha.log {
weekly
rotate 52
copytruncate
dateext
compress
missingok
}
[root@gqas013 ~]# cat /etc/logrotate.d/ganesha-gfapi
/var/log/ganesha/ganesha-gfapi.log {
weekly
rotate 52
copytruncate
dateext
compress
missingok
}
[root@gqas013 ~]#
Would adding su ganesha ganesha fix it? (I can give this a try later today)
Yeah, you can try that. Make sure to add it in the beginning. Perform systemctl daemon-load post that. Then see whether log rotate works using the logrotate command: logrotate -f /etc/logrotate.d/ganesha
I'll have this by Thurs EOD.
This doesn't seem to work :
[root@gqas016 ~]# logrotate -f /etc/logrotate.d/ganesha
error: error opening /var/log/ganesha/ganesha.log: Permission denied
[root@gqas016 ~]#
[root@gqas016 ~]# cat /etc/logrotate.d/ganesha
/var/log/ganesha/ganesha.log {
su ganesha ganesha
weekly
rotate 52
copytruncate
dateext
compress
missingok
}
Anything else I can try?
I will set the mode correctly on the directory in the next build. Please give qe ack (and hopefully we get the auto pm ack) so I can mark this BZ as Resolved
Adding "su ganesha ganesha" won't/doesn't work. It needs to be "su root ganesha", at least until we have ganesha running as non-root. Or we can change the perms on /var/log/ganesha to 0755 (currently at 0775). The latter is a simple fix to the mkdir in the rpm .spec file.
(In reply to Kaleb KEITHLEY from comment #8)
> I will set the mode correctly on the directory in the next build.
>
> Please give qe ack (and hopefully we get the auto pm ack) so I can mark this
> BZ as Resolved
So you are suggesting the issue happened because of the mode for the directory, 775, not because it is owned by the ganesha user. I didn't understand why "su root ganesha" works but "su ganesha ganesha", Currently /var/log/ganesha is owned by "ganesha ganesha" and if I understand option su, it mentions "su user group", so ideally it needs to be "su ganesha ganesha" IMO.
I don't see anything in the logrotate.conf man page that says user must be the same as the group, or the same as the log file owner. AFAICT, "su root ganesha" is not wrong. (And log rotation works with it.) And I still think changing the perms on /var/log/ganesha to 0755 is the simpler/better fix.
I can confirm that adding "su root ganesha" works :
**DEFAULTS**:
[root@gqas016 ~]# cat /etc/logrotate.d/ganesha
/var/log/ganesha/ganesha.log {
weekly
rotate 52
copytruncate
dateext
compress
missingok
}
[root@gqas016 ~]#
[root@gqas016 ~]# logrotate -f /etc/logrotate.d/ganesha
error: skipping "/var/log/ganesha/ganesha.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
[root@gqas016 ~]#
**ADD su root ganesha**:
[root@gqas016 ~]# cat /etc/logrotate.d/ganesha
/var/log/ganesha/ganesha.log {
weekly
rotate 52
copytruncate
dateext
compress
missingok
su root ganesha
}
[root@gqas016 ~]# logrotate -f /etc/logrotate.d/ganesha
[root@gqas016 ~]#
Changing permissions for /var/log/ganesha works as well (I understand that's the easier fix). I hope it doesn't cause any other problems:
[root@gqas016 ~]# chmod 0777 /var/log/ganesha/
[root@gqas016 ~]# logrotate -f /etc/logrotate.d/ganesha
error: skipping "/var/log/ganesha/ganesha.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
[root@gqas016 ~]#
[root@gqas016 ~]# chmod 0755 /var/log/ganesha/
[root@gqas016 ~]#
[root@gqas016 ~]# logrotate -f /etc/logrotate.d/ganesha
[root@gqas016 ~]#
Able to repro the issue with
# rpm -qa | grep ganesha
glusterfs-ganesha-3.12.2-7.el7rhgs.x86_64
nfs-ganesha-2.5.5-4.el7rhgs.x86_64
nfs-ganesha-gluster-2.5.5-4.el7rhgs.x86_64
# ll | grep ganesha
drwxrwxr-x. 2 ganesha ganesha 50 Apr 9 16:31 ganesha
# ll ganesha/
total 120
-rw-------. 1 root root 95006 Apr 9 16:30 ganesha-gfapi.log
-rw-r--r--. 1 root root 23792 Apr 9 16:32 ganesha.log
# logrotate -f /etc/logrotate.d/ganesha
error: skipping "/var/log/ganesha/ganesha.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
# logrotate -f /etc/logrotate.d/ganesha-gfapi
error: skipping "/var/log/ganesha/ganesha-gfapi.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
# cat /etc/logrotate.d/ganesha
/var/log/ganesha/ganesha.log {
weekly
rotate 52
copytruncate
dateext
compress
missingok
}
[root@dhcp37-191 log]# cat /etc/logrotate.d/ganesha-gfapi
/var/log/ganesha/ganesha-gfapi.log {
weekly
rotate 52
copytruncate
dateext
compress
missingok
}
Moving this BZ to assigned state.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:2610
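The parent-directory test described by the logrotate error message in this thread, written out as an added shell example (not code from the bug report, Red Hat, or logrotate) that audits a logrotate config for stanzas that would be skipped. The function names, the constructed temporary config and directory, and the use of GNU `stat -c` are assumptions of the example; it only handles stanzas written as `path {` on one line.

```sh
#!/bin/sh
# Added example, not logrotate's code. Rule taken from the error text in this
# thread: the parent directory is "insecure" when it is world writable, or
# writable by a group other than root (gid 0).

# insecure_mode MODE GID: succeeds when octal MODE and numeric GID trip the rule.
insecure_mode() {
    perm=$(( 0$1 ))
    if [ $(( perm & 0002 )) -ne 0 ]; then return 0; fi
    if [ $(( perm & 0020 )) -ne 0 ] && [ "$2" -ne 0 ]; then return 0; fi
    return 1
}

# stanzas FILE: print "<logpath> <su|nosu>" for each "path {" ... "}" stanza.
stanzas() {
    awk '
        /[{][ \t]*$/ { path = $1; su = "nosu"; next }
        $1 == "su"   { su = "su"; next }
        $1 == "}"    { if (path != "") print path, su; path = "" }
    ' "$1"
}

# audit FILE: list stanzas that logrotate, run as root, would skip. "OK" only
# means this directory test is passed or bypassed by su; as the thread shows,
# the su user must still be able to open the log file itself.
audit() {
    stanzas "$1" | while read -r path su; do
        dir=$(dirname "$path")
        [ -d "$dir" ] || continue
        mode=$(stat -c %a "$dir")   # GNU stat: octal permission bits
        gid=$(stat -c %g "$dir")    # GNU stat: numeric group id
        if [ "$su" = nosu ] && insecure_mode "$mode" "$gid"; then
            echo "SKIPPED $path (dir mode $mode, gid $gid, no su directive)"
        else
            echo "OK $path"
        fi
    done
}

# Constructed demo. 0777 is used instead of the thread's 0775 so the result
# does not depend on which group owns the temporary directory.
demo() {
    t=$(mktemp -d) && mkdir "$t/ganesha" && chmod 0777 "$t/ganesha"
    printf '%s {\n    weekly\n}\n%s {\n    su root ganesha\n    weekly\n}\n' \
        "$t/ganesha/ganesha.log" "$t/ganesha/ganesha-gfapi.log" > "$t/conf"
    audit "$t/conf"
    rm -rf "$t"
}
demo
```

On a real host, `audit /etc/logrotate.d/ganesha` reports the same verdict for the installed config and the actual /var/log/ganesha directory.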