Bug 2375213

Summary: Transition of log file ownership to sssd user/group does not fix logrotated files, which breaks logrotate
Product: Fedora
Component: sssd
Reporter: Jonathan Billings <jbilling>
Assignee: Alexey Tikhonov <atikhono>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Version: 42
CC: abokovoy, aboscatt, arusakov, atikhono, kdudka, lslebodn, pbrezina, sbose, ssorce, sssd-maintainers
Flags: aboscatt: mirror+
Hardware: Unspecified
OS: Linux
Fixed In Version: sssd-2.11.1-1.fc42
Last Closed: 2025-08-05 09:11:37 UTC

Description Jonathan Billings 2025-06-27 14:05:10 UTC
When the sssd-common package introduced a change to the permissions of the log files in /var/log/sssd/, this was added to the RPM %postinstall scriptlet:

/usr/bin/chown -f sssd:sssd /var/log/sssd/*.log || true

(Ref: https://src.fedoraproject.org/rpms/sssd/blob/f42/f/sssd.spec#_1119 )

However, there is also a logrotate configuration in sssd-common that rotates and compresses the log files /var/log/sssd/*.log, and it also has "su sssd sssd" in the configuration. (Ref: https://github.com/SSSD/sssd/blob/master/src/examples/logrotate.in)

If sssd had been running before the transition to using the sssd user/group for log file ownership, there were several root:root-owned files that had been rotated earlier. However, logrotate can no longer rotate them because their permissions were restricted to root and logrotate is running as sssd:sssd.

You'll get an error that looks like:

logrotate[61244]: error: unable to open /var/log/sssd/sssd_pam.log-20250511 (read-only) for compression: Permission denied

This causes the logrotate.service to error out immediately, rather than continuing to rotate log files.

I think the glob in the rpm %post install scriptlet should be changed to /var/log/sssd/*.log* to address this.

Reproducible: Always

Comment 1 Jonathan Billings 2025-06-27 14:34:59 UTC
It looks like fixing the sssd.service could also fix this.  It currently has:

ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @logpath@/*.log"

(Ref: https://github.com/SSSD/sssd/blob/master/src/sysv/systemd/sssd.service.in#L22 )

Comment 2 Alexey Tikhonov 2025-07-08 16:31:37 UTC
Upstream PR: https://github.com/SSSD/sssd/pull/8025

Comment 3 Alexey Tikhonov 2025-07-29 15:32:45 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/8025

* `master`
    * d8ac442973e3304c951d42126eea6248b7dc8d2a - spec: don't dereference links while chown-ing in %post
    * 7e8b62e0a98b7dba1b11798da73992bb5478da35 - Make sure previously rotated logs are chown-ed as well.
* `sssd-2-11`
    * 30f03098a4c88d30a12ecbe6c1f4af6d73193436 - spec: don't dereference links while chown-ing in %post
    * f51065918e95ac98b28fbc3392c2f7838a629836 - Make sure previously rotated logs are chown-ed as well.
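Added example, not code from the sssd project or from the commenters: a small POSIX shell audit for the situation described in the report and fixed by the commits above. It shows which entries in a log directory the narrow "*.log" glob of the old %post scriptlet skips, lists "*.log*" entries not owned by the expected user:group (the rotated files that logrotate running as sssd:sssd cannot compress), and applies the widened chown without dereferencing symlinks. The directory, user and group are parameters supplied by the caller; the file names in the usage comments are constructed.

```sh
#!/bin/sh
# Example audit/repair helpers for the sssd log ownership problem.
# Not part of sssd; DIR, USER and GROUP are supplied by the caller.

# Print the entries in DIR that the old glob '*.log' skips but '*.log*'
# covers, e.g. constructed names such as sssd_pam.log-20250511 and
# sssd_pam.log-20250511.gz left over from earlier rotations.
missed_by_narrow_glob() {
    dir=$1
    for f in "$dir"/*.log*; do
        # An unmatched glob stays literal; skip it (and keep symlinks).
        [ -e "$f" ] || [ -L "$f" ] || continue
        case "$f" in
            *.log) ;;                  # already covered by the old glob
            *)     printf '%s\n' "$f" ;;
        esac
    done
}

# List '*.log*' entries directly in DIR whose owner or group differs from
# USER:GROUP. These are the files a logrotate configured with
# "su USER GROUP" cannot open for compression.
not_owned_by() {
    dir=$1 user=$2 group=$3
    find "$dir" -maxdepth 1 -name '*.log*' \
        \( ! -user "$user" -o ! -group "$group" \) -print
}

# Apply the widened fix: chown every '*.log*' entry, quietly (-f) and
# without following symlinks (-h), so a link in the log directory cannot
# redirect the chown to a file outside it.
fix_ownership() {
    dir=$1 user=$2 group=$3
    chown -f -h "$user:$group" "$dir"/*.log* || true
}

# Usage (needs root to change ownership to another account):
#   missed_by_narrow_glob /var/log/sssd
#   not_owned_by /var/log/sssd sssd sssd
#   fix_ownership /var/log/sssd sssd sssd
```

Running not_owned_by before and after fix_ownership gives a quick check that the next logrotate run will not fail on leftover root-owned archives.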