Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1142677

Summary: Candlepin logrotate reports insecure permissions
Product: Red Hat Satellite
Component: Candlepin
Version: 6.0.4
Status: CLOSED DUPLICATE
Severity: low
Priority: unspecified
Reporter: Sebastian Ickler <sebastian.ickler>
Assignee: Barnaby Court <bcourt>
QA Contact: Katello QA List <katello-qa-list>
CC: akaiser, alikins, bcourt, bkearney, brsmith, chrobert, cwelton, dcleal, egolov, erinn.looneytriggs, knovakov, mmccune, mstead, psuriset, sebastian.ickler, tcarlin
Keywords: Reopened, Triaged
Target Milestone: Unspecified
Target Release: Unused
Hardware: All
OS: Linux
Fixed In Version: candlepin-0.9.54.6-1
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-06-07 20:42:06 UTC
Bug Depends On: 1310173

Description Sebastian Ickler 2014-09-17 08:00:41 UTC
Description of problem:
logrotate reports the following message when performing some Satellite related logfiles:

---%<---

/etc/cron.daily/logrotate:

error: skipping "/var/log/candlepin/audit.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/candlepin/candlepin.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/candlepin/cpdb.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/candlepin/cpinit.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/candlepin/error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/tomcat/catalina.out" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

---%<---

Seems like there is a parameter in the config files missing.

Version-Release number of selected component (if applicable):
Satellite 6.0.4 on RHEL7

How reproducible:
Install Satellite 6.0.4
Wait for the daily logrotate

Steps to Reproduce:
-

Actual results:
-

Expected results:
No message of possible wrong permissions

Additional info:
-

Comment 1 RHEL Program Management 2014-09-17 08:03:02 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 3 Adrian Likins 2014-10-03 17:46:11 UTC
(In reply to Sebastian Ickler from comment #0)

> /etc/cron.daily/logrotate:
> 
> error: skipping "/var/log/candlepin/audit.log" because parent directory has

> error: skipping "/var/log/tomcat/catalina.out" because parent directory has

On systems showing this, what are the perms of /var/log/candlepin and /var/log/tomcat? I.e., the output of:

    stat /var/log/tomcat/ /var/log/candlepin/

Comment 4 Adrian Likins 2014-10-03 18:26:19 UTC
I think this may be related to an upstream logrotate change:

https://fedorahosted.org/logrotate/changeset?reponame=&new=449%40trunk&old=448%40trunk

> Return an error code when parent directory of log does not exists
> "su" directive is not used, logrotate is running as root and missingok is not
> specified. [vcizek]

Comment 5 Adrian Likins 2014-10-03 19:45:33 UTC
Also, what logrotate version?

Comment 6 Sebastian Ickler 2014-10-06 07:14:28 UTC
Here's the stat:

[root@host ~]# stat /var/log/tomcat/ /var/log/candlepin/
  File: ‘/var/log/tomcat/’
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: fd05h/64773d    Inode: 34676917    Links: 2
Access: (0775/drwxrwxr-x)  Uid: (    0/    root)   Gid: (   91/  tomcat)
Access: 2014-08-04 21:07:07.000000000 +0200
Modify: 2014-09-24 13:03:18.065207849 +0200
Change: 2014-09-24 13:03:18.065207849 +0200
 Birth: -
  File: ‘/var/log/candlepin/’
  Size: 90              Blocks: 0          IO Block: 4096   directory
Device: fd05h/64773d    Inode: 34634985    Links: 2
Access: (0775/drwxrwxr-x)  Uid: (   91/  tomcat)   Gid: (   91/  tomcat)
Access: 2014-08-07 20:35:01.000000000 +0200
Modify: 2014-09-24 13:03:25.705139371 +0200
Change: 2014-09-24 13:03:25.705139371 +0200
 Birth: -
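
Added example (not part of the original thread and not Candlepin or logrotate code): a shell check that applies the condition named in the logrotate error text to a directory's mode and group, and reports whether a config file already carries an `su` directive. The function names and the file-wide `su` match are assumptions made for illustration; `stat -c` is the GNU coreutils form used on RHEL.

```shell
#!/bin/sh
# Added example: applies the rule stated in logrotate's error message, i.e. the
# parent directory is world-writable or writable by a group other than root.

# parent_is_insecure MODE GID
# MODE is octal as printed by `stat -c %a` (e.g. 775). Returns 0 if insecure.
parent_is_insecure() {
    perm=$((0$1))
    if [ $((perm & 0002)) -ne 0 ]; then
        return 0                      # world-writable
    fi
    if [ $((perm & 0020)) -ne 0 ] && [ "$2" -ne 0 ]; then
        return 0                      # group-writable and group is not root
    fi
    return 1
}

# has_su_directive CONFIG
# True if any line of the file is "su <user> <group>". Simplification: this
# matches anywhere in the file and does not track which stanza it sits in.
has_su_directive() {
    grep -Eq '^[[:space:]]*su[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+' "$1"
}

# audit_log CONFIG LOGFILE
# Prints: ok (parent dir passes), su-set (fails but config has su),
# or needs-su (fails and no su directive, the case reported in this bug).
audit_log() {
    dir=$(dirname "$2")
    mode=$(stat -c %a "$dir") || return 2
    gid=$(stat -c %g "$dir") || return 2
    if ! parent_is_insecure "$mode" "$gid"; then
        echo ok
    elif has_su_directive "$1"; then
        echo su-set
    else
        echo needs-su
    fi
}

# Values taken from the stat output above: both directories are 0775, gid 91.
if parent_is_insecure 775 91; then
    echo "0775 with gid 91 (tomcat): logrotate run as root expects an su directive"
fi
```
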

Comment 7 Sebastian Ickler 2014-10-06 07:16:14 UTC
[root@host ~]# logrotate -v
logrotate 3.8.6 - Copyright (C) 1995-2001 Red Hat, Inc.
This may be freely redistributed under the terms of the GNU Public License

Comment 8 Sebastian Ickler 2014-10-06 07:17:11 UTC
Whoops, I'm a bit trigger-happy today... :)

[root@host ~]# rpm -qa |grep logrotate
logrotate-3.8.6-4.el7.x86_64

Comment 9 Adrian Likins 2014-10-09 20:10:10 UTC
pr at https://github.com/candlepin/candlepin/pull/734

Comment 11 Michael Stead 2015-02-19 13:49:21 UTC
Looks like this was fixed as per Comment 9

Comment 12 Michael Stead 2015-04-07 18:08:32 UTC
*** Bug 1190943 has been marked as a duplicate of this bug. ***

Comment 13 Tazim Kolhar 2015-04-27 09:29:02 UTC
hi

please provide verification steps

thanks

Comment 14 Adrian Likins 2015-05-12 14:24:37 UTC
1. Install candlepin 0.9.32-1 or older on a RHEL 7 Server.
   (candlepin-0.9.23-1.el7.noarch.rpm is in Satellite-6.0.4 mentioned in bug)

2. Verify /var/log/candlepin is owned tomcat.tomcat.
3. Install logrotate-3.8.6-4.el7.x86_64
4. sudo logrotate -v -f /etc/logrotate/candlepin
(See errors in description)


1. Install updates
2. sudo logrotate -v -f /etc/logrotate/candlepin
(See successful logrotate)

Comment 15 Tazim Kolhar 2015-06-15 10:41:08 UTC
VERIFIED:
Install Satellite 6.0.4 from the iso

steps
1. Install candlepin 0.9.32-1 or older on a RHEL 7 Server.
   (candlepin-0.9.23-1.el7.noarch.rpm is in Satellite-6.0.4 mentioned in bug)

2. Verify /var/log/candlepin is owned tomcat.tomcat.
3. Install logrotate-3.8.6-4.el7.x86_64
4. sudo logrotate -v -f /etc/logrotate/candlepin
(See errors in description)


1. Install updates
2. sudo logrotate -v -f /etc/logrotate/candlepin

successful logrotate

Comment 16 Bryan Kearney 2015-08-11 13:22:18 UTC
This bug is slated to be released with Satellite 6.1.

Comment 17 Bryan Kearney 2015-08-12 13:57:41 UTC
This bug was fixed in version 6.1.1 of Satellite which was released on 12 August, 2015.

Comment 18 Pradeep Kumar Surisetty 2015-11-21 18:30:56 UTC
This is reproducible on latest release too. 6.1.4 on RHEL 7.1
Seems like regression. 

candlepin version
candlepin-0.9.49.9-1.el7.noarch

logrotate version
logrotate-3.8.6-4.el7.x86_64

logrotate -v -f /etc/logrotate.d/candlepin
---%<---

error: skipping "/var/log/candlepin/audit.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
considering log /var/log/candlepin/candlepin.log
error: skipping "/var/log/candlepin/candlepin.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
considering log /var/log/candlepin/cpdb.log
error: skipping "/var/log/candlepin/cpdb.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
considering log /var/log/candlepin/cpinit.log
error: skipping "/var/log/candlepin/cpinit.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
considering log /var/log/candlepin/error.log
error: skipping "/var/log/candlepin/error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
set default create context

---%<---


stat /var/log/tomcat/ /var/log/candlepin/
  File: ‘/var/log/tomcat/’
  Size: 4096      	Blocks: 8          IO Block: 4096   directory
Device: fd01h/64769d	Inode: 3222189579  Links: 2
Access: (0775/drwxrwxr-x)  Uid: (    0/    root)   Gid: (   91/  tomcat)
Context: system_u:object_r:tomcat_log_t:s0
Access: 2015-03-24 19:50:20.000000000 -0400
Modify: 2015-11-17 02:29:38.120996953 -0500
Change: 2015-11-17 02:36:04.204524070 -0500
 Birth: -
  File: ‘/var/log/candlepin/’
  Size: 90        	Blocks: 0          IO Block: 4096   directory
Device: fd01h/64769d	Inode: 3222083551  Links: 2
Access: (0775/drwxrwxr-x)  Uid: (   91/  tomcat)   Gid: (   91/  tomcat)
Context: system_u:object_r:var_log_t:s0
Access: 2015-11-21 03:35:01.259569143 -0500
Modify: 2015-11-17 02:39:11.311152755 -0500
Change: 2015-11-17 02:39:11.311152755 -0500
 Birth: -

Comment 20 Bryan Kearney 2016-05-16 14:23:42 UTC
This requires candlepin 0.9.54.6 or later.

Comment 21 Bryan Kearney 2016-05-16 15:45:33 UTC
Moving to POST, please pull in 0.9.54.6.

Comment 23 Corey Welton 2016-06-07 20:42:06 UTC
Closing this as it is effectively a dupe of https://bugzilla.redhat.com/show_bug.cgi?id=1212955

*** This bug has been marked as a duplicate of bug 1212955 ***