Bug 1142677 - Candlepin logrotate reports insecure permissions
Summary: Candlepin logrotate reports insecure permissions
Keywords:
Status: CLOSED DUPLICATE of bug 1212955
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Candlepin
Version: 6.0.4
Hardware: All
OS: Linux
unspecified
low
Target Milestone: Unspecified
Assignee: Barnaby Court
QA Contact: Katello QA List
URL:
Whiteboard:
Duplicates: 1190943
Depends On: 1310173
Blocks:
Reported: 2014-09-17 08:00 UTC by Sebastian Ickler
Modified: 2023-09-07 18:38 UTC (History)

Fixed In Version: candlepin-0.9.54.6-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-07 20:42:06 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1212955 | 0 | medium | CLOSED | [logrotate] error: skipping "/var/log/candlepin/audit.log" because parent directory has insecure permissions | 2023-09-07 18:41:10 UTC
Red Hat Knowledge Base (Solution) | 1597913 | 0 | None | None | None | 2016-02-03 15:05:22 UTC

Internal Links: 1212955

Description Sebastian Ickler 2014-09-17 08:00:41 UTC
Description of problem:
logrotate reports the following message when performing some Satellite related logfiles:

---%<---

/etc/cron.daily/logrotate:

error: skipping "/var/log/candlepin/audit.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/candlepin/candlepin.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/candlepin/cpdb.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/candlepin/cpinit.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/candlepin/error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/tomcat/catalina.out" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

---%<---

Seems like there is a parameter in the config files missing.

Version-Release number of selected component (if applicable):
Satellite 6.0.4 on RHEL7

How reproducible:
Install Satellite 6.0.4
Wait for the daily logrotate

Steps to Reproduce:
-

Actual results:
-

Expected results:
No message of possible wrong permissions

Additional info:
-

Comment 1 RHEL Program Management 2014-09-17 08:03:02 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 3 Adrian Likins 2014-10-03 17:46:11 UTC
(In reply to Sebastian Ickler from comment #0)

> /etc/cron.daily/logrotate:
> 
> error: skipping "/var/log/candlepin/audit.log" because parent directory has

> error: skipping "/var/log/tomcat/catalina.out" because parent directory has

On systems showing this, what are the perms of /var/log/candlepin and /var/log/tomcat ? ie, output of:

    stat /var/log/tomcat/ /var/log/candlepin/

Comment 4 Adrian Likins 2014-10-03 18:26:19 UTC
I think this may be related to an upstream logrotate change:

https://fedorahosted.org/logrotate/changeset?reponame=&new=449%40trunk&old=448%40trunk

> Return an error code when parent directory of log does not exists
> "su" directive is not used, logrotate is running as root and missingok is not
> specified. [vcizek]

Comment 5 Adrian Likins 2014-10-03 19:45:33 UTC
Also, what logrotate version?

Comment 6 Sebastian Ickler 2014-10-06 07:14:28 UTC
Here's the stat:

[root@host ~]# stat /var/log/tomcat/ /var/log/candlepin/
  File: ‘/var/log/tomcat/’
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: fd05h/64773d    Inode: 34676917    Links: 2
Access: (0775/drwxrwxr-x)  Uid: (    0/    root)   Gid: (   91/  tomcat)
Access: 2014-08-04 21:07:07.000000000 +0200
Modify: 2014-09-24 13:03:18.065207849 +0200
Change: 2014-09-24 13:03:18.065207849 +0200
 Birth: -
  File: ‘/var/log/candlepin/’
  Size: 90              Blocks: 0          IO Block: 4096   directory
Device: fd05h/64773d    Inode: 34634985    Links: 2
Access: (0775/drwxrwxr-x)  Uid: (   91/  tomcat)   Gid: (   91/  tomcat)
Access: 2014-08-07 20:35:01.000000000 +0200
Modify: 2014-09-24 13:03:25.705139371 +0200
Change: 2014-09-24 13:03:25.705139371 +0200
 Birth: -
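
The rule quoted in the error message ("world writable or writable by group which is not root"), applied to the mode and gid that stat reports above. This is an added example, not part of the bug report and not logrotate's or Candlepin's code; the function names and the two stanzas are constructed for illustration, and `su tomcat tomcat` is an assumed value based on the directory's owner.

```shell
#!/bin/sh
# Added example: function names are hypothetical, stanzas are constructed.

# insecure_parent MODE GID -> true (0) if the directory is world-writable,
# or group-writable by a group other than root (gid 0).
insecure_parent() {
    perms=$(( 0${1#0} ))    # parse stat's octal string, e.g. 0775
    if [ $(( perms & 0002 )) -ne 0 ]; then return 0; fi
    if [ $(( perms & 0020 )) -ne 0 ] && [ "$2" -ne 0 ]; then return 0; fi
    return 1
}

# has_su_directive: reads a logrotate stanza on stdin, true if it sets "su".
has_su_directive() {
    grep -Eq '^[[:space:]]*su([[:space:]]|$)'
}

# would_skip MODE GID < stanza -> true if a root-run logrotate skips the logs.
would_skip() {
    if has_su_directive; then return 1; fi
    insecure_parent "$1" "$2"
}

# Constructed stanzas (not the file Candlepin ships).
STANZA_NO_SU='/var/log/candlepin/*.log {
    daily
    missingok
}'
STANZA_WITH_SU='/var/log/candlepin/*.log {
    su tomcat tomcat
    daily
    missingok
}'

# /var/log/candlepin in comment 6: mode 0775, gid 91 (tomcat).
# /var/log/tomcat has the same mode and group, so it gives the same result.
report() {
    if printf '%s\n' "$2" | would_skip 0775 91; then
        echo "$1: skipped, parent directory has insecure permissions"
    else
        echo "$1: rotated"
    fi
}
report "without su" "$STANZA_NO_SU"
report "with su" "$STANZA_WITH_SU"
```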

Comment 7 Sebastian Ickler 2014-10-06 07:16:14 UTC
[root@host ~]# logrotate -v
logrotate 3.8.6 - Copyright (C) 1995-2001 Red Hat, Inc.
This may be freely redistributed under the terms of the GNU Public License

Comment 8 Sebastian Ickler 2014-10-06 07:17:11 UTC
Whoops, I'm a bit trigger-happy today... :)

[root@host ~]# rpm -qa |grep logrotate
logrotate-3.8.6-4.el7.x86_64

Comment 9 Adrian Likins 2014-10-09 20:10:10 UTC
pr at https://github.com/candlepin/candlepin/pull/734

Comment 11 Michael Stead 2015-02-19 13:49:21 UTC
Looks like this was fixed as per Comment 9

Comment 12 Michael Stead 2015-04-07 18:08:32 UTC
*** Bug 1190943 has been marked as a duplicate of this bug. ***

Comment 13 Tazim Kolhar 2015-04-27 09:29:02 UTC
hi

please provide verification steps

thanks

Comment 14 Adrian Likins 2015-05-12 14:24:37 UTC
1. Install candlepin 0.9.32-1 or older on a RHEL 7 Server.
   (candlepin-0.9.23-1.el7.noarch.rpm is in Satellite-6.0.4 mentioned in bug)

2. Verify /var/log/candlepin is owned by tomcat.tomcat.
3. Install logrotate-3.8.6-4.el7.x86_64
4. sudo logrotate -v -f /etc/logrotate/candlepin
(See errors in description)


1. Install updates
2. sudo logrotate -v -f /etc/logrotate/candlepin
(See successful logrotate)

Comment 15 Tazim Kolhar 2015-06-15 10:41:08 UTC
VERIFIED:
Install Satellite 6.0.4 from the iso

steps
1. Install candlepin 0.9.32-1 or older on a RHEL 7 Server.
   (candlepin-0.9.23-1.el7.noarch.rpm is in Satellite-6.0.4 mentioned in bug)

2. Verify /var/log/candlepin is owned by tomcat.tomcat.
3. Install logrotate-3.8.6-4.el7.x86_64
4. sudo logrotate -v -f /etc/logrotate/candlepin
(See errors in description)


1. Install updates
2. sudo logrotate -v -f /etc/logrotate/candlepin

successful logrotate

Comment 16 Bryan Kearney 2015-08-11 13:22:18 UTC
This bug is slated to be released with Satellite 6.1.

Comment 17 Bryan Kearney 2015-08-12 13:57:41 UTC
This bug was fixed in version 6.1.1 of Satellite which was released on 12 August, 2015.

Comment 18 Pradeep Kumar Surisetty 2015-11-21 18:30:56 UTC
This is reproducible on latest release too. 6.1.4 on RHEL 7.1
Seems like regression. 

candlepin version
candlepin-0.9.49.9-1.el7.noarch

logrotate version
logrotate-3.8.6-4.el7.x86_64

logrotate -v -f /etc/logrotate.d/candlepin
---%<---

error: skipping "/var/log/candlepin/audit.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
considering log /var/log/candlepin/candlepin.log
error: skipping "/var/log/candlepin/candlepin.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
considering log /var/log/candlepin/cpdb.log
error: skipping "/var/log/candlepin/cpdb.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
considering log /var/log/candlepin/cpinit.log
error: skipping "/var/log/candlepin/cpinit.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
considering log /var/log/candlepin/error.log
error: skipping "/var/log/candlepin/error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
set default create context

---%<---


stat /var/log/tomcat/ /var/log/candlepin/
  File: ‘/var/log/tomcat/’
  Size: 4096      	Blocks: 8          IO Block: 4096   directory
Device: fd01h/64769d	Inode: 3222189579  Links: 2
Access: (0775/drwxrwxr-x)  Uid: (    0/    root)   Gid: (   91/  tomcat)
Context: system_u:object_r:tomcat_log_t:s0
Access: 2015-03-24 19:50:20.000000000 -0400
Modify: 2015-11-17 02:29:38.120996953 -0500
Change: 2015-11-17 02:36:04.204524070 -0500
 Birth: -
  File: ‘/var/log/candlepin/’
  Size: 90        	Blocks: 0          IO Block: 4096   directory
Device: fd01h/64769d	Inode: 3222083551  Links: 2
Access: (0775/drwxrwxr-x)  Uid: (   91/  tomcat)   Gid: (   91/  tomcat)
Context: system_u:object_r:var_log_t:s0
Access: 2015-11-21 03:35:01.259569143 -0500
Modify: 2015-11-17 02:39:11.311152755 -0500
Change: 2015-11-17 02:39:11.311152755 -0500
 Birth: -

Comment 20 Bryan Kearney 2016-05-16 14:23:42 UTC
This requires candlepin 0.9.54.6 or later.

Comment 21 Bryan Kearney 2016-05-16 15:45:33 UTC
Moving to POST, please pull in 0.9.54.6.

Comment 23 Corey Welton 2016-06-07 20:42:06 UTC
Closing this as it is effectively a dupe of https://bugzilla.redhat.com/show_bug.cgi?id=1212955

*** This bug has been marked as a duplicate of bug 1212955 ***

