Bug 1266105 - Logrotate for nginx broken due to new "su" directive in logrotate.
Status: CLOSED NOTABUG
Product: Fedora EPEL
Classification: Fedora
Component: nginx
Version: epel7
Assigned To: Jamie Nguyen
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-09-24 09:32 EDT by Andrew Holway
Modified: 2015-09-24 13:10 EDT
Doc Type: Bug Fix
Last Closed: 2015-09-24 13:10:48 EDT
Type: Bug
Description Andrew Holway 2015-09-24 09:32:52 EDT
Description of problem:

Logrotate for nginx is broken with the following error:

error: skipping "/var/log/nginx/access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

I could not find any solid guidance on the use of "su" in logrotation configs. My attempts to experiment seemed to break things even more. 

Version-Release number of selected component (if applicable):

Nginx
Arch        : x86_64
Epoch       : 1
Version     : 1.6.3
Release     : 6.el7

Logrotate
Arch        : x86_64
Version     : 3.8.6
Release     : 4.el7

How reproducible:

Easy to reproduce

Steps to Reproduce:
1. Install stock Nginx
2. Fill up /var/log/access.log and /var/log/error.log
3. $ logrotate -d /etc/logrotate.d/nginx

Actual results:

[root@foo ~]# logrotate -d /etc/logrotate.d/nginx
reading config file /etc/logrotate.d/nginx

Handling 1 logs

rotating pattern: /var/log/nginx/*log  after 1 days (10 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/nginx/access.log
error: skipping "/var/log/nginx/access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
considering log /var/log/nginx/error.log
error: skipping "/var/log/nginx/error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

Expected results:

properly rotated logs

Additional info:
Comment 1 Jamie Nguyen 2015-09-24 11:02:28 EDT
Please post the output of this command:

  # ls -la /var/log/nginx/

I'm only able to reproduce this problem after explicitly running `chmod 777 /var/log/nginx`, so my guess is that the permissions for your /var/log/nginx directory are not the default.
Comment 2 Andrew Holway 2015-09-24 11:23:11 EDT
[root@ip-10-141-12-10 log]# ls -la /var/log/nginx/
total 264
drwx------. 2 nginx nginx     39 Sep 24 13:05 .
drwxr-xr-x. 9 root  root    4096 Sep 24 13:00 ..
-rw-r--r--. 1 root  root   92114 Sep 24 14:31 access.log
-rw-r--r--. 1 root  root  171747 Sep 24 13:13 error.log
Comment 3 Andrew Holway 2015-09-24 11:37:29 EDT
Actually, I am seeing this problem on one of our boxes. I managed to reproduce it on a clean instance but now, of course, on the newest instance I've created things are working ok. Sorry about that. pebkac.

I noticed that, on the box with this "bug" /var/log/nginx was on 770. I have changed it to 700 to match the test box and now I see the below error.

[root@tracktor-prod-a-041 nginx]# ls -la
total 44500
drwx------.  3 nginx nginx       54 Sep 14 09:37 .
drwxr-xr-x. 10 root  root      4096 Sep 20 03:45 ..
-rw-r--r--.  1 nginx nginx 21862030 Sep 24 15:33 access.log
-rw-r--r--.  1 nginx nginx 11369804 Sep 24 15:33 error.log
drwxrwx---.  2 nginx nginx     4096 Sep 24 12:12 tracking


[root@tracktor-prod-a-041 log]# logrotate -d /etc/logrotate.d/nginx 
reading config file /etc/logrotate.d/nginx

Handling 1 logs

rotating pattern: /var/log/nginx/*log  after 1 days (10 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/nginx/access.log
  log needs rotating
considering log /var/log/nginx/error.log
  log needs rotating
rotating log /var/log/nginx/access.log, log->rotateCount is 10
dateext suffix '-20150924'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
renaming /var/log/nginx/access.log.10.gz to /var/log/nginx/access.log.11.gz (rotatecount 10, logstart 1, i 10), 
renaming /var/log/nginx/access.log.9.gz to /var/log/nginx/access.log.10.gz (rotatecount 10, logstart 1, i 9), 
renaming /var/log/nginx/access.log.8.gz to /var/log/nginx/access.log.9.gz (rotatecount 10, logstart 1, i 8), 
renaming /var/log/nginx/access.log.7.gz to /var/log/nginx/access.log.8.gz (rotatecount 10, logstart 1, i 7), 
renaming /var/log/nginx/access.log.6.gz to /var/log/nginx/access.log.7.gz (rotatecount 10, logstart 1, i 6), 
renaming /var/log/nginx/access.log.5.gz to /var/log/nginx/access.log.6.gz (rotatecount 10, logstart 1, i 5), 
renaming /var/log/nginx/access.log.4.gz to /var/log/nginx/access.log.5.gz (rotatecount 10, logstart 1, i 4), 
renaming /var/log/nginx/access.log.3.gz to /var/log/nginx/access.log.4.gz (rotatecount 10, logstart 1, i 3), 
renaming /var/log/nginx/access.log.2.gz to /var/log/nginx/access.log.3.gz (rotatecount 10, logstart 1, i 2), 
renaming /var/log/nginx/access.log.1.gz to /var/log/nginx/access.log.2.gz (rotatecount 10, logstart 1, i 1), 
renaming /var/log/nginx/access.log.0.gz to /var/log/nginx/access.log.1.gz (rotatecount 10, logstart 1, i 0), 
rotating log /var/log/nginx/error.log, log->rotateCount is 10
dateext suffix '-20150924'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
renaming /var/log/nginx/error.log.10.gz to /var/log/nginx/error.log.11.gz (rotatecount 10, logstart 1, i 10), 
renaming /var/log/nginx/error.log.9.gz to /var/log/nginx/error.log.10.gz (rotatecount 10, logstart 1, i 9), 
renaming /var/log/nginx/error.log.8.gz to /var/log/nginx/error.log.9.gz (rotatecount 10, logstart 1, i 8), 
renaming /var/log/nginx/error.log.7.gz to /var/log/nginx/error.log.8.gz (rotatecount 10, logstart 1, i 7), 
renaming /var/log/nginx/error.log.6.gz to /var/log/nginx/error.log.7.gz (rotatecount 10, logstart 1, i 6), 
renaming /var/log/nginx/error.log.5.gz to /var/log/nginx/error.log.6.gz (rotatecount 10, logstart 1, i 5), 
renaming /var/log/nginx/error.log.4.gz to /var/log/nginx/error.log.5.gz (rotatecount 10, logstart 1, i 4), 
renaming /var/log/nginx/error.log.3.gz to /var/log/nginx/error.log.4.gz (rotatecount 10, logstart 1, i 3), 
renaming /var/log/nginx/error.log.2.gz to /var/log/nginx/error.log.3.gz (rotatecount 10, logstart 1, i 2), 
renaming /var/log/nginx/error.log.1.gz to /var/log/nginx/error.log.2.gz (rotatecount 10, logstart 1, i 1), 
renaming /var/log/nginx/error.log.0.gz to /var/log/nginx/error.log.1.gz (rotatecount 10, logstart 1, i 0), 
fscreate context set to system_u:object_r:httpd_log_t:s0
renaming /var/log/nginx/access.log to /var/log/nginx/access.log.1
creating new /var/log/nginx/access.log mode = 0644 uid = 997 gid = 995
fscreate context set to system_u:object_r:httpd_log_t:s0
renaming /var/log/nginx/error.log to /var/log/nginx/error.log.1
creating new /var/log/nginx/error.log mode = 0644 uid = 997 gid = 995
running postrotate script
running script with arg /var/log/nginx/*log : "
        /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
"
compressing log with: /bin/gzip
removing old log /var/log/nginx/access.log.11.gz
error: error opening /var/log/nginx/access.log.11.gz: No such file or directory
Comment 4 Jamie Nguyen 2015-09-24 11:48:07 EDT
Those errors can be ignored and are a consequence of not using the full logrotate configuration file (which includes the dateext option). Try a dry-run with the full logrotate configuration instead and you shouldn't see any errors:

  # logrotate -d -f /etc/logrotate.conf

Then try rotating for real and the nginx logs should be rotated:

  # logrotate -f /etc/logrotate.conf
Comment 5 Jamie Nguyen 2015-09-24 11:48:57 EDT
Also, it should still work with `logrotate -f /etc/logrotate.d/nginx` despite the error message.
Comment 6 Andrew Holway 2015-09-24 11:53:22 EDT
[root@tracktor-prod-a-041 nginx]# ls -la
total 44500
drwxrwx---.  3 nginx nginx       54 Sep 14 09:37 .
drwxr-xr-x. 10 root  root      4096 Sep 20 03:45 ..
-rw-r--r--.  1 nginx nginx 25183610 Sep 24 15:51 access.log
-rw-r--r--.  1 nginx nginx 13179052 Sep 24 15:51 error.log
drwxrwx---.  2 nginx nginx     4096 Sep 24 15:49 tracking

[root@tracktor-prod-a-041 nginx]# logrotate -f /etc/logrotate.d/nginx
error: skipping "/var/log/nginx/access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/nginx/error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

[root@tracktor-prod-a-041 nginx]# ls -la
total 44500
drwxrwx---.  3 nginx nginx       54 Sep 14 09:37 .
drwxr-xr-x. 10 root  root      4096 Sep 20 03:45 ..
-rw-r--r--.  1 nginx nginx 25202598 Sep 24 15:51 access.log
-rw-r--r--.  1 nginx nginx 13187444 Sep 24 15:51 error.log
drwxrwx---.  2 nginx nginx     4096 Sep 24 15:49 tracking
Comment 7 Andrew Holway 2015-09-24 11:54:01 EDT
[root@tracktor-prod-a-041 nginx]# ls -la
total 44500
drwxrwx---.  3 nginx nginx       54 Sep 14 09:37 .
drwxr-xr-x. 10 root  root      4096 Sep 20 03:45 ..
-rw-r--r--.  1 nginx nginx 25330817 Sep 24 15:52 access.log
-rw-r--r--.  1 nginx nginx 13267932 Sep 24 15:52 error.log
drwxrwx---.  2 nginx nginx     4096 Sep 24 15:49 tracking
You have new mail in /var/spool/mail/centos
  
[root@tracktor-prod-a-041 nginx]# logrotate -f /etc/logrotate.conf 
error: skipping "/var/log/nginx/access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/nginx/error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

[root@tracktor-prod-a-041 nginx]# ls -la
total 44500
drwxrwx---.  3 nginx nginx       54 Sep 14 09:37 .
drwxr-xr-x. 10 root  root      4096 Sep 24 15:52 ..
-rw-r--r--.  1 nginx nginx 25373079 Sep 24 15:52 access.log
-rw-r--r--.  1 nginx nginx 13292871 Sep 24 15:52 error.log
drwxrwx---.  2 nginx nginx     4096 Sep 24 15:49 tracking
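The parent-directory permission check that produces the errors above, reimplemented here as an added example (not logrotate's own code and not from either commenter) and run over the `ls -la` mode strings posted in comments 2, 3 and 6 plus the `chmod 777` case from comment 1; how the `su` directive changes the outcome is modelled as an assumption drawn from the error text, not taken from logrotate's source.

```python
import stat

# Constructed samples: mode string, owner and group of /var/log/nginx as shown
# by `ls -la` in comments 2, 3 and 6, plus the `chmod 777` case from comment 1.
SAMPLE_DIRS = {
    "comments 2-3: drwx------ nginx nginx": ("drwx------.", "nginx", "nginx"),
    "comment 6: drwxrwx--- nginx nginx": ("drwxrwx---.", "nginx", "nginx"),
    "comment 1: chmod 777": ("drwxrwxrwx.", "nginx", "nginx"),
    "group-writable, but group is root": ("drwxrwxr-x.", "root", "root"),
}


def parse_ls_mode(mode_str):
    """Convert an `ls -l` mode string such as 'drwxrwx---.' into rwx bits.
    The type character and the trailing '.' (SELinux) or '+' (ACL) are ignored;
    lower-case 's'/'t' imply execute is set, upper-case that it is clear."""
    bits = 0
    for i, ch in enumerate(mode_str[1:10]):
        if ch in "rwxst":
            bits |= 1 << (8 - i)
    return bits


def is_insecure_parent(mode_str, owner, group, su=None):
    """Model of the check behind the error quoted above. Rotating as root,
    logrotate refuses a parent directory that is world-writable or writable by
    a non-root group, since that write access would let someone else replace
    entries while root renames and creates files there. Assumption (not checked
    against logrotate's source): with `su user group` the rotation runs as that
    identity, so the directory instead only needs to be writable by it."""
    bits = parse_ls_mode(mode_str)
    if su is not None:
        su_user, su_group = su
        user_ok = owner == su_user and bits & stat.S_IWUSR
        group_ok = group == su_group and bits & stat.S_IWGRP
        return not (user_ok or group_ok)
    if bits & stat.S_IWOTH:
        return True
    return bool(bits & stat.S_IWGRP) and group != "root"


def audit(dirs=SAMPLE_DIRS, su=None):
    """Map each sample directory to 'insecure' or 'ok' under the given su setting."""
    return {label: "insecure" if is_insecure_parent(m, o, g, su) else "ok"
            for label, (m, o, g) in dirs.items()}


if __name__ == "__main__":
    for label, verdict in audit().items():
        print(f"{verdict:8s} {label}")
    print("with `su nginx nginx`:", audit(su=("nginx", "nginx")))
```

The 700 directory from comment 3 passes and the 770 directory from comment 6 fails exactly as the thread shows; the `su` branch illustrates why the error message points at that directive as the alternative to tightening the mode.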
Comment 8 Jamie Nguyen 2015-09-24 12:11:03 EDT
Deja vu! ;-)

(Andrew Holway from comment #3)
> I noticed that, on the box with this "bug" /var/log/nginx was on 770. I have
> changed it to 700 to match the test box
