Bug 1266105 - Logrotate for nginx broken due to new "su" directive in logrotate.
Summary: Logrotate for nginx broken due to new "su" directive in logrotate.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: nginx
Version: epel7
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-09-24 13:32 UTC by Andrew Holway
Modified: 2020-11-05 09:38 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-09-24 17:10:48 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Andrew Holway 2015-09-24 13:32:52 UTC
Description of problem:

Logrotate for nginx is broken with the following error:

error: skipping "/var/log/nginx/access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

I could not find any solid guidance on the use of "su" in logrotation configs. My attempts to experiment seemed to break things even more. 

Version-Release number of selected component (if applicable):

Nginx
Arch        : x86_64
Epoch       : 1
Version     : 1.6.3
Release     : 6.el7

Logrotate
Arch        : x86_64
Version     : 3.8.6
Release     : 4.el7

How reproducible:

Easy to reproduce

Steps to Reproduce:
1. Install stock Nginx
2. Fill up /var/log/access.log and /var/log/error.log
3. $logrotate -d /etc/logrotate.d/nginx

Actual results:

[root@foo ~]# logrotate -d /etc/logrotate.d/nginx
reading config file /etc/logrotate.d/nginx

Handling 1 logs

rotating pattern: /var/log/nginx/*log  after 1 days (10 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/nginx/access.log
error: skipping "/var/log/nginx/access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
considering log /var/log/nginx/error.log
error: skipping "/var/log/nginx/error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

Expected results:

properly rotated logs

Additional info:

Comment 1 Jamie Nguyen 2015-09-24 15:02:28 UTC
Please post the output of this command:

  # ls -la /var/log/nginx/

I'm only able to reproduce this problem after explicitly running `chmod 777 /var/log/nginx`, so my guess is that the permissions for your /var/log/nginx directory are not the default.

Comment 2 Andrew Holway 2015-09-24 15:23:11 UTC
[root@ip-10-141-12-10 log]# ls -la /var/log/nginx/
total 264
drwx------. 2 nginx nginx     39 Sep 24 13:05 .
drwxr-xr-x. 9 root  root    4096 Sep 24 13:00 ..
-rw-r--r--. 1 root  root   92114 Sep 24 14:31 access.log
-rw-r--r--. 1 root  root  171747 Sep 24 13:13 error.log

Comment 3 Andrew Holway 2015-09-24 15:37:29 UTC
Actually, I am seeing this problem on one of our boxes. I managed to reproduce it on a clean instance but now, of course, on the newest instance I've created things are working ok. Sorry about that. pebkac.

I noticed that, on the box with this "bug" /var/log/nginx was on 770. I have changed it to 700 to match the test box and now I see the below error.

[root@tracktor-prod-a-041 nginx]# ls -la
total 44500
drwx------.  3 nginx nginx       54 Sep 14 09:37 .
drwxr-xr-x. 10 root  root      4096 Sep 20 03:45 ..
-rw-r--r--.  1 nginx nginx 21862030 Sep 24 15:33 access.log
-rw-r--r--.  1 nginx nginx 11369804 Sep 24 15:33 error.log
drwxrwx---.  2 nginx nginx     4096 Sep 24 12:12 tracking


[root@tracktor-prod-a-041 log]# logrotate -d /etc/logrotate.d/nginx 
reading config file /etc/logrotate.d/nginx

Handling 1 logs

rotating pattern: /var/log/nginx/*log  after 1 days (10 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/nginx/access.log
  log needs rotating
considering log /var/log/nginx/error.log
  log needs rotating
rotating log /var/log/nginx/access.log, log->rotateCount is 10
dateext suffix '-20150924'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
renaming /var/log/nginx/access.log.10.gz to /var/log/nginx/access.log.11.gz (rotatecount 10, logstart 1, i 10), 
renaming /var/log/nginx/access.log.9.gz to /var/log/nginx/access.log.10.gz (rotatecount 10, logstart 1, i 9), 
renaming /var/log/nginx/access.log.8.gz to /var/log/nginx/access.log.9.gz (rotatecount 10, logstart 1, i 8), 
renaming /var/log/nginx/access.log.7.gz to /var/log/nginx/access.log.8.gz (rotatecount 10, logstart 1, i 7), 
renaming /var/log/nginx/access.log.6.gz to /var/log/nginx/access.log.7.gz (rotatecount 10, logstart 1, i 6), 
renaming /var/log/nginx/access.log.5.gz to /var/log/nginx/access.log.6.gz (rotatecount 10, logstart 1, i 5), 
renaming /var/log/nginx/access.log.4.gz to /var/log/nginx/access.log.5.gz (rotatecount 10, logstart 1, i 4), 
renaming /var/log/nginx/access.log.3.gz to /var/log/nginx/access.log.4.gz (rotatecount 10, logstart 1, i 3), 
renaming /var/log/nginx/access.log.2.gz to /var/log/nginx/access.log.3.gz (rotatecount 10, logstart 1, i 2), 
renaming /var/log/nginx/access.log.1.gz to /var/log/nginx/access.log.2.gz (rotatecount 10, logstart 1, i 1), 
renaming /var/log/nginx/access.log.0.gz to /var/log/nginx/access.log.1.gz (rotatecount 10, logstart 1, i 0), 
rotating log /var/log/nginx/error.log, log->rotateCount is 10
dateext suffix '-20150924'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
renaming /var/log/nginx/error.log.10.gz to /var/log/nginx/error.log.11.gz (rotatecount 10, logstart 1, i 10), 
renaming /var/log/nginx/error.log.9.gz to /var/log/nginx/error.log.10.gz (rotatecount 10, logstart 1, i 9), 
renaming /var/log/nginx/error.log.8.gz to /var/log/nginx/error.log.9.gz (rotatecount 10, logstart 1, i 8), 
renaming /var/log/nginx/error.log.7.gz to /var/log/nginx/error.log.8.gz (rotatecount 10, logstart 1, i 7), 
renaming /var/log/nginx/error.log.6.gz to /var/log/nginx/error.log.7.gz (rotatecount 10, logstart 1, i 6), 
renaming /var/log/nginx/error.log.5.gz to /var/log/nginx/error.log.6.gz (rotatecount 10, logstart 1, i 5), 
renaming /var/log/nginx/error.log.4.gz to /var/log/nginx/error.log.5.gz (rotatecount 10, logstart 1, i 4), 
renaming /var/log/nginx/error.log.3.gz to /var/log/nginx/error.log.4.gz (rotatecount 10, logstart 1, i 3), 
renaming /var/log/nginx/error.log.2.gz to /var/log/nginx/error.log.3.gz (rotatecount 10, logstart 1, i 2), 
renaming /var/log/nginx/error.log.1.gz to /var/log/nginx/error.log.2.gz (rotatecount 10, logstart 1, i 1), 
renaming /var/log/nginx/error.log.0.gz to /var/log/nginx/error.log.1.gz (rotatecount 10, logstart 1, i 0), 
fscreate context set to system_u:object_r:httpd_log_t:s0
renaming /var/log/nginx/access.log to /var/log/nginx/access.log.1
creating new /var/log/nginx/access.log mode = 0644 uid = 997 gid = 995
fscreate context set to system_u:object_r:httpd_log_t:s0
renaming /var/log/nginx/error.log to /var/log/nginx/error.log.1
creating new /var/log/nginx/error.log mode = 0644 uid = 997 gid = 995
running postrotate script
running script with arg /var/log/nginx/*log : "
        /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
"
compressing log with: /bin/gzip
removing old log /var/log/nginx/access.log.11.gz
error: error opening /var/log/nginx/access.log.11.gz: No such file or directory

Comment 4 Jamie Nguyen 2015-09-24 15:48:07 UTC
Those errors can be ignored and are a consequence of not using the full logrotate configuration file (which includes the dateext option). Try a dry-run with the full logrotate configuration instead and you shouldn't see any errors:

  # logrotate -d -f /etc/logrotate.conf

Then try rotating for real and the nginx logs should be rotated:

  # logrotate -f /etc/logrotate.conf

Comment 5 Jamie Nguyen 2015-09-24 15:48:57 UTC
Also, it should still work with `logrotate -f /etc/logrotate.d/nginx` despite the error message.

Comment 6 Andrew Holway 2015-09-24 15:53:22 UTC
[root@tracktor-prod-a-041 nginx]# ls -la
total 44500
drwxrwx---.  3 nginx nginx       54 Sep 14 09:37 .
drwxr-xr-x. 10 root  root      4096 Sep 20 03:45 ..
-rw-r--r--.  1 nginx nginx 25183610 Sep 24 15:51 access.log
-rw-r--r--.  1 nginx nginx 13179052 Sep 24 15:51 error.log
drwxrwx---.  2 nginx nginx     4096 Sep 24 15:49 tracking

[root@tracktor-prod-a-041 nginx]# logrotate -f /etc/logrotate.d/nginx
error: skipping "/var/log/nginx/access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/nginx/error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

[root@tracktor-prod-a-041 nginx]# ls -la
total 44500
drwxrwx---.  3 nginx nginx       54 Sep 14 09:37 .
drwxr-xr-x. 10 root  root      4096 Sep 20 03:45 ..
-rw-r--r--.  1 nginx nginx 25202598 Sep 24 15:51 access.log
-rw-r--r--.  1 nginx nginx 13187444 Sep 24 15:51 error.log
drwxrwx---.  2 nginx nginx     4096 Sep 24 15:49 tracking

Comment 7 Andrew Holway 2015-09-24 15:54:01 UTC
[root@tracktor-prod-a-041 nginx]# ls -la
total 44500
drwxrwx---.  3 nginx nginx       54 Sep 14 09:37 .
drwxr-xr-x. 10 root  root      4096 Sep 20 03:45 ..
-rw-r--r--.  1 nginx nginx 25330817 Sep 24 15:52 access.log
-rw-r--r--.  1 nginx nginx 13267932 Sep 24 15:52 error.log
drwxrwx---.  2 nginx nginx     4096 Sep 24 15:49 tracking
You have new mail in /var/spool/mail/centos
  
[root@tracktor-prod-a-041 nginx]# logrotate -f /etc/logrotate.conf 
error: skipping "/var/log/nginx/access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/nginx/error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

[root@tracktor-prod-a-041 nginx]# ls -la
total 44500
drwxrwx---.  3 nginx nginx       54 Sep 14 09:37 .
drwxr-xr-x. 10 root  root      4096 Sep 24 15:52 ..
-rw-r--r--.  1 nginx nginx 25373079 Sep 24 15:52 access.log
-rw-r--r--.  1 nginx nginx 13292871 Sep 24 15:52 error.log
drwxrwx---.  2 nginx nginx     4096 Sep 24 15:49 tracking

Comment 8 Jamie Nguyen 2015-09-24 16:11:03 UTC
Deja vu! ;-)

(Andrew Holway from comment #3)
> I noticed that, on the box with this "bug" /var/log/nginx was on 770. I have
> changed it to 700 to match the test box


Note You need to log in before you can comment on or make changes to this bug.