Description of problem:
Logrotate for nginx is broken with the following error:

error: skipping "/var/log/nginx/access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

I could not find any solid guidance on the use of "su" in logrotation configs. My attempts to experiment seemed to break things even more.

Version-Release number of selected component (if applicable):

Nginx
Arch : x86_64
Epoch : 1
Version : 1.6.3
Release : 6.el7

Logrotate
Arch : x86_64
Version : 3.8.6
Release : 4.el7

How reproducible:
Easy to reproduce

Steps to Reproduce:
1. Install stock Nginx
2. Fill up /var/log/access.log and /var/log/error.log
3. $ logrotate -d /etc/logrotate.d/nginx

Actual results:
[root@foo ~]# logrotate -d /etc/logrotate.d/nginx
reading config file /etc/logrotate.d/nginx
Handling 1 logs
rotating pattern: /var/log/nginx/*log after 1 days (10 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/nginx/access.log
error: skipping "/var/log/nginx/access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
considering log /var/log/nginx/error.log
error: skipping "/var/log/nginx/error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

Expected results:
properly rotated logs

Additional info:

Please post the output of this command:

# ls -la /var/log/nginx/

I'm only able to reproduce this problem after explicitly running `chmod 777 /var/log/nginx`, so my guess is that the permissions for your /var/log/nginx directory are not the default.

[root@ip-10-141-12-10 log]# ls -la /var/log/nginx/
total 264
drwx------. 2 nginx nginx 39 Sep 24 13:05 .
drwxr-xr-x. 9 root root 4096 Sep 24 13:00 ..
-rw-r--r--. 1 root root 92114 Sep 24 14:31 access.log
-rw-r--r--. 1 root root 171747 Sep 24 13:13 error.log

Actually, I am seeing this problem on one of our boxes. I managed to reproduce it on a clean instance but now, of course, on the newest instance I've created things are working ok. Sorry about that. pebkac.

I noticed that, on the box with this "bug" /var/log/nginx was on 770. I have changed it to 700 to match the test box and now I see the below error.

[root@tracktor-prod-a-041 nginx]# ls -la
total 44500
drwx------. 3 nginx nginx 54 Sep 14 09:37 .
drwxr-xr-x. 10 root root 4096 Sep 20 03:45 ..
-rw-r--r--. 1 nginx nginx 21862030 Sep 24 15:33 access.log
-rw-r--r--. 1 nginx nginx 11369804 Sep 24 15:33 error.log
drwxrwx---. 2 nginx nginx 4096 Sep 24 12:12 tracking

[root@tracktor-prod-a-041 log]# logrotate -d /etc/logrotate.d/nginx
reading config file /etc/logrotate.d/nginx
Handling 1 logs
rotating pattern: /var/log/nginx/*log after 1 days (10 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/nginx/access.log
log needs rotating
considering log /var/log/nginx/error.log
log needs rotating
rotating log /var/log/nginx/access.log, log->rotateCount is 10
dateext suffix '-20150924'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
renaming /var/log/nginx/access.log.10.gz to /var/log/nginx/access.log.11.gz (rotatecount 10, logstart 1, i 10),
renaming /var/log/nginx/access.log.9.gz to /var/log/nginx/access.log.10.gz (rotatecount 10, logstart 1, i 9),
renaming /var/log/nginx/access.log.8.gz to /var/log/nginx/access.log.9.gz (rotatecount 10, logstart 1, i 8),
renaming /var/log/nginx/access.log.7.gz to /var/log/nginx/access.log.8.gz (rotatecount 10, logstart 1, i 7),
renaming /var/log/nginx/access.log.6.gz to /var/log/nginx/access.log.7.gz (rotatecount 10, logstart 1, i 6),
renaming /var/log/nginx/access.log.5.gz to /var/log/nginx/access.log.6.gz (rotatecount 10, logstart 1, i 5),
renaming /var/log/nginx/access.log.4.gz to /var/log/nginx/access.log.5.gz (rotatecount 10, logstart 1, i 4),
renaming /var/log/nginx/access.log.3.gz to /var/log/nginx/access.log.4.gz (rotatecount 10, logstart 1, i 3),
renaming /var/log/nginx/access.log.2.gz to /var/log/nginx/access.log.3.gz (rotatecount 10, logstart 1, i 2),
renaming /var/log/nginx/access.log.1.gz to /var/log/nginx/access.log.2.gz (rotatecount 10, logstart 1, i 1),
renaming /var/log/nginx/access.log.0.gz to /var/log/nginx/access.log.1.gz (rotatecount 10, logstart 1, i 0),
rotating log /var/log/nginx/error.log, log->rotateCount is 10
dateext suffix '-20150924'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
renaming /var/log/nginx/error.log.10.gz to /var/log/nginx/error.log.11.gz (rotatecount 10, logstart 1, i 10),
renaming /var/log/nginx/error.log.9.gz to /var/log/nginx/error.log.10.gz (rotatecount 10, logstart 1, i 9),
renaming /var/log/nginx/error.log.8.gz to /var/log/nginx/error.log.9.gz (rotatecount 10, logstart 1, i 8),
renaming /var/log/nginx/error.log.7.gz to /var/log/nginx/error.log.8.gz (rotatecount 10, logstart 1, i 7),
renaming /var/log/nginx/error.log.6.gz to /var/log/nginx/error.log.7.gz (rotatecount 10, logstart 1, i 6),
renaming /var/log/nginx/error.log.5.gz to /var/log/nginx/error.log.6.gz (rotatecount 10, logstart 1, i 5),
renaming /var/log/nginx/error.log.4.gz to /var/log/nginx/error.log.5.gz (rotatecount 10, logstart 1, i 4),
renaming /var/log/nginx/error.log.3.gz to /var/log/nginx/error.log.4.gz (rotatecount 10, logstart 1, i 3),
renaming /var/log/nginx/error.log.2.gz to /var/log/nginx/error.log.3.gz (rotatecount 10, logstart 1, i 2),
renaming /var/log/nginx/error.log.1.gz to /var/log/nginx/error.log.2.gz (rotatecount 10, logstart 1, i 1),
renaming /var/log/nginx/error.log.0.gz to /var/log/nginx/error.log.1.gz (rotatecount 10, logstart 1, i 0),
fscreate context set to system_u:object_r:httpd_log_t:s0
renaming /var/log/nginx/access.log to /var/log/nginx/access.log.1
creating new /var/log/nginx/access.log mode = 0644 uid = 997 gid = 995
fscreate context set to system_u:object_r:httpd_log_t:s0
renaming /var/log/nginx/error.log to /var/log/nginx/error.log.1
creating new /var/log/nginx/error.log mode = 0644 uid = 997 gid = 995
running postrotate script
running script with arg /var/log/nginx/*log : "
/bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
"
compressing log with: /bin/gzip
removing old log /var/log/nginx/access.log.11.gz
error: error opening /var/log/nginx/access.log.11.gz: No such file or directory

Those errors can be ignored and are a consequence of not using the full logrotate configuration file (which includes the dateext option).

Try a dry-run with the full logrotate configuration instead and you shouldn't see any errors:

# logrotate -d -f /etc/logrotate.conf

Then try rotating for real and the nginx logs should be rotated:

# logrotate -f /etc/logrotate.conf

Also, it should still work with `logrotate -f /etc/logrotate.d/nginx` despite the error message.

[root@tracktor-prod-a-041 nginx]# ls -la
total 44500
drwxrwx---. 3 nginx nginx 54 Sep 14 09:37 .
drwxr-xr-x. 10 root root 4096 Sep 20 03:45 ..
-rw-r--r--. 1 nginx nginx 25183610 Sep 24 15:51 access.log
-rw-r--r--. 1 nginx nginx 13179052 Sep 24 15:51 error.log
drwxrwx---. 2 nginx nginx 4096 Sep 24 15:49 tracking

[root@tracktor-prod-a-041 nginx]# logrotate -f /etc/logrotate.d/nginx
error: skipping "/var/log/nginx/access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/nginx/error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

[root@tracktor-prod-a-041 nginx]# ls -la
total 44500
drwxrwx---. 3 nginx nginx 54 Sep 14 09:37 .
drwxr-xr-x. 10 root root 4096 Sep 20 03:45 ..
-rw-r--r--. 1 nginx nginx 25202598 Sep 24 15:51 access.log
-rw-r--r--. 1 nginx nginx 13187444 Sep 24 15:51 error.log
drwxrwx---. 2 nginx nginx 4096 Sep 24 15:49 tracking

[root@tracktor-prod-a-041 nginx]# ls -la
total 44500
drwxrwx---. 3 nginx nginx 54 Sep 14 09:37 .
drwxr-xr-x. 10 root root 4096 Sep 20 03:45 ..
-rw-r--r--. 1 nginx nginx 25330817 Sep 24 15:52 access.log
-rw-r--r--. 1 nginx nginx 13267932 Sep 24 15:52 error.log
drwxrwx---. 2 nginx nginx 4096 Sep 24 15:49 tracking
You have new mail in /var/spool/mail/centos

[root@tracktor-prod-a-041 nginx]# logrotate -f /etc/logrotate.conf
error: skipping "/var/log/nginx/access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/nginx/error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

[root@tracktor-prod-a-041 nginx]# ls -la
total 44500
drwxrwx---. 3 nginx nginx 54 Sep 14 09:37 .
drwxr-xr-x. 10 root root 4096 Sep 24 15:52 ..
-rw-r--r--. 1 nginx nginx 25373079 Sep 24 15:52 access.log
-rw-r--r--. 1 nginx nginx 13292871 Sep 24 15:52 error.log
drwxrwx---. 2 nginx nginx 4096 Sep 24 15:49 tracking

Deja vu! ;-)

(Andrew Holway from comment #3)
> I noticed that, on the box with this "bug" /var/log/nginx was on 770. I have
> changed it to 700 to match the test box
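
The thread turns on whether /var/log/nginx is 700, 770 or 777. The following is an added example, not part of the original report or of logrotate itself: a shell check that applies the condition quoted in the error message (world writable, or writable by a group which is not root) to a mode and gid. The function names are hypothetical, gid 995 is the value shown in the debug output above, and check_log_dir assumes GNU stat.

```shell
#!/bin/sh
# Added example: apply the rule quoted in logrotate's error message to a
# directory's permission bits and group id.

# insecure_parent MODE GID
# MODE is the octal permission string (e.g. 770), GID the numeric group id.
# Returns 0 when the directory matches the "insecure permissions" rule.
insecure_parent() {
    mode=$(( 0$1 ))                       # leading 0 makes the constant octal
    gid=$2
    # World-writable bit (0002) is always insecure.
    if [ $(( mode & 0002 )) -ne 0 ]; then return 0; fi
    # Group-writable bit (0020) is insecure unless the group is root (gid 0).
    if [ $(( mode & 0020 )) -ne 0 ] && [ "$gid" -ne 0 ]; then return 0; fi
    return 1
}

# verdict MODE GID: prints "insecure" or "ok".
verdict() {
    if insecure_parent "$1" "$2"; then echo insecure; else echo ok; fi
}

# check_log_dir DIR: run the same test against a real directory.
check_log_dir() {
    dir=$1
    perms=$(stat -c '%a %g' "$dir") || return 2   # GNU stat: octal mode, gid
    # shellcheck disable=SC2086
    set -- $perms
    echo "$dir mode=$1 gid=$2 $(verdict "$1" "$2")"
}

# Constructed cases mirroring the thread: 700 (test box), 770 (affected box),
# 777 (the maintainer's reproduction), and 770 with a root-owned group.
for c in "700 995" "770 995" "777 995" "770 0"; do
    # shellcheck disable=SC2086
    set -- $c
    echo "mode=$1 gid=$2 -> $(verdict "$1" "$2")"
done
```

A directory this flags needs either tighter permissions (the 700 seen on the test box) or a "su" directive in the logrotate config naming the user and group to rotate as, which is what the error message asks for.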