1310173 – Candlepin logrotate reports insecure permissions

Bug 1310173 - Candlepin logrotate reports insecure permissions

Summary: Candlepin logrotate reports insecure permissions

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Candlepin
Classification:	Community
Component:	candlepin
Sub Component:
Version:	0.9
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	William Poteat
QA Contact:	Katello QA List
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1142677 1212955
TreeView+	depends on / blocked

Reported:	2016-02-19 16:28 UTC by Barnaby Court
Modified:	2016-05-16 14:22 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2016-05-16 14:22:17 UTC
Embargoed:

Attachments	(Terms of Use)

Description Barnaby Court 2016-02-19 16:28:20 UTC

logrotate reports the following message when performing some Satellite related logfiles:

---%<---

/etc/cron.daily/logrotate:

error: skipping "/var/log/candlepin/audit.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/candlepin/candlepin.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/candlepin/cpdb.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/candlepin/cpinit.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/candlepin/error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/tomcat/catalina.out" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

---%<---

Seems like there is a parameter in the config files missing.

Version-Release number of selected component (if applicable):
Satellite 6.0.4 on RHEL7

How reproducible:
Install Satellite 6.0.4
Wait for the daily logrotate or run "logrotate /var/log/candlepin

Additional info:

Work around documented at https://access.redhat.com/solutions/1597913

Comment 1 Barnaby Court 2016-02-26 19:25:12 UTC

Raising the priority due to the number of upstream issues & customer cases.

Comment 2 William Poteat 2016-03-04 20:19:16 UTC

Fixed across branches:

Hotfix 0.9.49: 2b916f8f8206aa613dcb3db0df55b49526cc469e
Hotfix 0.9.51: c09bb13a312b0c424ac3eae66d92a131a805b70b
Hotfix 0.9.54: 0dca12dde4274360c4d18ff014a62b14c3c0eae5
Master: 2ed3433638f23378d830858349ad71f989e48ad9

Comment 3 William Poteat 2016-03-07 13:52:52 UTC

/var/log/tomcat/catalina.out logrotate is not set by the Candlepin process. Will need to be fixed elsewhere.

Comment 4 Mike McCune 2016-03-28 23:46:11 UTC

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Comment 5 Barnaby Court 2016-05-16 14:22:17 UTC

Fixed in 0.9.54.6

Note You need to log in before you can comment on or make changes to this bug.