Description of problem:
------------------------

logrotate is complaining about rotating ganesha logs coz of insecure permissions :

<snip>
Content-Type: text/plain; charset="UTF-8"
Subject: Anacron job 'cron.daily' on gqas007.sbu.lab.eng.bos.redhat.com

/etc/cron.daily/logrotate:

error: skipping "/var/log/ganesha/ganesha.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/ganesha/ganesha-gfapi.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
</snip>

[root@gqas013 ~]# ls -ld /var/log/ganesha/
drwxrwxr-x. 2 ganesha ganesha 50 Mar 22 10:15 /var/log/ganesha/
[root@gqas013 ~]# ls -ld /var/log/ganesha/ganesha.log
-rw-r--r--. 1 root root 269817 Mar 23 05:55 /var/log/ganesha/ganesha.log
[root@gqas013 ~]#

Version-Release number of selected component (if applicable):
-------------------------------------------------------------

glusterfs-ganesha-3.12.2-5.el7rhgs.x86_64
nfs-ganesha-gluster-2.5.5-3.el7rhgs.x86_64

How reproducible:
------------------

100%
Missing su here :

[root@gqas013 ~]# cat /etc/logrotate.d/ganesha
/var/log/ganesha/ganesha.log {
    weekly
    rotate 52
    copytruncate
    dateext
    compress
    missingok
}
[root@gqas013 ~]# cat /etc/logrotate.d/ganesha-gfapi
/var/log/ganesha/ganesha-gfapi.log {
    weekly
    rotate 52
    copytruncate
    dateext
    compress
    missingok
}
[root@gqas013 ~]#
Would adding su ganesha ganesha fix it? (I can give this a try later today)
Yeah, you can try that. Make sure to add it in the beginning. Perform systemctl daemon-load post that. Then see whether log rotate works using the logrotate command:

logrotate -f /etc/logrotate.d/ganesha
I'll have this by Thurs EOD.
This doesn't seem to work :

[root@gqas016 ~]# logrotate -f /etc/logrotate.d/ganesha
error: error opening /var/log/ganesha/ganesha.log: Permission denied
[root@gqas016 ~]#
[root@gqas016 ~]# cat /etc/logrotate.d/ganesha
/var/log/ganesha/ganesha.log {
    su ganesha ganesha
    weekly
    rotate 52
    copytruncate
    dateext
    compress
    missingok
}

Anything else I can try?
I will set the mode correctly on the directory in the next build. Please give qe ack (and hopefully we get the auto pm ack) so I can mark this BZ as Resolved
adding "su ganesha ganesha" won't/doesn't work. It needs to be "su root ganesha", at least until we have ganesha running as non-root. Or we can change the perms on /var/log/ganesha to 0755 (currently at 0775). The latter is a simple fix to the mkdir in the rpm .spec file.
(In reply to Kaleb KEITHLEY from comment #8)
> I will set the mode correctly on the directory in the next build.
>
> Please give qe ack (and hopefully we get the auto pm ack) so I can mark this
> BZ as Resolved

So you are suggesting the issue happened because of the mode for the directory, 775, not because it is owned by the ganesha user. I didn't understand why "su root ganesha" works but "su ganesha ganesha". Currently /var/log/ganesha is owned by "ganesha ganesha", and if I understand option su, it mentions "su user group", so ideally it needs to be "su ganesha ganesha" IMO.
I don't see anything in the logrotate.conf man page that says user must be the same as the group, or the same as the log file owner. AFAICT, "su root ganesha" is not wrong. (And log rotation works with it.) And I still think changing the perms on /var/log/ganesha to 0755 is the simpler/better fix.
I can confirm that adding "su root ganesha" works :

**DEFAULTS ** :

[root@gqas016 ~]# cat /etc/logrotate.d/ganesha
/var/log/ganesha/ganesha.log {
    weekly
    rotate 52
    copytruncate
    dateext
    compress
    missingok
}
[root@gqas016 ~]#
[root@gqas016 ~]# logrotate -f /etc/logrotate.d/ganesha
error: skipping "/var/log/ganesha/ganesha.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
[root@gqas016 ~]#

** ADD su root ganesha ** :

[root@gqas016 ~]# cat /etc/logrotate.d/ganesha
/var/log/ganesha/ganesha.log {
    weekly
    rotate 52
    copytruncate
    dateext
    compress
    missingok
    su root ganesha
}
[root@gqas016 ~]# logrotate -f /etc/logrotate.d/ganesha
[root@gqas016 ~]#
Changing permissions for /var/log/ganesha works as well (I understand that's the easier fix). I hope it doesn't cause any other problems:

[root@gqas016 ~]# chmod 0777 /var/log/ganesha/
[root@gqas016 ~]# logrotate -f /etc/logrotate.d/ganesha
error: skipping "/var/log/ganesha/ganesha.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
[root@gqas016 ~]#
[root@gqas016 ~]# chmod 0755 /var/log/ganesha/
[root@gqas016 ~]#
[root@gqas016 ~]# logrotate -f /etc/logrotate.d/ganesha
[root@gqas016 ~]#
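Added example, not part of any comment in this report: a small shell check that applies the rule stated in the logrotate error message (parent directory world writable, or group writable by a group other than root) to a mode and gid, so the 0775, 0755 and 0777 results above can be predicted before running logrotate. The function names and gid 42 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Applies the rule quoted in the
# logrotate error text: a parent directory is rejected when it is world
# writable, or group writable by a group other than root (gid 0).

# parent_dir_verdict MODE GID
#   MODE: octal permission bits as printed by `stat -c %a` (e.g. 775)
#   GID:  numeric group id of the directory
parent_dir_verdict() {
    mode=$1
    gid=$2
    if [ $(( 0$mode & 0002 )) -ne 0 ]; then
        echo "insecure: world writable"
    elif [ $(( 0$mode & 0020 )) -ne 0 ] && [ "$gid" -ne 0 ]; then
        echo "insecure: writable by non-root group"
    else
        echo "ok"
    fi
}

# audit_log_parent LOGFILE
#   Reads the real mode and gid of LOGFILE's parent directory (GNU stat).
audit_log_parent() {
    dir=$(dirname -- "$1")
    info=$(stat -c '%a %g' -- "$dir") || return 2
    set -- $info
    printf '%s mode=%s gid=%s -> %s\n' "$dir" "$1" "$2" "$(parent_dir_verdict "$1" "$2")"
}

# Constructed cases mirroring the thread; gid 42 is a placeholder for the
# ganesha group, whose real gid is not shown in the report.
for sample in "775 42" "755 42" "777 42"; do
    set -- $sample
    printf 'mode=%s gid=%s -> %s\n' "$1" "$2" "$(parent_dir_verdict "$1" "$2")"
done
```

On a live host, `audit_log_parent /var/log/ganesha/ganesha.log` reports the verdict for the directory actually installed by the package.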
Able to repro the issue with

# rpm -qa | grep ganesha
glusterfs-ganesha-3.12.2-7.el7rhgs.x86_64
nfs-ganesha-2.5.5-4.el7rhgs.x86_64
nfs-ganesha-gluster-2.5.5-4.el7rhgs.x86_64

# ll | grep ganesha
drwxrwxr-x. 2 ganesha ganesha 50 Apr 9 16:31 ganesha

# ll ganesha/
total 120
-rw-------. 1 root root 95006 Apr 9 16:30 ganesha-gfapi.log
-rw-r--r--. 1 root root 23792 Apr 9 16:32 ganesha.log

# logrotate -f /etc/logrotate.d/ganesha
error: skipping "/var/log/ganesha/ganesha.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

# logrotate -f /etc/logrotate.d/ganesha-gfapi
error: skipping "/var/log/ganesha/ganesha-gfapi.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

# cat /etc/logrotate.d/ganesha
/var/log/ganesha/ganesha.log {
    weekly
    rotate 52
    copytruncate
    dateext
    compress
    missingok
}

[root@dhcp37-191 log]# cat /etc/logrotate.d/ganesha-gfapi
/var/log/ganesha/ganesha-gfapi.log {
    weekly
    rotate 52
    copytruncate
    dateext
    compress
    missingok
}

Moving this BZ to assigned state.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:2610