1696777 – Logrotate permissions for rhn-proxy prevent execution

Bug 1696777 - Logrotate permissions for rhn-proxy prevent execution

Summary: Logrotate permissions for rhn-proxy prevent execution

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Spacewalk
Classification:	Community
Component:	Proxy Server
Sub Component:
Version:	2.9
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Michael Mráka
QA Contact:	Red Hat Satellite QA List
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	space210
TreeView+	depends on / blocked

Reported:	2019-04-05 15:33 UTC by heming.gu
Modified:	2020-03-23 12:01 UTC (History)
CC List:	1 user (show)
Fixed In Version:	spacewalk-proxy-2.10.5-1
Clone Of:
Environment:
Last Closed:	2020-03-23 12:01:45 UTC
Embargoed:

Attachments	(Terms of Use)

Description heming.gu 2019-04-05 15:33:38 UTC

Description of problem:

$ /etc/cron.daily/logrotate
error: Ignoring rhn-proxy-broker because of bad file mode - must be 0644 or 0444.
error: Ignoring rhn-proxy-redirect because of bad file mode - must be 0644 or 0444.

$ ls -l /etc/logrotate.d/rhn-proxy*
-rw-rw-r--. 1 root root 174 Nov 27 03:13 /etc/logrotate.d/rhn-proxy-broker
-rw-rw-r--. 1 root root 178 Nov 27 03:13 /etc/logrotate.d/rhn-proxy-redirect

After chmodding the logrotate configuration files to 0644, the following error the appears:

$ /etc/cron.daily/logrotate
error: skipping "/var/log/rhn/rhn_proxy_broker.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/rhn/rhn_proxy_redirect.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

$ ls -lah /var/log/rhn/
total 8.6G
drwxrwx---.  2 root   apache   64 Jan 23 06:16 .
drwxr-xr-x. 15 root   root   4.0K Apr  5 11:07 ..
-rw-rw----.  1 apache apache 8.3G Apr  5 11:33 rhn_proxy_broker.log
-rw-rw----.  1 apache apache 9.0M Apr  5 11:00 rhn_proxy_redirect.log



Version-Release number of selected component (if applicable):

spacewalk-proxy-broker-2.9.2-1.el7.noarch
spacewalk-proxy-redirect-2.9.2-1.el7.noarch

How reproducible:
Testing was performed on a CentOS 7 server with Spacewalk Proxy 2.9.2-1.

Comment 1 Justin Maughmer 2019-09-19 15:09:11 UTC

Issue still present in 2.9.3-1 on RHEL 7.7.

spacewalk-proxy-broker-2.9.3-1.el7.noarch
spacewalk-proxy-redirect-2.9.3-1.el7.noarch

Comment 2 Michael Mráka 2020-03-13 10:51:00 UTC

Fixed in spacewalk git by
commit 72c52def6ecfbcf68d79a49cfb782f886ba3580d
    1696777 - fixed su directive
commit bab0a6fe73ac9c53f7a174c7f6eeb35fb33caab4
    1696777 - fixed file mode

Comment 3 Michael Mráka 2020-03-23 12:01:45 UTC

Spacewalk 2.10 has been released.
https://github.com/spacewalkproject/spacewalk/wiki/ReleaseNotes210

Note You need to log in before you can comment on or make changes to this bug.