If nsslapd-errorlog-mode is set to 644, slapd is shut down, errors log removed, and slapd is started, then the new log might get permissions 600. This is happening because the front end processing of the configuration attributes in cn=config happens in an order that can't be relied upon. If it processes nsslapd-errorlog before nsslapd-errorlog-mode, then it creates the log file with the default permissions (600). This is true for access and audit logs too.
Created attachment 357960: trivial fix proposal

This fix makes the function that processes the nsslapd-{access|error|audit}log-mode attribute also perform a chown, if it has already processed the nsslapd-{access|error|audit}log attribute. If it has not yet processed the nsslapd-{access|error|audit}log attribute then it won't perform the chown since it doesn't yet know the file name of the log file, and anyway the mode will be correct when the nsslapd-{access|error|audit}log attribute is processed and the log file is opened.

A side effect of this fix is that we can now change mode on open log files on the fly. Previously, setting nsslapd-{access|error|audit}log-mode would only affect new files but now it will also take effect for the log file currently in use.
Created attachment 362149: revised patch
To ssh://git.fedorahosted.org/git/389/ds.git
   60c49dd..56b9868  master -> master

commit 56b9868c2fca5a56b11a4d0a9387980b6f338835
Author: Rich Megginson <rmeggins>
Date: Tue Sep 22 17:04:19 2009 -0600

Reviewed by: nkinder (Thanks!)
Fix Description: Try to apply the mode using chmod() if a log file has been specified. If and only if the log file has not been set, or if the chmod() succeeds, apply the changes to the internal config.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
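The order-independent handling described in the fix, as an added C sketch that is not the 389-ds patch or source: struct log_cfg, cfg_set_log_file(), cfg_set_log_mode() and mode_after() are hypothetical names, the temp path is constructed, and the fchmod() after open() is an assumption added here so the result does not depend on the umask.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names throughout; this is not the 389-ds source. */
struct log_cfg {
    char path[64];  /* empty until the log file attribute is processed */
    mode_t mode;    /* 0600 until the -mode attribute is processed */
};

/* Log file attribute handler: open the file and apply the mode known so far. */
int cfg_set_log_file(struct log_cfg *c, const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, c->mode);
    if (fd < 0) return -1;
    int rc = fchmod(fd, c->mode);  /* assumption: ignore umask and any old mode */
    close(fd);
    if (rc == 0) snprintf(c->path, sizeof c->path, "%s", path);
    return rc;
}

/* -mode handler: chmod a known file; store the mode only if unset or chmod() worked. */
int cfg_set_log_mode(struct log_cfg *c, const char *octal)
{
    char *end;
    unsigned long m = strtoul(octal, &end, 8);
    if (end == octal || *end != '\0' || m > 0777) return -1;
    if (c->path[0] != '\0' && chmod(c->path, (mode_t)m) != 0) return -1;
    c->mode = (mode_t)m;
    return 0;
}

/* Process both attributes in either order on a temp file; return its mode or -1. */
int mode_after(int file_first, const char *octal)
{
    struct log_cfg c = { "", 0600 };
    char path[] = "/tmp/errors-XXXXXX";  /* constructed sample path */
    struct stat st;
    int fd = mkstemp(path), rc;
    if (fd < 0) return -1;
    close(fd);
    rc = file_first ? (cfg_set_log_file(&c, path) || cfg_set_log_mode(&c, octal))
                    : (cfg_set_log_mode(&c, octal) || cfg_set_log_file(&c, path));
    if (rc == 0) rc = stat(path, &st);
    unlink(path);
    return rc == 0 ? (int)(st.st_mode & 0777) : -1;
}
```

Whichever attribute is processed first, the file ends up with the configured mode, and a failed chmod() leaves the stored mode unchanged.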
verified - RHEL 4 and Solaris

version -
Solaris: 8.2.0,REV=2010.06.07.04.34.53
RHEL 4: redhat-ds-base-8.2.0-2010060704.el4dsrv

Solaris:
bash-2.05# /etc/init.d/dirsrv stop
Shutting down dirsrv: sun-netra-01... SUCCESS
Solaris:
bash-2.05# rm -rf /var/log/dirsrv/slapd-sun-netra-01/*
bash-2.05# /etc/init.d/dirsrv start
Starting dirsrv: sun-netra-01... SUCCESS
bash-2.05# ls -al /var/log/dirsrv/slapd-sun-netra-01/
total 12
drwxrwx--- 2 nobody nobody 512 Jun 7 16:08 .
drwxr-xr-x 4 root other 512 Jun 7 15:59 ..
-rw------- 1 nobody other 0 Jun 7 16:08 access
-rw------- 1 nobody other 63 Jun 7 16:08 access.rotationinfo
-rw------- 1 nobody other 0 Jun 7 16:08 audit
-rw------- 1 nobody other 63 Jun 7 16:08 audit.rotationinfo
-rw------- 1 nobody other 297 Jun 7 16:08 errors
-rw------- 1 nobody other 63 Jun 7 16:08 errors.rotationinfo

RHEL 4:
[root@jgalipea-rhel4 ~]# ls -al /var/log/dirsrv/slapd-jgalipea-rhel4/
total 56
drwxrwx--- 2 nobody nobody 4096 Jun 7 16:14 .
drwxr-xr-x 4 root root 4096 Jun 7 04:22 ..
-rw------- 1 nobody root 0 Jun 7 16:14 access
-rw------- 1 nobody root 63 Jun 7 16:14 access.rotationinfo
-rw------- 1 nobody root 0 Jun 7 16:14 audit
-rw------- 1 nobody root 63 Jun 7 16:14 audit.rotationinfo
-rw------- 1 nobody root 388 Jun 7 16:14 errors
-rw------- 1 nobody root 63 Jun 7 16:14 errors.rotationinfo
[root@jgalipea-rhel4 ~]# service dirsrv stop
Shutting down dirsrv: jgalipea-rhel4... [ OK ]
[root@jgalipea-rhel4 ~]# rm -rf /var/log/dirsrv/slapd-jgalipea-rhel4/*
[root@jgalipea-rhel4 ~]# service dirsrv start
Starting dirsrv: jgalipea-rhel4... [ OK ]
[root@jgalipea-rhel4 ~]# ls -al /var/log/dirsrv/slapd-jgalipea-rhel4/
total 56
drwxrwx--- 2 nobody nobody 4096 Jun 7 16:14 .
drwxr-xr-x 4 root root 4096 Jun 7 04:22 ..
-rw------- 1 nobody root 0 Jun 7 16:14 access
-rw------- 1 nobody root 63 Jun 7 16:14 access.rotationinfo
-rw------- 1 nobody root 0 Jun 7 16:14 audit
-rw------- 1 nobody root 63 Jun 7 16:14 audit.rotationinfo
-rw------- 1 nobody root 388 Jun 7 16:14 errors
-rw------- 1 nobody root 63 Jun 7 16:14 errors.rotationinfo