Bug #4445

closed

Wrong permissions slapd.log after logrotate

Added by Dennis Cabooter almost 11 years ago. Updated almost 11 years ago.

Status:
Released
Priority:
1 (highest)
Assignee:
Jonathan CLARKE
Category:
System techniques

Description

The slapd.log file has the wrong permissions after a logrotate.

# ls -al /var/log/rudder/ldap/
total 232
drwxr-xr-x 2 root   root   4096 Feb  6 06:28 .
drwxr-xr-x 8 root   root   4096 Apr 25  2013 ..
-rw-r----- 1 root   adm       0 Feb  6 06:28 slapd.log
-rw-r--r-- 1 syslog adm  224657 Feb  6 06:25 slapd.log.1

As you can see slapd.log is 0 size due to wrong permissions.

The logrotate sets the wrong permissions, because of this:

# head -36 /etc/logrotate.d/rudder | tail -16
/var/log/rudder/ldap/slapd.log {
        ...
        create 640 root adm
        ...
}

Related issues: 2 (0 open, 2 closed)

Related to Rudder - Bug #4549: Mismatch of group permission between log files and logrotate configuration (Rejected, Alexis Mousset)
Related to Rudder - Bug #4551: Initial logrotate configuration (from initial-promises) does not include recent fixes (Released, Nicolas CHARLES, 2014-03-05)
Actions #1

Updated by François ARMAND almost 11 years ago

  • Status changed from New to 8
  • Assignee set to Matthieu CERDA
  • Priority changed from N/A to 1 (highest)

Good catch, thanks.

Matthieu, could you look for the first version of that bug, and correct it? Dennis's analysis seems OK, so it should be a matter of minutes.

Actions #2

Updated by Dennis Cabooter almost 11 years ago

Yesterday I edited /etc/logrotate.d/rudder, so new logs will be owned by syslog:adm instead of root:adm. However, Rudder changed it back. For now I will edit the file again and set the immutable bit on it.

Actions #3

Updated by Jonathan CLARKE almost 11 years ago

  • Status changed from 8 to Discussion
  • Assignee changed from Matthieu CERDA to Dennis Cabooter

I don't see any problem here. slapd runs as root, so it is correct that the file should belong to root.

However, slapd rarely writes to its log file. Maybe this is why you see this?

Could you try resetting the logrotate config to its initial value, and then after there has been a logrotate and you see a 0 byte sized file, run "/etc/init.d/slapd status"? This should output some lines in the file.

If not, I can't reproduce this, it works OK for me (on Debian 6).

Actions #4

Updated by Dennis Cabooter almost 11 years ago

Please try it on Ubuntu 12.04 too. Ubuntu 12.04 != Debian 6. Nothing is written to the slapd log with root perms.

Actions #5

Updated by Dennis Cabooter almost 11 years ago

Hi Jooooooon. :)

There are more logs with 0 size:

reports/all.log
reports/extLinuxReport.log
reports/linuxlog.log
reports/winlog.log
core/rudder-webapp.log
compliance/non-compliant-reports.log

But maybe they don't write too much. Slapd will always log when restarted. But not if the log file is owned by root.

Actions #6

Updated by Nicolas CHARLES almost 11 years ago

  • Category set to System techniques
  • Status changed from Discussion to 8
  • Assignee changed from Dennis Cabooter to Nicolas CHARLES

I do confirm the issue.

On Debian, the user running syslog is root:

ps  -aux | grep syslog
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
root      1795  0.0  0.0   9616   884 pts/1    S+   18:42   0:00 grep syslog
root     25632  0.0  0.2 200596  5004 ?        Sl   Jan23  17:50 /usr/sbin/rsyslogd -c4

while on Ubuntu it is not:

root@server:/var/log/rudder/reports#  ps  -aux | grep syslog
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
syslog   14309  0.0  0.3  55572  4708 ?        Sl   17:36   0:00 rsyslogd -c5
root     14850  0.0  0.0   3912   832 pts/0    S+   17:42   0:00 grep --color=auto syslog

We need a separate logrotate file for Ubuntu.
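
A check for the mismatch confirmed in comment #6, as an added example that is not part of the original thread or Rudder's code: it reads the `create MODE OWNER GROUP` lines of a logrotate file and lists the stanzas whose freshly created log cannot be written by the account that does the logging. The function names, the second stanza's path and the group list are constructed, and it assumes the syslog daemon is the writer and that each stanza header sits on one line.

```shell
#!/bin/sh
# Added example, not Rudder's code. Assumes the log is written by the
# syslog daemon, as comment #6 found.

# unwritable_logs CONF WRITER "GROUPS"
# Prints "path mode owner group" for each stanza whose create directive
# produces a file that WRITER (a member of GROUPS) cannot write to.
unwritable_logs() {
    awk -v writer="$2" -v groups="$3" '
        function wbit(d) { return int(d / 2) % 2 }   # write bit of one octal digit
        BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) ingrp[g[i]] = 1 }
        /^[ \t]*#/   { next }                        # comment line
        /[{][ \t]*$/ { sub(/[ \t]*[{][ \t]*$/, ""); path = $0; next }
        /^[ \t]*[}]/ { path = ""; next }
        $1 == "create" && NF >= 4 && path != "" {
            mode = $2; owner = $3; group = $4; len = length(mode)
            # POSIX picks exactly one permission class for the writer
            if (writer == "root")     ok = 1         # root bypasses mode bits
            else if (owner == writer) ok = wbit(substr(mode, len - 2, 1))
            else if (group in ingrp)  ok = wbit(substr(mode, len - 1, 1))
            else                      ok = wbit(substr(mode, len, 1))
            if (!ok) print path, mode, owner, group
        }
    ' "$1"
}

# Constructed sample: the first stanza is the one quoted in the report (its
# other directives are elided there); the second uses the syslog:adm
# ownership from comment #2 on a hypothetical path.
write_sample_conf() {
    cat > "$1" <<'EOF'
/var/log/rudder/ldap/slapd.log {
        create 640 root adm
}
/var/log/rudder/example/fixed.log {
        create 640 syslog adm
}
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
# Ubuntu case from comment #6: rsyslogd runs as syslog (group list assumed)
unwritable_logs "$conf" syslog "syslog adm"
# Debian case from comment #6: rsyslogd runs as root, nothing is reported
unwritable_logs "$conf" root "root"
rm -f "$conf"
```

On a live host the writer and its groups would come from the running daemon, for example the user column of `ps` for rsyslogd and `id -Gn` for that user.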

Actions #7

Updated by Nicolas CHARLES almost 11 years ago

  • Target version set to 2.6.11
Actions #8

Updated by Nicolas CHARLES almost 11 years ago

  • Status changed from 8 to Pending technical review
  • Assignee changed from Nicolas CHARLES to Jonathan CLARKE
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/306
Actions #9

Updated by Nicolas CHARLES almost 11 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 0 to 100

Applied in changeset policy-templates:commit:f0b04c1e5d0b5bc2df26d59d1c14576c42dcfc4b.

Actions #10

Updated by Jonathan CLARKE almost 11 years ago

Applied in changeset policy-templates:commit:85e97e8ac81f3c7036869db1504ed5cf686bc27a.

Actions #11

Updated by Jonathan CLARKE almost 11 years ago

This is now fixed (in the next minor releases to come). However, I noticed that the logrotate configs from initial-promises were somewhat out of sync with those of the techniques. This needs syncing, so I created #4551.

Actions #12

Updated by Vincent MEMBRÉ almost 11 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 2.6.11, which was released today.
Check out:
