Project

General

Profile

Bug #4445

Wrong permissions slapd.log after logrotate

Added by Dennis Cabooter over 6 years ago. Updated over 6 years ago.

Status:
Released
Priority:
1
Category:
System techniques
Target version:
Severity:
User visibility:
Effort required:
Priority:

Description

The slapd.log file has the wrong permissions after a logrotate.

# ls -al /var/log/rudder/ldap/
total 232
drwxr-xr-x 2 root   root   4096 Feb  6 06:28 .
drwxr-xr-x 8 root   root   4096 Apr 25  2013 ..
-rw-r----- 1 root   adm       0 Feb  6 06:28 slapd.log
-rw-r--r-- 1 syslog adm  224657 Feb  6 06:25 slapd.log.1

As you can see slapd.log is 0 size due to wrong permissions.

The logrotate sets the wrong permissions, because of this:

# head -36 /etc/logrotate.d/rudder | tail -16
/var/log/rudder/ldap/slapd.log {
        ...
        create 640 root adm
        ...
}

Related issues

Related to Rudder - Bug #4549: Mismatch of group permission between log files and logrotate configurationRejectedAlexis MOUSSETActions
Related to Rudder - Bug #4551: Initial logrotate configuration (from initial-promises) does not include recent fixesReleased2014-03-05Nicolas CHARLESActions
#1

Updated by François ARMAND over 6 years ago

  • Status changed from New to 8
  • Assignee set to Matthieu CERDA
  • Priority changed from N/A to 1

Good catch, thanks.

Matthieu, could you look for the first version of that bug, and correct it ? Denis analysis seems OK, so it should be a matter of minutes.

#2

Updated by Dennis Cabooter over 6 years ago

Yesterday I edited /etc/logrotate.d/rudder, so new logs will be owned by syslog:adm instead of root:adm. However, Rudder changed it back. For now I will edit the file again and set the immutable bit on it.

#3

Updated by Jonathan CLARKE over 6 years ago

  • Status changed from 8 to Discussion
  • Assignee changed from Matthieu CERDA to Dennis Cabooter

I don't see any problem here. slapd runs as root, so it is correct that the file shuold belong to root.

However, slapd rarely writes to it's log file. Maybe this is why you see this?

Could you try resetting the logrotate config to it's initial value, and then after there has been a logroate and you see a 0 byte sized file, run "/etc/init.d/slapd status"? This should output some lines in the file.

If not, I can't reproduce this, it works OK for me (on Debian 6).

#4

Updated by Dennis Cabooter over 6 years ago

Please try it on Ubuntu 12.04 to. Ubuntu 12.04 != Debian 6. Nothing is written to the slapd log with root perms.

#5

Updated by Dennis Cabooter over 6 years ago

Hi Jooooooon. :)

There are more logs 0 size:

reports/all.log
reports/extLinuxReport.log
reports/linuxlog.log
reports/winlog.log
core/rudder-webapp.log
compliance/non-compliant-reports.log

But maybe they don't write too much. Slapd will always log when restarted. But not if the log file is owned by root.

#6

Updated by Nicolas CHARLES over 6 years ago

  • Category set to System techniques
  • Status changed from Discussion to 8
  • Assignee changed from Dennis Cabooter to Nicolas CHARLES

I do confirm the issue

On debian, the user running syslog is root

ps  -aux | grep syslog
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
root      1795  0.0  0.0   9616   884 pts/1    S+   18:42   0:00 grep syslog
root     25632  0.0  0.2 200596  5004 ?        Sl   Jan23  17:50 /usr/sbin/rsyslogd -c4

while on ubuntu it is not

root@server:/var/log/rudder/reports#  ps  -aux | grep syslog
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
syslog   14309  0.0  0.3  55572  4708 ?        Sl   17:36   0:00 rsyslogd -c5
root     14850  0.0  0.0   3912   832 pts/0    S+   17:42   0:00 grep --color=auto syslog

We need a separate logrotate file for ubuntu

#7

Updated by Nicolas CHARLES over 6 years ago

  • Target version set to 2.6.11
#8

Updated by Nicolas CHARLES over 6 years ago

  • Status changed from 8 to Pending technical review
  • Assignee changed from Nicolas CHARLES to Jonathan CLARKE
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/306
#9

Updated by Nicolas CHARLES over 6 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 0 to 100

Applied in changeset policy-templates:commit:f0b04c1e5d0b5bc2df26d59d1c14576c42dcfc4b.

#10

Updated by Jonathan CLARKE over 6 years ago

Applied in changeset policy-templates:commit:85e97e8ac81f3c7036869db1504ed5cf686bc27a.

#11

Updated by Jonathan CLARKE over 6 years ago

This is now fixed (in the next minor releases to come). However, I noticed that the logrotate configs from initial-promises was somewhat out of sync with that of the techniques. This needs syncing, so I created #4551.

#12

Updated by Vincent MEMBRÉ over 6 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 2.6.11, which was released today.
Check out:

Also available in: Atom PDF