Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Automatic su to file/directory owner #419

Open
hkmaly opened this issue Aug 20, 2021 · 6 comments
Open

Automatic su to file/directory owner #419

hkmaly opened this issue Aug 20, 2021 · 6 comments
Labels
wishlist

Comments

@hkmaly
Copy link

hkmaly commented Aug 20, 2021

Would it be possible to specify directive working like su, but instead of using provided user and group it would use user and group of rotated file and/or the directory the file is in?

The idea is, obviously, that single wildcard would match multiple files, each of those possibly having different group (and without the "su" triggering the "because parent directory has insecure permissions" error).
@hkmaly hkmaly changed the title Automatic su to file owner Automatic su to file/directory owner Aug 20, 2021
@mat-m
Copy link

mat-m commented Aug 26, 2021

@hkmaly Why so ?
logrotate works as root and chown rotated file to the same permissions as the original. I don't see a use case which does not fit there.
Can you elaborate on your scenario ?

@hkmaly
Copy link
Author

hkmaly commented Aug 27, 2021
edited

As I already mentioned, @mat-m , logrotate complains when it's supposed to rotate file in directory with "insecure" permission (group/world writeable by someone else than root). And for good reason, it would be possible to abuse that for attack. The recommended workaround (directly in the error message) is to use "su" directive in config file to tell logrotate which user should be used for rotation ... but that's not possible in situation when the same config file covers multiple directories, each writeable by different group, using single wildcard expression (like /home/*/something.log or /var/log/*/*.log).

@mat-m
Copy link

mat-m commented Aug 27, 2021

It does not on my side. I apply logrotate on oracle logs, which folder has oracle:oracle perms.
From my experience, logrotate only complains when the configuration file is not owned by root.
Can we have a sample of the error message ?

@hkmaly
Copy link
Author

hkmaly commented Aug 27, 2021

And is it writeable by the oracle group?

The relevant part of code is right here:

logrotate/logrotate.c

Lines 1364 to 1373 in eb7ec2b

/* Don't rotate in directories writable by others or group which is not "root" */
if ((sb.st_gid != 0 && (sb.st_mode & S_IWGRP)) || (sb.st_mode & S_IWOTH)) {
message(MESS_ERROR, "skipping \"%s\" because parent directory has insecure permissions"
" (It's world writable or writable by group which is not \"root\")"
" Set \"su\" directive in config file to tell logrotate which user/group"
" should be used for rotation.\n"
,log->files[logNum]);
free(logpath);
return 1;
}

Do you really need the sample of the error message?

@kdudka
Copy link
Member

kdudka commented Aug 30, 2021

The proposal makes sense to me.

@mat-m
Copy link

mat-m commented Sep 9, 2021

OK, my bad, I thought my folders were group-writable, but they're not.

@kdudka kdudka added the wishlist label Dec 2, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
wishlist
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@kdudka @mat-m @hkmaly