Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Permissions check #580

Open
Z9n2JktHlZDmlhSvqc9X2MmL3BwQG7tk opened this issue Jan 24, 2024 · 0 comments
Open

Permissions check #580

Z9n2JktHlZDmlhSvqc9X2MmL3BwQG7tk opened this issue Jan 24, 2024 · 0 comments

Comments

@Z9n2JktHlZDmlhSvqc9X2MmL3BwQG7tk
Copy link

logrotate must not check any permissions, it is a tool just for rotating log files, so it must do the rotation only, dirs/files permissions are not the area of expertise of logrotate. I, as the system administrator, knows better what permissions my dirs/files should have.

Real life example:
we have a website that writes its logs to some subdirectory, so this subdirectory must be writeable by web-server user. This site is served by Jenkins, so it must be writeable by jenkins user (to perform deployments, especially the first deployment when site dir is empty). Additionally, this site is maintained by a team of developers, so it must be writeable by developer group.
To ensure this I set up POSIX ACLs:

[root@server ~]# ls -ld /var/www/site.com/storage/logs
drwxrwxr-x+ 2 jenkins users 4096 Jan 24 13:32 /var/www/site.com/storage/logs

[root@server ~]# getfacl /var/www/site.com/storage/logs
# file: var/www/site.com/storage/logs
# owner: jenkins
# group: users
user::rwx
user:www-data:rwx
user:jenkins:rwx
group::r-x
group:developer:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:www-data:rwx
default:user:jenkins:rwx
default:group::r-x
default:group:developer:rwx
default:mask::rwx
default:other::r-x

And now when I try to use logrotate I get an error:

error: skipping "/var/www/site.com/storage/logs/site.log" because parent directory has insecure permissions
(It's world writable or writable by group which is not "root")
Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

I can not set su directive to something static because logs dir can be created by:

  • jenkins user;
  • one of developers (they can recreate whole directory).

Eventually

I don't understand why logrotate tells me something about permissions when it is running as root ?
Why does logrotate think it knows better what permissions my dirs/files should have ?
What is the problem with just rotating the files and not checking anything else ???
Why do I need to reinvent a similar tool for rotation in such case if a standard tool logrotate already exists ?

I think either permissions check should be removed from logrotate code, or some option (nopermissionscheck) should be added to disable such checks. This is a real pain with logrotate.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Z9n2JktHlZDmlhSvqc9X2MmL3BwQG7tk