Insecure permissions in parent directory #589

Open
dcere opened this issue Mar 13, 2024 · 4 comments
dcere commented Mar 13, 2024

Hello

I have recently installed logrotate (3.19.0) in Ubuntu 22.04 and I can't make it rotate postfix logs.
My configuration is like so:

/var/log/mail.log {
    daily
    rotate 5
    compress
    delaycompress
    notifempty
    create 0640 syslog adm
    sharedscripts
    postrotate
        systemctl reload postfix.service
    endscript
}

If I run this file with sudo logrotate --force /etc/logrotate.d/postfix it skips the rotation with the following error:

error: skipping "/var/log/mail.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

so I change the configuration to

/var/log/mail.log {
    su syslog adm
    daily
    rotate 5
    compress
    delaycompress
    notifempty
    create 0640 syslog adm
    sharedscripts
    postrotate
        systemctl reload postfix.service
    endscript
}

and then it fails with the following error:

error: error creating output file /var/log/mail.log.1.gz: Permission denied

Changing the create 0640 syslog adm directive for copytruncate does not change anything.

The su directive in /etc/logrotate.conf is su root adm.

This configuration is working with logrotate (3.14.0) in Ubuntu 20.04:

/var/log/mail.log {
    daily
    rotate 5
    compress
    delaycompress
    notifempty
    create 0640 syslog adm
    sharedscripts
    postrotate
        service postfix reload
    endscript
}

In both servers (Ubuntu 20 and Ubuntu 22) the permissions for /var/log are 775 and owners are root:syslog. I don't think I have ever changed these from default values.

What am I missing? Has anything changed from version 3.14 to 3.19 that may lead to this?

Thank you very much!

cgzones (Member) commented Mar 15, 2024

What is the mode of /var?
Either /var or /var/mail should be group- or world-writable.

dcere (Author) commented Mar 18, 2024

The permissions are:

  • /var: 755 root:root
  • /var/log: 775 root:syslog (was wrong in my previous comment)
  • /var/mail: There are no logs here, so I don't see how it could affect logrotate.

Maybe I'm reading it wrong. Should the su directive match the user and group for the log file or the log directory?
Should my su directive be syslog adm to match mail.log? Or should it be root syslog to match /var/log?

cgzones (Member) commented Mar 20, 2024

The check suggests to use the identity of the parent directory, so root:syslog. Since this identity is still privileged it should be allowed to create files (mail.log) as syslog:adm.

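A pre-flight check that applies the rule from the error message quoted earlier (parent directory world-writable, or group-writable with a non-root owning group) and prints the `su` line matching the parent directory's owner and group, as suggested in the comment above. This is an added example, not logrotate's own code; the function names are mine and `suggest_su` assumes GNU coreutils `stat`.

```sh
#!/bin/sh
# Added example (not logrotate's code): check whether a log's parent directory
# would trip the "insecure permissions" skip, and which "su" line would match
# the directory's identity. Function names are hypothetical.

# check_parent_perms MODE OWNER GROUP
#   MODE is the directory's octal mode (e.g. 775); OWNER/GROUP its owner names.
# Returns 0 if the default check would pass, 1 if the log would be skipped.
check_parent_perms() {
    mode=$1; owner=$2; group=$3
    other=${mode#"${mode%?}"}      # last octal digit -> "other" permission bits
    rest=${mode%?}
    grp=${rest#"${rest%?}"}        # second-to-last digit -> "group" permission bits
    if [ $(( other & 2 )) -ne 0 ]; then
        echo "INSECURE ($owner:$group $mode): world-writable; suggested: su $owner $group"
        return 1
    fi
    if [ $(( grp & 2 )) -ne 0 ] && [ "$group" != root ]; then
        echo "INSECURE ($owner:$group $mode): group-writable, group is not root; suggested: su $owner $group"
        return 1
    fi
    echo "OK ($owner:$group $mode)"
    return 0
}

# suggest_su LOGFILE
#   Stats the log's parent directory and runs the check on the real values.
#   Assumes GNU coreutils stat (Linux); returns 2 if the directory is missing.
suggest_su() {
    parent=$(dirname "$1")
    info=$(stat -c '%a %U %G' "$parent") || return 2
    set -- $info
    check_parent_perms "$1" "$2" "$3"
}

# The case from this issue: /var/log is 775 root:syslog.
check_parent_perms 775 root syslog
```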
dcere (Author) commented Mar 22, 2024

Finally I'm using

/var/log/mail.log {
    su root syslog
    daily
    rotate 5
    compress
    delaycompress
    notifempty
    create 0640 syslog adm
    sharedscripts
    postrotate
        systemctl restart rsyslog.service
        systemctl reload postfix.service
    endscript
}

It looks like I needed to fix the su directive and also restart rsyslog.

Thank you so much for your help!!
