Log rotate errors after upgrading to 5.6.1

[hbouma]

I have Red Hat 7 64bit VM's that were recently upgraded from Nagios 5.5.9 to 5.6.1. Since the upgrade, I am seeing errors every morning for log rotate:

Code: Select all

/etc/cron.daily/logrotate:

error: skipping "/usr/local/nagiosxi/var/cleaner.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/usr/local/nagiosxi/var/cmdsubsys.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/usr/local/nagiosxi/var/dbmaint.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/usr/local/nagiosxi/var/deadpool.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/usr/local/nagiosxi/var/event_handler.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/usr/local/nagiosxi/var/eventman.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/usr/local/nagiosxi/var/feedproc.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/usr/local/nagiosxi/var/nom.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/usr/local/nagiosxi/var/perfdataproc.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/usr/local/nagiosxi/var/recurringdowntime.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/usr/local/nagiosxi/var/reportengine.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/usr/local/nagiosxi/var/sysstat.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/usr/local/nagiosxi/var/wkhtmltox.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/usr/local/nagiosxi/var/xidebug.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/usr/local/nagiosxi/var/xidebug.log.backtrace" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

File ownerships seem different that I see on the servers running 5.5.9 (5.5.9 shows nagios:nagios, 5.6.1 as listed below)

Code: Select all

drwxr-xr-x  11 root nagios 4.0K Mar 25 10:32 .
drwxr-xr-x. 21 root root   4.0K May  2 08:18 ..
drwxr-xr-x.  2 root nagios 4.0K Mar 25 10:32 cron
drwxr-xr-x.  4 root nagios 4.0K May  2 08:18 etc
drwxr-xr-x. 17 root nagios 4.0K May  2 08:20 html
drwx------   2 root nagios  16K Mar 18 13:54 lost+found
drwxr-xr-x.  3 root nagios 4.0K Mar 25 10:32 nom
drwxr-xr-x.  4 root nagios 4.0K May  6 08:38 scripts
drwsrwsr-x.  2 root nagios 4.0K May  2 08:19 tmp
drwxr-xr-x.  2 root nagios 4.0K Mar 25 10:32 tools
drwxrwxr-x.  7 root nagios 4.0K May  6 08:43 var

If I try updating /usr/local/nagiosxi/var to root:root, then I get errors from crond telling me the writing to the log files is denied:

Code: Select all

/bin/sh: /usr/local/nagiosxi/var/feedproc.log: Permission denied

Any suggestions?

[cdienger]

What do the permissions look like on the log files and files in the other directories? Are you seeing any other problems besides this error message?

Reset some of the permissions with:

Code: Select all

/usr/local/nagiosxi/scripts/reset_config_perms.sh
chown nagios:nagios /usr/local/nagiosxi/*
chown nagios:nagios /usr/local/nagiosxi/

[hbouma]

Files inside /usr/local/nagiosxi/var/ are all owned by nagios:nagios. Folders in /usr/local/nagiosxi are all root:nagios.

This has happened on all 3 servers we where we have upgraded from 5.5.9 to 5.6.1.

Symptoms are failure of the logrotate script only.

Everything seems good so far by just changing the permissions as you listed. I just wanted to make sure there wasn't a reason for the change in the upgrade.

[cdienger]

It's certainly odd and I'll be looking into reproducing it. Was this an online of offline install/upgrade?

[hbouma]

This was an online install and online upgrade using the manual upgrade steps as listed in https://assets.nagios.com/downloads/nag ... ctions.pdf

It appears I am not the only one having the issue. I see @Bitflogger is also having the issue in https://support.nagios.com/forum/viewto ... 16&t=53740

[cdienger]

Checked with dev and the change to root ownership was put in place to take care of potential vulnerabilities. Except for the var directory, you can switch them all back to root ownership.

[hbouma]

Thank you. I have updated to have all folders, except var, in /usr/local/nagiosxi/ owned by root:nagios

[cdienger]

Sounds good and thanks for bringing it to our attention! This will be fixed in in 5.6.2.

[hbouma]

Thank you.

You may close this thread then.

[cdienger]

Closing.