logrotate permissions 5.6.2
Posted: Tue May 28, 2019 9:54 am
by Bitflogger
Hello,
I am running 5.6.2 on a 64-bit CentOS 7 VM.
I upgraded my backup and test servers to 5.6.2. I went from 5.5.11 -> 5.6.0 -> 5.6.1 -> 5.6.2
I am seeing this:
Subject: Anacron job 'cron.daily' on <redacted>
Date: Sun, 26 May 2019 03:09:03 -0500 (CDT)
Status: RO
/etc/cron.daily/logrotate:
error: skipping "/usr/local/nagiosxi/var/cleaner.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
Here are the permissions:
[root@redacted ~]# ls -ald /usr/local/nagiosxi/var/cleaner.log
-rw-r--r-- 1 nagios nagios 17228467 May 28 09:52 /usr/local/nagiosxi/var/cleaner.log
[root@redacted ~]# ls -ald /usr/local/nagiosxi/var
drwxrwxr-x 7 nagios nagios 4096 May 28 09:52 /usr/local/nagiosxi/var
[root@redacted ~]# ls -ald /usr/local/nagiosxi
drwxr-xr-x 10 root root 102 Feb 11 12:22 /usr/local/nagiosxi
Earl
Re: logrotate permissions 5.6.2
Posted: Tue May 28, 2019 12:31 pm
by npolovenko
Hello,
@Bitflogger. Please run the following commands:
chown nagios:nagios /usr/local/nagiosxi
service crond restart
And let me know if your issue gets resolved.
Re: logrotate permissions 5.6.2
Posted: Tue May 28, 2019 12:51 pm
by Bitflogger
I will check tomorrow morning.
I do run the sudo command to install.
Earl
Re: logrotate permissions 5.6.2
Posted: Tue May 28, 2019 12:55 pm
by npolovenko
@Bitflogger, Sounds good, I'll leave this thread open for you.
Re: logrotate permissions 5.6.2
Posted: Wed May 29, 2019 8:51 am
by Bitflogger
Hello,
It almost seems like the ownership of /usr/local/nagiosxi may have reverted to root.
Anyway, I set the ownership correctly and tried running logrotate:
[user@redacted ~]$ ls -ald /usr/local/nagiosxi
drwxr-xr-x 10 nagios nagios 102 Feb 11 12:22 /usr/local/nagiosxi
[user@redacted ~]$ ls -ald /usr/local/nagiosxi/*
drwxr-xr-x 2 nagios nagios 296 May 24 09:17 /usr/local/nagiosxi/cron
drwxr-xr-x 4 nagios nagios 67 May 3 14:44 /usr/local/nagiosxi/etc
drwxr-xr-x 17 nagios nagios 4096 Mar 6 13:03 /usr/local/nagiosxi/html
drwxr-xr-x 3 nagios nagios 25 Feb 11 12:22 /usr/local/nagiosxi/nom
drwxr-xr-x 4 nagios nagios 4096 May 24 09:17 /usr/local/nagiosxi/scripts
drwsrwsr-x 2 nagios nagios 6 Apr 22 16:27 /usr/local/nagiosxi/tmp
drwxr-xr-x 2 nagios nagios 4096 Feb 11 12:22 /usr/local/nagiosxi/tools
drwxrwxr-x 7 nagios nagios 4096 May 29 08:46 /usr/local/nagiosxi/var
[user@redacted ~]$ sudo /etc/cron.daily/logrotate
error: skipping "/usr/local/nagiosxi/var/cleaner.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/usr/local/nagiosxi/var/cmdsubsys.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
.
.
.
Re: logrotate permissions 5.6.2
Posted: Wed May 29, 2019 9:28 am
by Bitflogger
Hello,
It looks like my /usr/local/nagiosxi directory reverted back to root:root
This fixes logrotate so far:
cat /etc/logrotate.d/nagiosxi
/usr/local/nagiosxi/var/*log {
su nagios nagios
missingok
notifempty
size 5M
rotate 1
compress
}
/usr/local/nagiosxi/var/xidebug.log {
su nagios nagios
missingok
notifempty
size 100M
create 0660 apache nagios
rotate 1
compress
}
/usr/local/nagiosxi/var/xidebug.log.backtrace {
su nagios nagios
missingok
notifempty
size 100M
create 0660 apache nagios
rotate 1
compress
}
Re: logrotate permissions 5.6.2
Posted: Wed May 29, 2019 10:39 am
by Bitflogger
Hello,
It turns out that Puppet was changing the directory permissions.
I have root:root for /usr/local/nagiosxi on my production server, v 5.5.11 and no logrotate problem.
Should the owner/group be nagios:nagios for /usr/local/nagiosxi instead of root:root?
Earl
Re: logrotate permissions 5.6.2
Posted: Wed May 29, 2019 3:28 pm
by npolovenko
@Bitflogger, Yes, please set /usr/local/nagiosxi to root:nagios or nagios:nagios on the production server.
root:nagios should be more secure.
/usr/local/nagiosxi/var should be set to nagios:nagios.
Re: logrotate permissions 5.6.2
Posted: Thu May 30, 2019 7:50 am
by Bitflogger
Hello,
I have my /usr/local/nagiosxi directory set to root:nagios
When I take the "su nagios nagios" line out of /etc/logrotate.d/nagiosxi file, I get
[user@server ~]$ date
Thu May 30 07:49:04 CDT 2019
[user@server ~]$ sudo /etc/cron.daily/logrotate -v
error: skipping "/usr/local/nagiosxi/var/cleaner.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/usr/local/nagiosxi/var/cmdsubsys.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
.
.
.
[user@server ~]$ ls -ald /usr/local/nagiosxi
drwxr-xr-x 10 root nagios 102 Oct 22 2018 /usr/local/nagiosxi
Re: logrotate permissions 5.6.2
Posted: Thu May 30, 2019 7:52 am
by Bitflogger
Hello,
On my servers, /usr/local/nagiosxi is a mount point.
Earl
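
The rule quoted in logrotate's error message, applied to the directory modes listed in this thread, as an added example that is not part of any post or of logrotate's own code. The function names are hypothetical, gid 1001 is a constructed stand-in for the nagios group, and GNU stat (-c) is assumed.

```shell
#!/bin/sh
# Added example (not logrotate's code): applies the rule quoted in the error
# message to the directory that contains a log file.
# Assumes GNU coreutils stat (-c), as shipped on CentOS 7.

# mode_is_insecure MODE_OCTAL GID
# Exit 0 (insecure) when the mode is world-writable, or group-writable
# while the owning group is not root (gid 0). Exit 1 otherwise.
mode_is_insecure() {
    perms=$((0$1))      # leading 0 makes the shell read the mode as octal
    if [ $((perms & 0002)) -ne 0 ]; then
        return 0        # world-writable
    fi
    if [ $((perms & 0020)) -ne 0 ] && [ "$2" -ne 0 ]; then
        return 0        # group-writable by a non-root group
    fi
    return 1
}

# check_log_parent LOGFILE
# Stats the parent directory of LOGFILE and prints a verdict.
# Exit 0 = insecure, 1 = acceptable, 2 = directory could not be read.
check_log_parent() {
    dir=$(dirname -- "$1")
    info=$(stat -c '%a %g' -- "$dir" 2>/dev/null) || return 2
    mode=${info% *}
    gid=${info#* }
    if mode_is_insecure "$mode" "$gid"; then
        echo "INSECURE   $dir (mode $mode, gid $gid)"
        return 0
    fi
    echo "acceptable $dir (mode $mode, gid $gid)"
    return 1
}

# Modes taken from the ls output in the thread; gid 1001 is a constructed
# stand-in for the nagios group, whose numeric id the thread does not show.
for sample in "755 0" "755 1001" "775 1001" "6775 1001" "775 0"; do
    set -- $sample
    if mode_is_insecure "$1" "$2"; then
        echo "mode $1 gid $2: insecure"
    else
        echo "mode $1 gid $2: acceptable"
    fi
done
```

By this rule the drwxrwxr-x nagios:nagios mode on /usr/local/nagiosxi/var, the directory that holds the logs, is what gets flagged; the drwxr-xr-x mode on /usr/local/nagiosxi is acceptable under either ownership shown in the thread.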