Thursday, December 1, 2011

HowTo: Fix logrotate complaints about insecure permissions

When you have this problem, you get Anacron emails like this:


error: skipping "/var/log/tomcat6/catalina.out" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation. 

Fedora 16 in particular ships a newer version of logrotate, and standard package installs like mailman, tomcat6, etc. trigger these errors.

The complaint is about group-writable permissions on directories under /var/log/.

Traditionally, these log directories are owned by root and writable by the service account's group. So tomcat6 would be:
drwxrwxr-x. 2 root tomcat 20480 Nov 14 13:04 tomcat6/

That looks fine to me: only root can remove the files, and Tomcat can write log entries without being root.

Other HowTos focus on removing group write permission from the /var/log directories.

I disagree; the bug report convinced me that the fix is on its way in the logrotate.d config files instead.

The named package seems to be the first to have it right, so I'll use its config as a template. Use 0640 if you don't want world-read on log files. Add these lines to the logrotate.d config of each package that is having Anacron problems (replace named with your package's service account):


su named named
create 0644 named named
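As an added example (not from the original post), this script reproduces the permission test behind the error message above, so you can check a log directory's mode and group and tell whether a logrotate.d config already carries the su line that silences the complaint. It assumes GNU stat (as on Fedora) and a writable scratch directory; the tomcat6 configs it creates are constructed samples.

```shell
#!/bin/sh
# perms_insecure MODE GROUP: exit 0 when logrotate would refuse a directory
# with octal MODE owned by GROUP, i.e. it is world-writable, or it is
# group-writable and the group is not root (the check in the error above).
perms_insecure() {
  mode=$1 group=$2
  other=${mode#"${mode%?}"}          # last octal digit: "other" bits
  rest=${mode%?}
  grp=${rest#"${rest%?}"}            # second-last digit: "group" bits
  grp=${grp:-0}
  [ $(( other & 2 )) -ne 0 ] && return 0
  [ $(( grp & 2 )) -ne 0 ] && [ "$group" != root ] && return 0
  return 1
}

# dir_insecure DIR: same test on a real directory (GNU stat assumed).
dir_insecure() {
  perms_insecure "$(stat -c '%a' "$1")" "$(stat -c '%G' "$1")"
}

# conf_has_su CONF: exit 0 when the logrotate config has "su USER GROUP".
conf_has_su() {
  grep -Eq '^[[:space:]]*su[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+' "$1"
}

# make_demo_confs DIR: write two constructed tomcat6 configs into DIR,
# one as a package might ship it and one with the su/create lines added.
make_demo_confs() {
  printf '%s\n' '/var/log/tomcat6/*.log {' '    copytruncate' '    weekly' '}' \
    > "$1/tomcat6.shipped"
  printf '%s\n' '/var/log/tomcat6/*.log {' '    su tomcat tomcat' \
    '    create 0644 tomcat tomcat' '    copytruncate' '    weekly' '}' \
    > "$1/tomcat6.fixed"
}

# Demo: /var/log/tomcat6 is root:tomcat 775 as in the listing above, so
# only the config with an su line lets logrotate handle it.
scratch=$(mktemp -d)
make_demo_confs "$scratch"
for conf in "$scratch/tomcat6.shipped" "$scratch/tomcat6.fixed"; do
  if perms_insecure 775 tomcat && ! conf_has_su "$conf"; then
    echo "$conf: logrotate would skip /var/log/tomcat6 - add an su line"
  else
    echo "$conf: OK"
  fi
done
rm -rf "$scratch"
```

To audit a live system, run dir_insecure on each directory named in /etc/logrotate.d/* and conf_has_su on the matching config.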

