
Thursday, December 1, 2011

HowTo: Fix "logrotate complains about insecure permissions"

Bug 753983 – logrotate complains about insecure permissions

When you have this problem, you get Anacron emails like this:

/etc/cron.daily/0yum.cron:

Setting up Update Process
Setting up Yum Shell
Setting up Update Process
/etc/cron.daily/logrotate:

error: skipping "/var/log/tomcat6/catalina.out" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation. 

Fedora 16 in particular ships a newer version of logrotate, and standard package installs such as mailman and tomcat6 now produce these errors.

The complaint is about group-writable permissions on directories under /var/log.

Traditionally, these directories are owned by root and writable by the service account's group. So for tomcat6 the listing is:
drwxrwxr-x. 2 root tomcat 20480 Nov 14 13:04 tomcat6/


That seems fine to me: only root can remove the directory, and Tomcat can write log entries without being root.

Other HowTos focus on removing group write permission from the directories under /var/log.


I disagree; the bug report convinced me that the fix is coming in the logrotate.d files themselves.

The named package seems to be the first to get it right, so I'll use it as a template. Use 0640 instead of 0644 if you don't want world-readable log files. Add these lines to the logrotate.d file of each package that is producing Anacron errors (replace named with your package's service account):

/etc/logrotate.d/named:

su named named
create 0644 named named
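As an added example (not code from the original post), here is a POSIX shell check that reproduces logrotate's directory test and reports whether a logrotate.d file already carries the su directive. The 775/tomcat values and the tomcat6 config lines are constructed from the listing above; check_log_dir assumes GNU stat for its -c option.

```shell
#!/bin/sh
# Added example, not from the original post: mimic logrotate's "insecure
# permissions" test and check a logrotate.d file for an "su" directive.

# dir_is_insecure MODE GROUP  (MODE as printed by "stat -c %a", e.g. 775)
# True when the directory is world-writable, or group-writable by a group
# other than root: exactly the case logrotate refuses to rotate into.
dir_is_insecure() {
    last2=${1#"${1%??}"}       # last two octal digits: group, other
    group_digit=${last2%?}
    other_digit=${last2#?}
    case $other_digit in 2|3|6|7) return 0 ;; esac     # o+w
    case $group_digit in
        2|3|6|7) if [ "$2" != root ]; then return 0; fi ;;   # g+w, non-root
    esac
    return 1
}

# config_has_su FILE: true if a "su USER GROUP" directive is present.
config_has_su() {
    grep -Eq '^[[:space:]]*su[[:space:]]+[^[:space:]#]+[[:space:]]+[^[:space:]#]+' "$1"
}

# check_log_dir DIR CONFIG: 0 if logrotate will rotate logs in DIR,
# 1 if it will skip them the way the Anacron mail above describes.
check_log_dir() {
    set -- "$1" "$2" $(stat -c '%a %G' "$1")   # appends MODE and GROUP
    if dir_is_insecure "$3" "$4" && ! config_has_su "$2"; then
        echo "SKIP: $1 is $3 $4 and $2 has no su directive" >&2
        return 1
    fi
    echo "OK: $1"
    return 0
}

# Constructed demo: the tomcat6 listing from the post, before and after the fix.
tmp=$(mktemp -d)
printf 'create 0644 tomcat tomcat\n' > "$tmp/tomcat6.before"
printf 'su tomcat tomcat\ncreate 0644 tomcat tomcat\n' > "$tmp/tomcat6.after"
if dir_is_insecure 775 tomcat && ! config_has_su "$tmp/tomcat6.before"; then
    echo "before: logrotate would skip /var/log/tomcat6"
fi
if config_has_su "$tmp/tomcat6.after"; then
    echo "after: su directive present, rotation runs as tomcat:tomcat"
fi
rm -rf "$tmp"
```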

