recent group permissions change on /var/log causes logrotate errors

Bug #1258202 reported by Jamie Strandboge
This bug affects 4 people
Affects: logrotate (Ubuntu)
Importance: High
Assigned to: Steve Langasek

Bug Description

The fix for bug #1256695 is causing logrotate to error out with:

/etc/cron.daily/logrotate:
error: skipping "/var/log/dpkg.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/alternatives.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/pm-suspend.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/pm-powersave.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/ppp-connect-errors" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/syslog" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/mail.info" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/mail.warn" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/mail.err" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/mail.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/daemon.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/kern.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/auth.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/user.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/lpr.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/cron.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/debug" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/messages" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/ufw.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/wtmp" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/btmp" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
run-parts: /etc/cron.daily/logrotate exited with return code 1

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: logrotate 3.8.6-1ubuntu1
ProcVersionSignature: Ubuntu 3.12.0-3.8-generic 3.12.0
Uname: Linux 3.12.0-3-generic x86_64
ApportVersion: 2.12.7-0ubuntu1
Architecture: amd64
CurrentDesktop: Unity
Date: Thu Dec 5 09:56:47 2013
InstallationDate: Installed on 2011-06-28 (890 days ago)
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release amd64 (20110425.2)
SourcePackage: logrotate
UpgradeStatus: Upgraded to trusty on 2013-11-04 (31 days ago)

Jamie Strandboge (jdstrand) wrote :
Steve Langasek (vorlon)
Changed in logrotate (Ubuntu):
assignee: nobody → Steve Langasek (vorlon)
status: New → Triaged
importance: Undecided → High
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package logrotate - 3.8.6-1ubuntu2

---------------
logrotate (3.8.6-1ubuntu2) trusty; urgency=low

  * debian/logrotate.conf: use group 'syslog' by default when rotating logs,
    otherwise logrotate will refuse to rotate logs in /var/log whose owning
    group is now syslog instead of root. LP: #1258202.
 -- Steve Langasek <email address hidden> Thu, 05 Dec 2013 10:35:47 -0800

Changed in logrotate (Ubuntu):
status: In Progress → Fix Released
martin (martin-andersen) wrote :

This is occurring again with logrotate 3.8.7-1ubuntu1 on numerous systems. Either the previous fix was incomplete, or the change was reverted.

Uwe Lück (uwe-lueck) wrote :

aha, #1385537

Uwe Lück (uwe-lueck) wrote :

… and #1278193, sorry

Stefan Sticht (sticht) wrote :

I am seeing this problem with several Ubuntu 16.04.3 LTS server installations.

considering log /var/log/btmp
error: skipping "/var/log/btmp" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

# ll -d /var/log/
drwxrwxr-x 17 root syslog 4096 Aug 13 21:31 /var/log//

Stefan Sticht (sticht) wrote :

Is adding

su root syslog

to /etc/logrotate.conf a good solution?

Stefan Sticht (sticht) wrote :

Sorry, it is all my own fault. I accidentally removed
 su root syslog
from /etc/logrotate.conf using puppet.

Feel free to delete my stupid posts.
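
A check for the failure mode in the comments above (configuration management dropping the global su line), as an added example that is not part of the bug report or of logrotate: it applies the test quoted in the error message (world-writable, or group-writable by a group other than root) to the log directory and reports whether the configuration file carries a global su directive. The function and script names are made up here, and stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Usage: sh check-logrotate-su.sh /var/log /etc/logrotate.conf
# (hypothetical script name; stat -c assumes GNU coreutils)

# dir_insecure MODE GID: succeeds when the directory fails the test quoted in
# the error message: world-writable, or group-writable by a non-root group.
dir_insecure() {
    perm=$((0$1))                              # octal mode, e.g. 775 or 1777
    [ $((perm & 0002)) -ne 0 ] && return 0     # o+w
    [ $((perm & 0020)) -ne 0 ] && [ "$2" -ne 0 ] && return 0   # g+w, gid != 0
    return 1
}

# global_su CONF: prints the "user group" of the first su directive found
# outside any { } stanza; fails when there is none.
global_su() {
    awk '
        /^[[:space:]]*#/ { next }
        /[{]/ { depth++ }
        depth == 0 && $1 == "su" { print $2, $3; found = 1; exit }
        /[}]/ { depth-- }
        END { exit !found }
    ' "$1"
}

# audit_logrotate DIR CONF: 0 = rotation can proceed, 1 = logrotate would
# skip the logs in DIR, 2 = DIR could not be inspected.
audit_logrotate() {
    dir=$1 conf=$2
    meta=$(stat -c '%a %g' "$dir") || return 2
    mode=${meta% *} gid=${meta#* }
    if ! dir_insecure "$mode" "$gid"; then
        echo "OK: $dir (mode $mode, gid $gid) passes the parent-directory check"
    elif su_args=$(global_su "$conf"); then
        echo "OK: $dir is mode $mode gid $gid; rotation runs as '$su_args'"
    else
        echo "FAIL: $dir is mode $mode gid $gid and $conf has no global su directive"
        return 1
    fi
}

if [ $# -eq 2 ]; then audit_logrotate "$1" "$2"; fi
```

Only the file given is read; included files and su lines inside individual stanzas are not considered. Run from the configuration-management pipeline, a non-zero exit flags the change before the nightly cron job starts skipping logs.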
