Re: logrotate permissions problem

Reco Sat, 29 Aug 2015 11:18:06 -0700

 Hi.

On Sat, 29 Aug 2015 09:43:27 -0600
"D. R. Evans" <doc.ev...@gmail.com> wrote:


> Ever since the upgrade from wheezy to jessie a few days ago, I have been
> receiving the following every day:
> 
> ----
> 
> /etc/cron.daily/logrotate:
> error: error setting owner of /var/log/polipo/polipo.log.1.gz to uid 13 and
> gid 13: Operation not permitted
> run-parts: /etc/cron.daily/logrotate exited with return code 1
> 
> ----
> 
> The directory /var/log/polipo has the permissions:
>   drwxr-sr-x  2 proxy             adm         4096 Aug 29 07:39 polipo
> 
> and right now the contents of that directory look like this:
> 
> ----
> 
> root@homebrew:/var/log/polipo# ls -al
> total 64
> drwxr-sr-x  2 proxy adm    4096 Aug 29 07:39 .
> drwxr-xr-x 19 root  root   4096 Aug 29 07:39 ..
> -rw-------  1 proxy adm   18854 Aug 29 09:11 polipo.log
> -rw-r-----  1 proxy proxy  6025 Aug 26 07:40 polipo.log.1
> -rw-------  1 proxy adm       0 Aug 29 07:39 polipo.log.1.gz
> -rw-r-----  1 proxy proxy   255 Aug 25 07:11 polipo.log.2.gz
> -rw-r-----  1 proxy proxy   425 Aug 24 07:11 polipo.log.3.gz
> -rw-r-----  1 proxy proxy   279 Aug 23 07:11 polipo.log.4.gz
> -rw-r-----  1 proxy proxy   328 Aug 22 07:11 polipo.log.5.gz
> -rw-r-----  1 proxy proxy   273 Aug 21 07:11 polipo.log.6.gz
> -rw-r-----  1 proxy proxy   288 Aug 20 07:11 polipo.log.7.gz
> -rw-r-----  1 proxy proxy   166 Aug 19 07:11 polipo.log.8.gz
> root@homebrew:/var/log/polipo#
> 
> ----
> 
> Does anyone have a suggestion as to what I should do to stop the error message
> being produced every day?
> 
> In case it needs to be said: this problem did not exist when I was running
> wheezy, and I haven't changed anything in the default installation related to
> logrotate or polipo. I am a bit puzzled as to why no one else seems to have
> reported this problem. Googling has not helped suggest the cause or the
> correct fix.

Your /etc/logrotate.d/polipo should contain this line:

su proxy adm

It means that all polipo.log rotation should be done as user "proxy"
with primary group "adm".

During the rotation "polipo.log" should be renamed to "polipo.log.1"
and then it should be gzipped to "polipo.log.1.gz". The owner and group
of the new file result "proxy:adm".

Since the original file ("polipo.log") owner and group are
"proxy:proxy" - logrotate tries to change group of "polipo.log.1.gz" to
proxy - and fails (since during the rotation the primary group of
logrotate is "adm", and arbitrary group switching is permitted to root
only).

The solution of this problem should be as simple as:

chgrp adm /var/log/polipo/pol*
rm -f /var/log/polipo/polipo.log.1.gz

Reco

Re: logrotate permissions problem

Reply via email to