skipping "/var/log/syslog" because parent directory has insecure permissions
jason-kane opened this issue · comments
error: skipping "/var/log/syslog" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
Some/recent logrotate versions (3.8.7+, Ubuntu 16.04) fail to rotate logs without an "su" directive added to the logrotate config telling it which user/group to run as.
Old versions of logrotate (Ubuntu 12.04?) fail when they see an unknown/unexpected "su" directive in the config file.
The naive solution is to run "logrotate --version" and for recent versions add a "su username groupname" where username and groupname reflect the owner of the directory containing the file being rotated.
My ruby/chef foo isn't really up to it, deliriously hoping someone else has already run into this and has a lovely fix they haven't thought to send upstream.
Adding a "su 'user group'" to the logrotate_app calls fixes the 16.04 based services; I hoped for something compatible with old/new but this is way better than nothing. Note to future Google searchers:
logrotate_app myapplicaton do
  cookbook 'logrotate'
  path ["/var/log/subdir/mylog.log"]
  frequency 'daily'
  rotate 52
  create '0664 appuser appgroup'
  options %w(missingok compress delaycompress notifempty)
  postrotate ['service rsyslog restart >/dev/null 2>&1 || true']
  su 'appuser appgroup'
end
How do you do this from webmin?
For later versions of Debian-based OSes, use "su appuser appgroup" without any quotes. The ' ' breaks the logrotate script. In my case, Debian Stretch requires this format.
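The version-gated approach described in the issue, as an added Ruby example that is not code from this thread or from the logrotate cookbook: it parses `logrotate --version` output, applies the permission test quoted in the error message to the log's parent directory, and returns an unquoted `su` line only when both conditions hold. The helper names are hypothetical, the 3.8.7 threshold is the one reported in the issue, and the sample inputs are constructed.

```ruby
require 'rubygems' # Gem::Version compares dotted versions numerically
require 'etc'

# Threshold taken from the issue report ("3.8.7+"); adjust it for your fleet.
SU_REQUIRED_FROM = Gem::Version.new('3.8.7')

# Extract the version from `logrotate --version` output, or nil if absent.
def parse_logrotate_version(output)
  m = output.to_s.match(/logrotate\s+(\d+(?:\.\d+)+)/)
  m && Gem::Version.new(m[1])
end

# Mirrors the condition in the error text: world writable, or writable by a
# group other than root (gid 0).
def insecure_parent?(mode, gid)
  world_writable = (mode & 0o002) != 0
  group_writable = (mode & 0o020) != 0 && gid != 0
  world_writable || group_writable
end

# Returns the "su user group" line to emit, or nil when none should be written.
def su_directive(version_output, mode:, gid:, owner:, group:)
  version = parse_logrotate_version(version_output)
  # Unknown or old version: the issue reports that old parsers reject "su".
  return nil if version.nil? || version < SU_REQUIRED_FROM
  return nil unless insecure_parent?(mode, gid)
  "su #{owner} #{group}"
end

# Convenience wrapper that reads the real parent-directory metadata.
def su_directive_for_path(version_output, log_path)
  st = File.stat(File.dirname(log_path))
  su_directive(version_output, mode: st.mode, gid: st.gid,
               owner: Etc.getpwuid(st.uid).name,
               group: Etc.getgrgid(st.gid).name)
end

# Constructed sample inputs (not captured from a real host).
if __FILE__ == $PROGRAM_NAME
  dir = { mode: 0o40775, gid: 104, owner: 'appuser', group: 'appgroup' }
  puts su_directive("logrotate 3.8.7\n", **dir).inspect
  puts su_directive("logrotate 3.7.8\n", **dir).inspect
end
```

Comparing with `Gem::Version` rather than as strings matters here: a string comparison would sort 3.14.0 below 3.8.7 and drop the directive on newer hosts.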