su directive logrotate

Wednesday, July 24, 2013 » debian, logrotate

Preamble

If the parent directory of the log files is world writable and not owned by root, logrotate needs to be told which user and group it should rotate as; otherwise it refuses to touch the logs.

Log Dir


me@vm#ls -al /var/log/myapp/
total 1728
drwxrwxrwx  2 appuser appuser   4096 Jul 24 13:45 .

My logrotate:


/var/log/myapp/*.log {

    weekly
    rotate 4
    compress

    delaycompress
    missingok
    create 644 appuser appuser
}

Manual logrotate

/usr/sbin/logrotate --verbose /etc/logrotate.conf

Looks Like


rotating pattern: /var/log/myapp/*.log  weekly (4 rotations)
empty log files are rotated, old logs are removed
considering log /var/log/myapp/default.log

error: skipping "/var/log/myapp/default.log" because parent directory has insecure permissions
(It's world writable or writable by group which is not "root") Set "su" directive in 
config file to tell logrotate which user/group should be used for rotation

Telling logrotate to do the 'right thing'


/var/log/myapp/*.log {
    # NEW: run the rotation as appuser, the owner of /var/log/myapp
    su appuser appuser
    weekly
    rotate 4
    compress

    delaycompress
    missingok
    create 644 appuser appuser
}

Manually running logrotate post fix


rotating pattern: /var/log/myapp/*.log  weekly (4 rotations)
empty log files are rotated, old logs are removed
switching euid to 108 and egid to 108
considering log /var/log/myapp/default.log
  log needs rotating
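The error above comes from a permission test logrotate runs on the parent directory before it rotates anything. The function below reproduces that test so you can audit log directories up front (for example across everything in /var/log) instead of finding out from a skipped rotation in cron. It is an added example, not code from this post or from logrotate itself; it assumes a stat that supports -c (GNU coreutils or busybox, as on Debian), and the demo directory it creates is constructed.

```shell
#!/bin/sh
# Added example (not logrotate's own code): reproduces the parent-directory
# permission test behind logrotate's "insecure permissions" error, so log
# directories can be audited before a cron run silently skips them.
# Assumes GNU/busybox stat with -c (as on Debian).

# logrotate_dir_insecure DIR
# Returns 0 (true) when logrotate would skip logs in DIR unless a "su" directive
# is set: DIR is world writable, or group writable with a group other than root.
# Returns 1 when the directory passes the test, 2 when DIR is not a directory.
logrotate_dir_insecure() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    mode=$(stat -c '%a' "$dir")   # octal permission bits, e.g. 777 or 2775
    gid=$(stat -c '%g' "$dir")    # numeric group id; 0 is root
    bits=$((0$mode))              # leading 0 makes the shell parse it as octal
    if [ $((bits & 2)) -ne 0 ]; then                        # S_IWOTH set
        echo "insecure: $dir is world writable (mode $mode)"
        return 0
    fi
    if [ $((bits & 16)) -ne 0 ] && [ "$gid" -ne 0 ]; then   # S_IWGRP set, group not root
        echo "insecure: $dir is group writable by gid $gid, which is not root (mode $mode)"
        return 0
    fi
    echo "ok: $dir (mode $mode, gid $gid)"
    return 1
}

# Demo on a constructed directory with the same 0777 mode as /var/log/myapp above
demo=$(mktemp -d) && chmod 0777 "$demo" && logrotate_dir_insecure "$demo"
rmdir "$demo"
```

Run it against a real log directory with `logrotate_dir_insecure /var/log/myapp`: a return of 0 means the directory either needs the su directive in its logrotate stanza or tighter permissions. The two bit masks are the octal write bits logrotate checks (002 for others, 020 for group); the group check is skipped when the directory's group is root, matching the wording of the error message.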

Other solution

Depending on why the log directory needs those permissions in the first place, the su directive may not be the right fix. If you can, tightening the directory permissions is always the better option: logrotate's check passes once the directory is no longer world writable or writable by a non-root group.

chmod 0750 /var/log/myapp/

Note the mode is 0750 rather than 0640: a directory needs the execute bit for its owner and group to be traversed, and 0750 keeps it writable by appuser alone while leaving the group read access.

Reference

logrotate man