| Summary: | app-admin/sysklogd: /etc/cron.daily/syslog.cron changes the mode and owner of ALL logfiles | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | toon <toon> |
| Component: | Current packages | Assignee: | Gentoo's Team for Core System packages <base-system> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | jakub, matsuu |
| Priority: | High | ||
| Version: | 1.4 | ||
| Hardware: | All | ||
| OS: | Linux | ||

I am assuming then it does not use the libc syslog facility, but tries to work with the file directly?

I don't understand your question. The shell script uses the program /usr/sbin/syslogd-listfiles -- which is part of the sysklogd package -- to find out which log files to rotate. But the call to the program uses an argument (-a) that it shouldn't use in this case. The problem has nothing to do with syslog facilities, as far as I can see.

While we're at it: I noticed another problem
related to the /etc/cron.daily/syslog.cron script.
Above the fragment that this bug report was entered for,
it also contains the code below:
    cd /var/log
    for LOG in `/usr/sbin/syslogd-listfiles -a`
    do
        if [ -f $LOG ]; then
            /usr/sbin/savelog -g adm -m 640 -u root -c 7 $LOG >/dev/null
        fi
    done
This is wrong, because it will also rotate the INN news log files.
I had to adapt the fragment as below.
But look at the syslogd-listfiles manpage. It is not completely
clear to me how it should handle the INN log files in this case.
All I know is that my solution works.
Should I enter a separate bug report for this?
    cd /var/log
    for LOG in `/usr/sbin/syslogd-listfiles -a`
    do
        if [ -f $LOG ]; then
            # Skip the INN log files (every file that contains the string 'news'):
            if [ "${LOG}" = "${LOG/news/}" ] ; then
                /usr/sbin/savelog -p -c 7 $LOG >/dev/null
            else
                # For debugging purposes:
                echo "Skipping ${LOG}..." >/dev/null
            fi
        fi
    done

I am asking how your news daemon does its logging ... if it uses the glibc syslog facility, the permissions should not be a problem.

removed -a from both listfile calls

going by the output of `syslogd-listfiles`, it doesn't look like -a should be used by default

that should fix both your bugs

This is still an issue. Or rather, the proposed fix is an issue.

I will ask again: how does your news server handle its log files? From what you said in comment #1, it seems like it handles them itself, meaning it does not use the libc syslog functionality (letting syslogd [or whatever logging daemon] actually do the logging). But if this is the case, then the log files of your news server should not be in /etc/syslog.conf (which is how /usr/sbin/syslogd-listfiles finds them). Meaning to fix the issue, you should have commented the entries in syslog.conf:

----
# Logging for INN news system
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
----

Alternatively you can enable logging via syslog if your news server supports it ...

Another note - I cannot get news log files to display if I do not add --news:

----
nosferatu ~ # /usr/sbin/syslogd-listfiles -a | grep news
nosferatu ~ # /usr/sbin/syslogd-listfiles --news | grep news
nosferatu ~ # /usr/sbin/syslogd-listfiles -a --news | grep news
/var/log/news/news.crit
/var/log/news/news.notice
/var/log/news/news.err
nosferatu ~ #
----

OK, I admit that I didn't explain it very well.
I'll try again.
1. Yes, the application (INN) logs via the libc syslog functions.
This results in the files news.notice, news.crit and news.err in /var/log/news.
See the entries in my /etc/syslog.conf file (they are a little different
from the original Gentoo entries, but the resulting files are the same):
# Log files for the INN news system:
#
news.*;news.!=err;news.!=crit;news.!=debug -/var/log/news/news.notice
news.=crit -/var/log/news/news.crit
news.=err -/var/log/news/news.err
#news.debug -/var/log/news/news.debug
To make it even more complex, INN itself also creates some log files
in the same directory, without using the libc syslog functions.
So we end up with this set of files in the /var/log/news directory:
drwxrwxr-x 2 news news 4096 Nov 9 03:07 OLD
-rw-r--r-- 1 news news 0 Nov 9 03:05 errlog
-rw-rw-r-- 1 news news 1182678 Nov 9 04:34 expire.lastlowmark
-rw-rw-r-- 1 news news 3629414 Nov 9 04:34 expire.list
-rw-rw-r-- 1 news news 721 Nov 9 06:07 expire.log
-rw-rw-r-- 1 news news 1682 Nov 10 00:31 inn_status.html
-rw-rw-r-- 1 news news 0 Jan 25 2004 innfeed.log
-rw-rw-r-- 1 news news 3068 Nov 9 23:46 innfeed.status
-rw-r--r-- 1 news news 16771421 Nov 10 00:31 news
-rw-rw-r-- 1 news news 0 Nov 9 03:05 news.crit
-rw-rw-r-- 1 news news 435750 Feb 8 2004 news.debug
-rw-rw-r-- 1 news news 0 Nov 9 03:05 news.err
-rw-rw-r-- 1 news news 280656 Nov 10 00:28 news.notice
-rw-rw---- 1 news news 62872 Nov 9 03:07 unwanted.log
2. The INN application comes with an end-of-day processing job, called news.daily,
which -- among other things -- contains log rotation functionality.
This is what the news.daily manpage says about it:
    News.daily performs a number of important Usenet administrative functions.
    This includes producing a status report, removing old news articles,
    processing log files, rotating the archived log files, renumbering the
    active file, removing any old socket files found in the <pathrun in inn.conf>
    directory, and collecting the output. This program should be run under the
    news administrator's id, not as root.
The last sentence is important. It implies that the userid 'news' needs
full access to the files in the log directory /var/log/news!
If the /etc/cron.daily/syslog.cron job changes the mode and owner of the
log files, then the log rotation functionality of news.daily will fail.
Please note that the log rotation function of news.daily handles a mix
of syslog-managed and non-syslog-managed log files.
3. Regarding your last question about the output of syslogd-listfiles:
This is strange. Your results are different from mine:
# /usr/sbin/syslogd-listfiles -a | grep news
/var/log/news/news.notice
/var/log/news/news.crit
/var/log/news/news.err
# /usr/sbin/syslogd-listfiles --news | grep news
# /usr/sbin/syslogd-listfiles -a --news | grep news
/var/log/news/news.notice
/var/log/news/news.crit
/var/log/news/news.err
Thanks for your patience.
Regards,
Toon.
By the way, below is my current /etc/cron.daily/syslog.cron job.
Actually I don't understand why the current Gentoo script wants to
chmod and chown all log files. In my script below I reduced it to
only include the authorization log files (note that I removed the
'-a' commandline option there).
    #! /bin/sh
    # sysklogd Cron script to rotate system log files daily.
    #
    # If you want to rotate other logfiles daily, edit
    # this script. An easy way is to add them manually
    # or to add -a to syslogd-listfiles and add some grep
    # stuff
    #
    # Written by Martin Schulze <joey@debian.org>.
    # $Id: syslog-cron,v 1.4 2003/11/13 19:07:11 avenj Exp $
    cd /var/log
    for LOG in `/usr/sbin/syslogd-listfiles -a`
    do
        if [ -f $LOG ]; then
            # Skip the INN log files (all log files that contain the string "news"):
            if [ "${LOG}" = "${LOG/news/}" ] ; then
                /usr/sbin/savelog -p -c 7 $LOG >/dev/null
            else
                echo "${LOG} skipped..." >/dev/null
            fi
        fi
    done
    for LOG in `/usr/sbin/syslogd-listfiles --auth`
    do
        if [ -f $LOG ]; then
            /bin/chown root:adm $LOG
            /bin/chmod o-rwx $LOG
        fi
    done
    # Restart syslogd
    #
    /bin/killall -HUP syslogd
Hi, I did an 'emerge -uD sysklogd' last night. Here is the diff between my adapted /etc/cron.daily/syslog.cron and the emerged /etc/cron.daily/syslog.cron files: Showing differences between /etc/cron.daily/syslog.cron and /etc/cron.daily/._cfg0000_syslog.cron --- /etc/cron.daily/syslog.cron 2004-06-28 14:52:26.000000000 +0200 +++ /etc/cron.daily/._cfg0000_syslog.cron 2004-11-09 21:57:18.000000000 +0100 @@ -8,18 +8,13 @@ # stuff # # Written by Martin Schulze <joey@debian.org>. -# $Id: syslog-cron,v 1.4 2003/11/13 19:07:11 avenj Exp $ +# $Id: syslog-cron,v 1.5 2004/10/03 08:43:14 vapier Exp $ cd /var/log -for LOG in `/usr/sbin/syslogd-listfiles -a` +for LOG in `/usr/sbin/syslogd-listfiles` do if [ -f $LOG ]; then - # Skip the INN log files (all log files that contain the string "news"): - if [ "${LOG}" = "${LOG/news/}" ] ; then - /usr/sbin/savelog -p -c 7 $LOG >/dev/null - else - echo "${LOG} skipped..." >/dev/null - fi + /usr/sbin/savelog -g adm -m 640 -u root -c 7 $LOG >/dev/null fi done Well, then there is a problem somewhere else .. this is from syslogd-listfiles:
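Review bot: the added savelog line in the rotation loop of the syslog.cron diff above, `/usr/sbin/savelog -g adm -m 640 -u root -c 7 $LOG`, replaces `-p` with a forced owner, group and mode, so every file this loop rotates comes back as root:adm 0640 no matter which user has to write or post-process it. Keeping `-p` here and leaving ownership changes to the `--auth` loop would confine the tightening to the files that need it. Dropping `-a` from the `syslogd-listfiles` call in the same hunk also changes which files are rotated at all, so the resulting list should be checked against the default syslog.conf before this ships.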
----
# handled by news.daily from INN
next if (!$opt_news && ($pat =~ /news\.(crit|err|notice)/));
----
Meaning that because you changed the rules to have 'news.=err', etc, it fails
the regex, and lists the files.
This should fix it:
-----
--- syslogd-listfiles.orig 2004-11-10 21:17:52.048267040 +0200
+++ syslogd-listfiles 2004-11-10 21:17:40.279056232 +0200
@@ -84,7 +84,7 @@
($pat,$file) = split (/\t/,$line);
# handled by news.daily from INN
- next if (!$opt_news && ($pat =~ /news\.(crit|err|notice)/));
+ next if (!$opt_news && ($pat =~ /news\.[=!]*(crit|err|notice)/));
if ($opt_all) {
$output{$file} = 1;
-----
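Review bot: the alternation `(crit|err|notice)` on the changed `next if` line still limits the skip to three priorities, so a news rule written with any other priority (for example the `news.debug` rule that appears commented out earlier in this report, or a bare `news.*`) is still returned under `-a` and then rotated and re-owned by the cron job. If the intent is that everything INN's news.daily handles is left alone, match on the facility (`news\.`) or on the target directory instead of enumerating priorities, and note in the comment above the line which rules are meant to be excluded.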
Can you please apply that, and run these again:
# /usr/sbin/syslogd-listfiles -a | grep news
# /usr/sbin/syslogd-listfiles --news | grep news
# /usr/sbin/syslogd-listfiles -a --news | grep news
If that looks good, can you try with original syslog.cron ?
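
The effect of the patched pattern on the rules quoted in this report, as an added example (not part of the thread and not sysklogd's code). `SAMPLE_CONF`, `selector_skipped` and `list_all` are hypothetical names, the `mail.*` rule is constructed, `grep -E` stands in for the Perl match, and stripping the leading `-` from the file name is assumed from the listing output shown in the thread.

```shell
#!/bin/sh
# Constructed sample: the reporter's INN rules plus one unrelated rule,
# selector and file separated by a tab as the split(/\t/) in the patch expects.
SAMPLE_CONF=$(printf '%s\t%s\n' \
    'news.*;news.!=err;news.!=crit;news.!=debug' '-/var/log/news/news.notice' \
    'news.=crit' '-/var/log/news/news.crit' \
    'news.=err' '-/var/log/news/news.err' \
    '#news.debug' '-/var/log/news/news.debug' \
    'mail.*' '-/var/log/mail.log')

OLD_SKIP='news\.(crit|err|notice)'        # pattern before the patch
NEW_SKIP='news\.[=!]*(crit|err|notice)'   # pattern after the patch

# selector_skipped REGEX SELECTOR: succeeds when the rule would be left to
# news.daily (grep -E stands in for the Perl match; hypothetical helper).
selector_skipped() {
    printf '%s\n' "$2" | grep -Eq "$1"
}

# list_all REGEX: files a "-a" listing would return for SAMPLE_CONF.
# Stripping the leading "-" (no-sync marker) is assumed from the thread output.
list_all() {
    printf '%s\n' "$SAMPLE_CONF" |
    while IFS="$(printf '\t')" read -r pat file; do
        case $pat in ''|'#'*) continue ;; esac
        selector_skipped "$1" "$pat" && continue
        printf '%s\n' "${file#-}"
    done
}

echo "listed with the old pattern:";     list_all "$OLD_SKIP"
echo "listed with the patched pattern:"; list_all "$NEW_SKIP"
# A priority outside crit|err|notice is still listed after the patch:
selector_skipped "$NEW_SKIP" 'news.debug' || echo "news.debug rule: not skipped"
```

With the old pattern all three /var/log/news files are listed because `=` and `!=` sit between `news.` and the priority; with the patched pattern only the constructed mail log remains.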

Actually, just:

# /usr/sbin/syslogd-listfiles -a | grep news
# /usr/sbin/syslogd-listfiles -a --news | grep news

should be fine, as without -a (even with --news or --auth), it only lists the '*.*' syslogd rules ...

toon@news toon $ patch syslogd-listfiles patch
patching file syslogd-listfiles
Hunk #1 succeeded at 84 with fuzz 1.
toon@news toon $ ./syslogd-listfiles -a | grep news
toon@news toon $ ./syslogd-listfiles --news | grep news
toon@news toon $ ./syslogd-listfiles -a --news | grep news
/var/log/news/news.notice
/var/log/news/news.crit
/var/log/news/news.err

I'll look at the original syslog.cron later, when I have time. Thanks so far.

What's the status here?

(In reply to comment #5)
> removed -a from both listfile calls
>
> going by the output of `syslogd-listfiles`, it doesn't look like -a should be used by default
>
> that should fix both your bugs

Hmm, pretty old, but it explains why my /var/log is getting bigger. Removing the -a from the first line means that now only /var/log/syslog is rotated, but none of the other files. This is because in default syslog.conf only /var/log/syslog contains "*.*" as facility.priority, see also "man syslogd-listfiles". The -a should be added back to the first occurrence of syslogd-listfiles.

Regards,
Christian.

fixed in sysklogd-1.5

Maybe I'm a bit old-fashioned, but I use the app-admin/sysklogd package for a syslog daemon. With this package comes a cron job, named:

    /etc/cron.daily/syslog.cron

This script should rotate the logfiles. But it does more than that. It also tries to secure logfiles that could contain sensitive data. For this, it uses the following code snippet:

    for LOG in `/usr/sbin/syslogd-listfiles --auth -a`
    do
        if [ -f $LOG ]; then
            /bin/chown root.adm $LOG
            /bin/chmod o-rwx $LOG
        fi
    done

The bug is in the '-a' option that is passed to the syslogd-listfiles command. This causes syslogd-listfiles to return ALL logfile names, which in turn causes ALL logfiles to be tightly secured and given to root.adm!

This had catastrophic consequences for the logging of my INN news server. The news user didn't have access to its own logfiles anymore!

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

The solution is simple: remove the '-a' option from the syslogd-listfiles command in the /etc/cron.daily/syslog.cron script.

Regards,
Toon.