Bug 40304 - app-admin/sysklogd: /etc/cron.daily/syslog.cron changes the mode and owner of ALL logfiles
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: Gentoo's Team for Core System packages
Reported: 2004-02-03 11:26 UTC by toon
Modified: 2008-06-07 16:23 UTC
Description toon 2004-02-03 11:26:40 UTC
Maybe I'm a bit old-fashioned, but I use the app-admin/sysklogd package
for a syslog daemon. With this package comes a cron job, named:

/etc/cron.daily/syslog.cron

This script should rotate the logfiles. But it does more than that.
It also tries to secure logfiles that could contain sensitive data.
For this, it uses the following code snippet:

for LOG in `/usr/sbin/syslogd-listfiles --auth -a`
do
   if [ -f $LOG ]; then
      /bin/chown root.adm $LOG
      /bin/chmod o-rwx $LOG
   fi
done

The bug is in the '-a' option that is passed to the syslogd-listfiles command.
This causes syslogd-listfiles to return ALL logfile names, which in turn
causes ALL logfiles to be tightly secured and given to root.adm!
This had catastrophic consequences for the logging of my INN newsserver.
The news user didn't have access to its own logfiles anymore!

Reproducible: Always

The solution is simple: remove the '-a' option from the syslogd-listfiles
command in the /etc/cron.daily/syslog.cron script.

Regards,
Toon.
Comment 1 Martin Schlemmer (RETIRED) gentoo-dev 2004-02-15 13:45:28 UTC
I am assuming then it does not use the libc syslog facility, but tries to
work with the file directly?
Comment 2 toon 2004-02-15 14:01:13 UTC
I don't understand your question.

The shell script uses the program /usr/sbin/syslogd-listfiles --
which is part of the sysklogd package -- to find out which
log files to rotate.
But the call to the program uses an argument (-a) that it
shouldn't use in this case.

The problem has nothing to do with syslog facilities,
as far as I can see.
Comment 3 toon 2004-02-15 14:18:19 UTC
While we're at it: I noticed another problem
related to the /etc/cron.daily/syslog.cron script.
Above the fragment that this bug report was entered for,
it also contains the code below:

cd /var/log
for LOG in `/usr/sbin/syslogd-listfiles -a`
do
   if [ -f $LOG ]; then
      /usr/sbin/savelog -g adm -m 640 -u root -c 7 $LOG >/dev/null
   fi
done

This is wrong, because it will also rotate the INN news log files.
I had to adapt the fragment as below.
But look at the syslogd-listfiles manpage. It is not completely
clear to me how it should handle the INN log files in this case.
All I know is that my solution works.
Should I enter a separate bug report for this?

cd /var/log
for LOG in `/usr/sbin/syslogd-listfiles -a`
do
   if [ -f $LOG ]; then
      # Skip the INN log files (every file that contains the string 'news'):
      if [ "${LOG}" = "${LOG/news/}" ] ; then
          /usr/sbin/savelog -p -c 7 $LOG >/dev/null
      else
          # For debugging purposes:
          echo "Skipping ${LOG}..." >/dev/null
      fi
   fi
done
Comment 4 Martin Schlemmer (RETIRED) gentoo-dev 2004-02-19 10:43:30 UTC
I am asking how your news daemon does its logging ... if it uses the glibc
syslog facility, the permissions should not be a problem.
Comment 5 SpanKY gentoo-dev 2004-10-03 01:47:49 UTC
removed -a from both listfile calls

going by the output of `syslogd-listfiles`, it doesn't look like -a should be used by default

that should fix both your bugs
Comment 6 Martin Schlemmer (RETIRED) gentoo-dev 2004-11-09 14:38:55 UTC
This is still an issue.  Or rather, the proposed fix is an issue.

I will ask again: how does your news server handle its log files?  From what you
said in comment #1, it seems like it handles them itself, meaning it does not
use the libc syslog functionality (letting syslogd [or whatever logging daemon]
actually do the logging).

But if this is the case, then the log files of your news server should not
be in /etc/syslog.conf (which is how /usr/sbin/syslogd-listfiles finds them).
Meaning to fix the issue, you should have commented the entries in syslog.conf:

----
# Logging for INN news system
#
news.crit                       /var/log/news/news.crit
news.err                        /var/log/news/news.err
news.notice                     -/var/log/news/news.notice
----

Alternatively you can enable logging via syslog if your news server supports
it ...
Comment 7 Martin Schlemmer (RETIRED) gentoo-dev 2004-11-09 14:48:13 UTC
Another note - I cannot get news log files to display if I do not add --news:

----
nosferatu ~ # /usr/sbin/syslogd-listfiles -a | grep news
nosferatu ~ # /usr/sbin/syslogd-listfiles --news | grep news
nosferatu ~ # /usr/sbin/syslogd-listfiles -a --news | grep news
/var/log/news/news.crit
/var/log/news/news.notice
/var/log/news/news.err
nosferatu ~ #
----
Comment 8 toon 2004-11-09 16:00:50 UTC
OK, I admit that I didn't explain it very well.
I'll try again.

1. Yes, the application (INN) logs via the libc syslog functions.
   This results in the files news.notice, news.crit and news.err in /var/log/news.
   See the entries in my /etc/syslog.conf file (they are a little different
   from the original Gentoo entries, but the resulting files are the same):

       # Log files for the INN news system:
       #
       news.*;news.!=err;news.!=crit;news.!=debug -/var/log/news/news.notice
       news.=crit                                 -/var/log/news/news.crit
       news.=err                                  -/var/log/news/news.err
       #news.debug                                -/var/log/news/news.debug

   To make it even more complex, INN itself also creates some log files 
   in the same directory, without using the libc syslog functions.
   So we end up with this set of files in the /var/log/news directory:

       drwxrwxr-x  2 news news     4096 Nov  9 03:07 OLD
       -rw-r--r--  1 news news        0 Nov  9 03:05 errlog
       -rw-rw-r--  1 news news  1182678 Nov  9 04:34 expire.lastlowmark
       -rw-rw-r--  1 news news  3629414 Nov  9 04:34 expire.list
       -rw-rw-r--  1 news news      721 Nov  9 06:07 expire.log
       -rw-rw-r--  1 news news     1682 Nov 10 00:31 inn_status.html
       -rw-rw-r--  1 news news        0 Jan 25  2004 innfeed.log
       -rw-rw-r--  1 news news     3068 Nov  9 23:46 innfeed.status
       -rw-r--r--  1 news news 16771421 Nov 10 00:31 news
       -rw-rw-r--  1 news news        0 Nov  9 03:05 news.crit
       -rw-rw-r--  1 news news   435750 Feb  8  2004 news.debug
       -rw-rw-r--  1 news news        0 Nov  9 03:05 news.err
       -rw-rw-r--  1 news news   280656 Nov 10 00:28 news.notice
       -rw-rw----  1 news news    62872 Nov  9 03:07 unwanted.log

2. The INN application comes with an end-of-day processing job, called news.daily,
   which -- among other things -- contains log rotation functionality.
   This is what the news.daily manpage says about it:

       News.daily  performs  a number of important Usenet administrative func-
       tions.  This includes producing a  status  report,  removing  old  news
       articles, processing log files, rotating the archived log files, renum-
       bering the active file, removing any old  socket  files  found  in  the
       <pathrun  in inn.conf> directory, and collecting the output.  This pro-
       gram should be run under the news administrator's id, not as root.

   The last sentence is important. It implies that the userid 'news' needs
   full access to the files in the log directory /var/log/news!
   If the /etc/cron.daily/syslog.cron job changes the mode and owner of the
   log files, then the log rotation functionality of news.daily will fail.
   Please note that the log rotation function of news.daily handles a mix
   of syslog-managed and non-syslog-managed log files.

3. Regarding your last question about the output of syslogd-listfiles:
   This is strange. Your results are different from mine:

       # /usr/sbin/syslogd-listfiles -a | grep news
       /var/log/news/news.notice
       /var/log/news/news.crit
       /var/log/news/news.err
       # /usr/sbin/syslogd-listfiles --news | grep news
       # /usr/sbin/syslogd-listfiles -a --news | grep news
       /var/log/news/news.notice
       /var/log/news/news.crit
       /var/log/news/news.err

Thanks for your patience.
Regards,
Toon.

By the way, below is my current /etc/cron.daily/syslog.cron job.
Actually I don't understand why the current Gentoo script wants to
chmod and chown all log files. In my script below I reduced it to
only include the authorization log files (note that I removed the
'-a' commandline option there).

#! /bin/sh

# sysklogd      Cron script to rotate system log files daily.
#
#               If you want to rotate other logfiles daily, edit
#               this script.  An easy way is to add them manually
#               or to add -a to syslogd-listfiles and add some grep
#               stuff
#
#               Written by Martin Schulze <joey@debian.org>.
#               $Id: syslog-cron,v 1.4 2003/11/13 19:07:11 avenj Exp $

cd /var/log
for LOG in `/usr/sbin/syslogd-listfiles -a`
do
   if [ -f $LOG ]; then
      # Skip the INN log files (all log files that contain the string "news"):
      if [ "${LOG}" = "${LOG/news/}" ] ; then
          /usr/sbin/savelog -p -c 7 $LOG >/dev/null
      else
          echo "${LOG} skipped..." >/dev/null
      fi
   fi
done

for LOG in `/usr/sbin/syslogd-listfiles --auth`
do
   if [ -f $LOG ]; then
      /bin/chown root:adm $LOG
      /bin/chmod o-rwx $LOG
   fi
done

# Restart syslogd
#
/bin/killall -HUP syslogd
Comment 9 toon 2004-11-10 02:47:58 UTC
Hi, I did an 'emerge -uD sysklogd' last night.
Here is the diff between my adapted /etc/cron.daily/syslog.cron
and the emerged /etc/cron.daily/syslog.cron files:

Showing differences between /etc/cron.daily/syslog.cron and /etc/cron.daily/._cfg0000_syslog.cron
--- /etc/cron.daily/syslog.cron 2004-06-28 14:52:26.000000000 +0200
+++ /etc/cron.daily/._cfg0000_syslog.cron       2004-11-09 21:57:18.000000000 +0100
@@ -8,18 +8,13 @@
 #              stuff
 #
 #              Written by Martin Schulze <joey@debian.org>.
-#              $Id: syslog-cron,v 1.4 2003/11/13 19:07:11 avenj Exp $
+#              $Id: syslog-cron,v 1.5 2004/10/03 08:43:14 vapier Exp $

 cd /var/log
-for LOG in `/usr/sbin/syslogd-listfiles -a`
+for LOG in `/usr/sbin/syslogd-listfiles`
 do
    if [ -f $LOG ]; then
-      # Skip the INN log files (all log files that contain the string "news"):
-      if [ "${LOG}" = "${LOG/news/}" ] ; then
-          /usr/sbin/savelog -p -c 7 $LOG >/dev/null
-      else
-          echo "${LOG} skipped..." >/dev/null
-      fi
+      /usr/sbin/savelog -g adm -m 640 -u root -c 7 $LOG >/dev/null
    fi
 done
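Review bot: In the added `savelog` line, `-g adm -m 640 -u root` forces owner, group and mode on every file the loop lists, where the removed line used `-p` and skipped paths containing `news`. Any file that `syslogd-listfiles` returns and that a non-root daemon still has to write will be handed to root:adm at rotation. Consider keeping `-p` so rotation preserves each file's existing owner and mode. `$LOG` is also unquoted in both the `[ -f $LOG ]` test and the `savelog` call; quoting it avoids word splitting on unusual file names.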
Comment 10 Martin Schlemmer (RETIRED) gentoo-dev 2004-11-10 11:20:52 UTC
Well, then there is a problem somewhere else .. this is from syslogd-listfiles:

----
    # handled by news.daily from INN
    next if (!$opt_news && ($pat =~ /news\.(crit|err|notice)/));
----

Meaning that because you changed the rules to have 'news.=err', etc, it fails
the regex, and lists the files.

This should fix it:

-----
--- syslogd-listfiles.orig      2004-11-10 21:17:52.048267040 +0200
+++ syslogd-listfiles   2004-11-10 21:17:40.279056232 +0200
@@ -84,7 +84,7 @@
     ($pat,$file) = split (/\t/,$line);

     # handled by news.daily from INN
-    next if (!$opt_news && ($pat =~ /news\.(crit|err|notice)/));
+    next if (!$opt_news && ($pat =~ /news\.[=!]*(crit|err|notice)/));

     if ($opt_all) {
        $output{$file} = 1;
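Review bot: The new pattern `news\.[=!]*(crit|err|notice)` is unanchored and is tested against the whole `$pat`, so it also matches a selector that only excludes a news priority (for example one containing `news.!=err` after another facility), and that rule's file would then be skipped unless `--news` is given. Consider splitting `$pat` on `;` and checking that every selector names the news facility, or at least anchoring the match to the start of `$pat`, and extend the comment above the line to say which selector forms are meant to be covered.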
-----

Can you please apply that, and run these again:

  # /usr/sbin/syslogd-listfiles -a | grep news
  # /usr/sbin/syslogd-listfiles --news | grep news
  # /usr/sbin/syslogd-listfiles -a --news | grep news


If that looks good, can you try with original syslog.cron ?
Comment 11 Martin Schlemmer (RETIRED) gentoo-dev 2004-11-10 11:46:33 UTC
Actually, just:

  # /usr/sbin/syslogd-listfiles -a | grep news
  # /usr/sbin/syslogd-listfiles -a --news | grep news

should be fine, as without -a (even with --news or --auth), it only lists
the '*.*' syslogd rules ...
Comment 12 toon 2004-11-11 12:46:31 UTC
toon@news toon $ patch syslogd-listfiles patch
patching file syslogd-listfiles
Hunk #1 succeeded at 84 with fuzz 1.
toon@news toon $ ./syslogd-listfiles -a | grep news
toon@news toon $ ./syslogd-listfiles --news | grep news
toon@news toon $ ./syslogd-listfiles -a --news | grep news
/var/log/news/news.notice
/var/log/news/news.crit
/var/log/news/news.err

I'll look at the original syslog.cron later, when I have time.
Thanks so far.
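
The effect of the regex change from comment 10 on the syslog.conf entries quoted in comments 6 and 8, as an added example that is not part of the original thread or of sysklogd. The Perl patterns are reproduced with `grep -E`, and `list_all` and `count_listed` are hypothetical helpers that model only the `-a` listing and the news skip of syslogd-listfiles.

```shell
#!/bin/sh
# Added example, not sysklogd code. Models only two things from syslogd-listfiles:
# the "-a" listing and the "handled by news.daily" skip applied without --news.

OLD_RE='news\.(crit|err|notice)'          # regex before the patch in comment 10
NEW_RE='news\.[=!]*(crit|err|notice)'     # regex after the patch

# Stock Gentoo entries as quoted in comment 6.
STOCK_CONF='# Logging for INN news system
news.crit                       /var/log/news/news.crit
news.err                        /var/log/news/news.err
news.notice                     -/var/log/news/news.notice'

# The reporter's customised entries as quoted in comment 8.
CUSTOM_CONF='# Log files for the INN news system:
news.*;news.!=err;news.!=crit;news.!=debug -/var/log/news/news.notice
news.=crit                                 -/var/log/news/news.crit
news.=err                                  -/var/log/news/news.err
#news.debug                                -/var/log/news/news.debug'

# list_all REGEX CONF: print the log files a "-a" run without --news would
# return, i.e. every rule whose selector does NOT match the news regex.
list_all() {
    printf '%s\n' "$2" | while read -r sel file; do
        case $sel in ''|'#'*) continue ;; esac        # blank line or comment
        if printf '%s\n' "$sel" | grep -E -q -- "$1"; then
            continue                                  # left to news.daily
        fi
        printf '%s\n' "${file#-}"                     # drop the no-sync "-" prefix
    done
}

# count_listed REGEX CONF: number of files list_all returns.
count_listed() {
    list_all "$1" "$2" | wc -l | tr -d ' '
}

echo "stock conf,  old regex: $(count_listed "$OLD_RE" "$STOCK_CONF") file(s) listed"
echo "custom conf, old regex: $(count_listed "$OLD_RE" "$CUSTOM_CONF") file(s) listed"
echo "custom conf, new regex: $(count_listed "$NEW_RE" "$CUSTOM_CONF") file(s) listed"
```

The three files listed for the customised entries under the old regex correspond to the `-a` output in comment 8, and the empty list under the new regex corresponds to the `-a` output in comment 12.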
Comment 13 Jakub Moc (RETIRED) gentoo-dev 2005-10-10 05:59:01 UTC
What's the status here?
Comment 14 Chr. Schaefer 2007-01-12 11:10:54 UTC
(In reply to comment #5)
> removed -a from both listfile calls
> 
> going by the output of `syslogd-listfiles`, it doesn't look like -a should be used by default
> 
> that should fix both your bugs

Hmm, pretty old, but it explains why my /var/log is getting bigger. Removing the -a from the first line means that now only /var/log/syslog is rotated, but none of the other files. This is because in default syslog.conf only /var/log/syslog contains "*.*" as facility.priority, see also "man syslogd-listfiles".

The -a should be added back to the first occurrence of syslogd-listfiles.

Regards,
Christian.
Comment 15 SpanKY gentoo-dev 2008-06-07 16:23:59 UTC
fixed in sysklogd-1.5