Maybe I'm a bit old-fashioned, but I use the app-admin/sysklogd package for a syslog daemon. With this package comes a cron job, named:

    /etc/cron.daily/syslog.cron

This script should rotate the logfiles. But it does more than that. It also tries to secure logfiles that could contain sensitive data. For this, it uses the following code snippet:

    for LOG in `/usr/sbin/syslogd-listfiles --auth -a`
    do
       if [ -f $LOG ]; then
          /bin/chown root.adm $LOG
          /bin/chmod o-rwx $LOG
       fi
    done

The bug is in the '-a' option that is passed to the syslogd-listfiles command. This causes syslogd-listfiles to return ALL logfile names, which in turn causes ALL logfiles to be tightly secured and given to root.adm!

This had catastrophic consequences for the logging of my INN newsserver. The news user didn't have access to its own logfiles anymore!

Reproducible: Always
Steps to Reproduce: 1. 2. 3.

The solution is simple: remove the '-a' option from the syslogd-listfiles command in the /etc/cron.daily/syslog.cron script.

Regards,
Toon.
I am assuming then it does not use the libc syslog facility, but tries to work with the file directly?
I don't understand your question. The shell script uses the program /usr/sbin/syslogd-listfiles -- which is part of the sysklogd package -- to find out which log files to rotate. But the call to the program uses an argument (-a) that it shouldn't use in this case. The problem has nothing to do with syslog facilities, as far as I can see.
While we're at it: I noticed another problem related to the /etc/cron.daily/syslog.cron script. Above the fragment that this bug report was entered for, it also contains the code below:

    cd /var/log
    for LOG in `/usr/sbin/syslogd-listfiles -a`
    do
       if [ -f $LOG ]; then
          /usr/sbin/savelog -g adm -m 640 -u root -c 7 $LOG >/dev/null
       fi
    done

This is wrong, because it will also rotate the INN news log files. I had to adapt the fragment as below. But look at the syslogd-listfiles manpage. It is not completely clear to me how it should handle the INN log files in this case. All I know is that my solution works. Should I enter a separate bug report for this?

    cd /var/log
    for LOG in `/usr/sbin/syslogd-listfiles -a`
    do
       if [ -f $LOG ]; then
          # Skip the INN log files (every file that contains the string 'news'):
          if [ "${LOG}" = "${LOG/news/}" ] ; then
             /usr/sbin/savelog -p -c 7 $LOG >/dev/null
          else
             # For debugging purposes:
             echo "Skipping ${LOG}..." >/dev/null
          fi
       fi
    done
I am asking how your news daemon does its logging ... if it uses the glibc syslog facility, the permissions should not be a problem.
removed -a from both listfile calls

going by the output of `syslogd-listfiles`, it doesn't look like -a should be used by default

that should fix both your bugs
This is still an issue. Or rather, the proposed fix is an issue.

I will ask again: how does your news server handle its log files? From what you said in comment #1, it seems like it handles them itself, meaning it does not use the libc syslog functionality (letting syslogd [or whatever logging daemon] actually do the logging). But if this is the case, then the log files of your news server should not be in /etc/syslog.conf (which is how /usr/sbin/syslogd-listfiles finds them).

Meaning to fix the issue, you should have commented the entries in syslog.conf:

----
# Logging for INN news system
#
news.crit       /var/log/news/news.crit
news.err        /var/log/news/news.err
news.notice     -/var/log/news/news.notice
----

Alternatively you can enable logging via syslog if your news server supports it ...
Another note - I cannot get news log files to display if I do not add --news:

----
nosferatu ~ # /usr/sbin/syslogd-listfiles -a | grep news
nosferatu ~ # /usr/sbin/syslogd-listfiles --news | grep news
nosferatu ~ # /usr/sbin/syslogd-listfiles -a --news | grep news
/var/log/news/news.crit
/var/log/news/news.notice
/var/log/news/news.err
nosferatu ~ #
----
OK, I admit that I didn't explain it very well. I'll try again.

1. Yes, the application (INN) logs via the libc syslog functions. This results in the files news.notice, news.crit and news.err in /var/log/news. See the entries in my /etc/syslog.conf file (they are a little different from the original Gentoo entries, but the resulting files are the same):

    # Log files for the INN news system:
    #
    news.*;news.!=err;news.!=crit;news.!=debug   -/var/log/news/news.notice
    news.=crit                                   -/var/log/news/news.crit
    news.=err                                    -/var/log/news/news.err
    #news.debug                                  -/var/log/news/news.debug

To make it even more complex, INN itself also creates some log files in the same directory, without using the libc syslog functions. So we end up with this set of files in the /var/log/news directory:

    drwxrwxr-x  2 news news     4096 Nov  9 03:07 OLD
    -rw-r--r--  1 news news        0 Nov  9 03:05 errlog
    -rw-rw-r--  1 news news  1182678 Nov  9 04:34 expire.lastlowmark
    -rw-rw-r--  1 news news  3629414 Nov  9 04:34 expire.list
    -rw-rw-r--  1 news news      721 Nov  9 06:07 expire.log
    -rw-rw-r--  1 news news     1682 Nov 10 00:31 inn_status.html
    -rw-rw-r--  1 news news        0 Jan 25  2004 innfeed.log
    -rw-rw-r--  1 news news     3068 Nov  9 23:46 innfeed.status
    -rw-r--r--  1 news news 16771421 Nov 10 00:31 news
    -rw-rw-r--  1 news news        0 Nov  9 03:05 news.crit
    -rw-rw-r--  1 news news   435750 Feb  8  2004 news.debug
    -rw-rw-r--  1 news news        0 Nov  9 03:05 news.err
    -rw-rw-r--  1 news news   280656 Nov 10 00:28 news.notice
    -rw-rw----  1 news news    62872 Nov  9 03:07 unwanted.log

2. The INN application comes with an end-of-day processing job, called news.daily, which -- among other things -- contains log rotation functionality. This is what the news.daily manpage says about it:

    News.daily performs a number of important Usenet administrative
    functions. This includes producing a status report, removing old
    news articles, processing log files, rotating the archived log
    files, renumbering the active file, removing any old socket files
    found in the <pathrun in inn.conf> directory, and collecting the
    output. This program should be run under the news administrator's
    id, not as root.

The last sentence is important. It implies that the userid 'news' needs full access to the files in the log directory /var/log/news! If the /etc/cron.daily/syslog.cron job changes the mode and owner of the log files, then the log rotation functionality of news.daily will fail. Please note that the log rotation function of news.daily handles a mix of syslog-managed and non-syslog-managed log files.

3. Regarding your last question about the output of syslogd-listfiles: This is strange. Your results are different from mine:

    # /usr/sbin/syslogd-listfiles -a | grep news
    /var/log/news/news.notice
    /var/log/news/news.crit
    /var/log/news/news.err
    # /usr/sbin/syslogd-listfiles --news | grep news
    # /usr/sbin/syslogd-listfiles -a --news | grep news
    /var/log/news/news.notice
    /var/log/news/news.crit
    /var/log/news/news.err

Thanks for your patience.

Regards,
Toon.

By the way, below is my current /etc/cron.daily/syslog.cron job. Actually I don't understand why the current Gentoo script wants to chmod and chown all log files. In my script below I reduced it to only include the authorization log files (note that I removed the '-a' commandline option there).

    #! /bin/sh

    # sysklogd      Cron script to rotate system log files daily.
    #
    #               If you want to rotate other logfiles daily, edit
    #               this script.  An easy way is to add them manually
    #               or to add -a to syslogd-listfiles and add some grep
    #               stuff
    #
    #               Written by Martin Schulze <joey@debian.org>.
    #               $Id: syslog-cron,v 1.4 2003/11/13 19:07:11 avenj Exp $

    cd /var/log
    for LOG in `/usr/sbin/syslogd-listfiles -a`
    do
       if [ -f $LOG ]; then
          # Skip the INN log files (all log files that contain the string "news"):
          if [ "${LOG}" = "${LOG/news/}" ] ; then
             /usr/sbin/savelog -p -c 7 $LOG >/dev/null
          else
             echo "${LOG} skipped..." >/dev/null
          fi
       fi
    done

    for LOG in `/usr/sbin/syslogd-listfiles --auth`
    do
       if [ -f $LOG ]; then
          /bin/chown root:adm $LOG
          /bin/chmod o-rwx $LOG
       fi
    done

    # Restart syslogd
    #
    /bin/killall -HUP syslogd
Hi, I did an 'emerge -uD sysklogd' last night. Here is the diff between my adapted /etc/cron.daily/syslog.cron and the emerged /etc/cron.daily/syslog.cron files: Showing differences between /etc/cron.daily/syslog.cron and /etc/cron.daily/._cfg0000_syslog.cron --- /etc/cron.daily/syslog.cron 2004-06-28 14:52:26.000000000 +0200 +++ /etc/cron.daily/._cfg0000_syslog.cron 2004-11-09 21:57:18.000000000 +0100 @@ -8,18 +8,13 @@ # stuff # # Written by Martin Schulze <joey@debian.org>. -# $Id: syslog-cron,v 1.4 2003/11/13 19:07:11 avenj Exp $ +# $Id: syslog-cron,v 1.5 2004/10/03 08:43:14 vapier Exp $ cd /var/log -for LOG in `/usr/sbin/syslogd-listfiles -a` +for LOG in `/usr/sbin/syslogd-listfiles` do if [ -f $LOG ]; then - # Skip the INN log files (all log files that contain the string "news"): - if [ "${LOG}" = "${LOG/news/}" ] ; then - /usr/sbin/savelog -p -c 7 $LOG >/dev/null - else - echo "${LOG} skipped..." >/dev/null - fi + /usr/sbin/savelog -g adm -m 640 -u root -c 7 $LOG >/dev/null fi done
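Review bot: the added `savelog -g adm -m 640 -u root -c 7 $LOG` line forces root:adm ownership and mode 640 on every file the loop visits, and the same hunk removes the only per-file exclusion (the `news` skip), so nothing in the script itself now protects log files that another user has to write or rotate; it all depends on what `syslogd-listfiles` returns without `-a`. A comment above the loop saying which syslog.conf rules that default is expected to cover would make this checkable. `$LOG` should also be quoted in `[ -f $LOG ]` and in the `savelog` call so that a path containing whitespace or glob characters is not split.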
Well, then there is a problem somewhere else .. this is from syslogd-listfiles: ---- # handled by news.daily from INN next if (!$opt_news && ($pat =~ /news\.(crit|err|notice)/)); ---- Meaning that because you changed the rules to have 'news.=err', etc, it fails the regex, and list the files. This should fix it: ----- --- syslogd-listfiles.orig 2004-11-10 21:17:52.048267040 +0200 +++ syslogd-listfiles 2004-11-10 21:17:40.279056232 +0200 @@ -84,7 +84,7 @@ ($pat,$file) = split (/\t/,$line); # handled by news.daily from INN - next if (!$opt_news && ($pat =~ /news\.(crit|err|notice)/)); + next if (!$opt_news && ($pat =~ /news\.[=!]*(crit|err|notice)/)); if ($opt_all) { $output{$file} = 1; ----- Can you please apply that, and run these again: # /usr/sbin/syslogd-listfiles -a | grep news # /usr/sbin/syslogd-listfiles --news | grep news # /usr/sbin/syslogd-listfiles -a --news | grep news If that looks good, can you try with original syslog.cron ?
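Review bot: in the changed `next if` line the pattern is still matched unanchored against the whole `$pat`, and with `[=!]*` it now also matches negated selectors such as `news.!=err`, so a rule whose selector list only excludes a news priority is skipped as INN-handled as well. Consider splitting `$pat` on `;` and testing each selector from its start, and deciding explicitly whether a selector containing `!` should count as a news rule; a short comment with the selector forms the pattern is meant to accept would help the next reader.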
Actually, just:

    # /usr/sbin/syslogd-listfiles -a | grep news
    # /usr/sbin/syslogd-listfiles -a --news | grep news

should be fine, as without -a (even with --news or --auth), it only lists the '*.*' syslogd rules ...
toon@news toon $ patch syslogd-listfiles patch
patching file syslogd-listfiles
Hunk #1 succeeded at 84 with fuzz 1.
toon@news toon $ ./syslogd-listfiles -a | grep news
toon@news toon $ ./syslogd-listfiles --news | grep news
toon@news toon $ ./syslogd-listfiles -a --news | grep news
/var/log/news/news.notice
/var/log/news/news.crit
/var/log/news/news.err

I'll look at the original syslog.cron later, when I have time. Thanks so far.
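Added example (not part of the bug thread and not sysklogd code): the two news-filter patterns quoted above, run against the syslog.conf rules that appear in this thread, with `grep -E` standing in for the Perl match. The function names are hypothetical and the last rule (`*.*;news.!=crit`) is constructed to show a selector list that the patched pattern also treats as INN-handled.

```shell
#!/bin/sh
# Added example, not sysklogd code. grep -E stands in for the Perl match.
OLD_RE='news\.(crit|err|notice)'        # filter before the patch
NEW_RE='news\.[=!]*(crit|err|notice)'   # filter from the proposed patch

# Rules 1-3: the Gentoo default entries quoted in the thread.
# Rules 4-6: the reporter's modified entries quoted in the thread.
# Rule 7:    constructed catch-all rule that only excludes news.crit.
sample_conf() {
cat <<'EOF'
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
news.*;news.!=err;news.!=crit;news.!=debug -/var/log/news/news.notice
news.=crit -/var/log/news/news.crit
news.=err -/var/log/news/news.err
*.*;news.!=crit -/var/log/syslog
EOF
}

# news_filter PATTERN
# For every rule, report whether the whole selector field matches PATTERN
# ("skip": left to news.daily) or not ("list": handed to the cron job,
# which rotates the file and may change its owner and mode).
news_filter() {
    sample_conf | while read -r selector target; do
        if printf '%s\n' "$selector" | grep -Eq "$1"; then
            verdict=skip
        else
            verdict=list
        fi
        # Strip the leading "-" (no-sync marker) from the target path.
        printf '%s\t%s\t%s\n' "$verdict" "$selector" "${target#-}"
    done
}

echo "== pattern before the patch =="
news_filter "$OLD_RE"
echo "== patched pattern =="
news_filter "$NEW_RE"
```
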
What's the status here?
(In reply to comment #5)
> removed -a from both listfile calls
>
> going by the output of `syslogd-listfiles`, it doesn't look like -a should be used by default
>
> that should fix both your bugs

Hmm, pretty old, but it explains why my /var/log is getting bigger. Removing the -a from the first line means that now only /var/log/syslog is rotated, but none of the other files. This is because in default syslog.conf only /var/log/syslog contains "*.*" as facility.priority, see also "man syslogd-listfiles". The -a should be added back to the first occurrence of syslogd-listfiles.

Regards,
Christian.
fixed in sysklogd-1.5