logrotate doesn't honor file ACL

I’ve set an extended file ACL, through setfacl, granting a user read rights
to /var/log/messages. This works like a charm.
However, every time the file is rotated through logrotate the extended file
ACL gets lost.
In /etc/logrotate.d/syslog the following is defined:

/var/log/warn /var/log/messages /var/log/allmessages /var/log/localmessages /var/log/firewall /var/log/acpid /var/log/NetworkManager {
compress
dateext
maxage 365
rotate 99
missingok
notifempty
size +4096k
create 640 root root
sharedscripts
postrotate
/etc/init.d/syslog reload > /dev/null
endscript
}

This tells logrotate to create a new file with permissions 640 with owner root:root.
I’m guessing this is what causes the extended ACL to be dropped. As far as I know logrotate
should keep the existing permissions of the file when creating the new one, or am I wrong?
What needs to be done to keep the existing config for how /var/log/messages is rotated while
keeping the extended ACL permission as well?

Thanks

On 30/10/2013 10:14, jdoeconsulting wrote:

> I’ve set an extended file ACL, through setfacl, granting a user read
> rights to /var/log/messages. This works like a charm.
> However, every time the file is rotated through logrotate the extended
> file ACL gets lost.
> In /etc/logrotate.d/syslog the following is defined:
>
> /var/log/warn /var/log/messages /var/log/allmessages
> /var/log/localmessages /var/log/firewall /var/log/acpid
> /var/log/NetworkManager {
> compress
> dateext
> maxage 365
> rotate 99
> missingok
> notifempty
> size +4096k
> create 640 root root
> sharedscripts
> postrotate
> /etc/init.d/syslog reload > /dev/null
> endscript
> }
>
> This tells logrotate to create a new file with permissions 640 with
> owner root:root.
> I’m guessing this is what causes the extended ACL to be dropped. As far
> as I know logrotate should keep the existing permissions of the file
> when creating the new one, or am I wrong?
> What needs to be done to keep the existing config for how
> /var/log/messages is rotated while keeping the extended ACL permission
> as well?

Whilst you can use the logrotate “create” directive to set the mode,
owner, and/or group of the new log file (see below), this doesn’t (re)set
the ACLs.

–begin–
create mode owner group
Immediately after rotation (before the postrotate script is run)
the log file is created (with the same name as the log file just
rotated). mode specifies the mode for the log file in octal
(the same as chmod(2)), owner specifies the user name who will
own the log file, and group specifies the group the log file
will belong to. Any of the log file attributes may be omitted,
in which case those attributes for the new file will use the
same values as the original log file for the omitted attributes.
This option can be disabled using the nocreate option.
—end—

What you can do instead (or as well) is use the “postrotate” directive
to (re)set the ACLs

–begin–
postrotate/endscript
The lines between postrotate and endscript (both of which must
appear on lines by themselves) are executed (using /bin/sh)
after the log file is rotated. These directives may only appear
inside a log file definition. Normally, the absolute path to the
log file is passed as first argument to the script. If sharedscripts
is specified, whole pattern is passed to the script.
See also prerotate. See sharedscripts and nosharedscripts for
error handling.
—end—

So for the example you gave, add your setfacl command(s) above the
“endscript” directive which will give you something like

–begin–
/var/log/warn /var/log/messages /var/log/allmessages
/var/log/localmessages /var/log/firewall /var/log/acpid
/var/log/NetworkManager {
compress
dateext
maxage 365
rotate 99
missingok
notifempty
size +4096k
create 640 root root
sharedscripts
postrotate
/etc/init.d/syslog reload > /dev/null
/path/to/setfacl …
endscript
}
—end—

HTH.

Simon
SUSE Knowledge Partner


If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.
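Simon’s postrotate approach carried into a small helper script (an added example, not code from this thread or from SUSE): it re-applies the named-user read ACL to every file in the pattern logrotate hands to a sharedscripts postrotate block, verifies the entry with getfacl, and offers an audit-only mode so the drift reported above is caught before someone loses access. The install path /usr/local/sbin/restore-log-acl and the user name logreader are assumptions.

```shell
#!/bin/sh
# Assumed install path (hypothetical): /usr/local/sbin/restore-log-acl,
# called from the postrotate block of /etc/logrotate.d/syslog, e.g.
#   postrotate
#       /etc/init.d/syslog reload > /dev/null
#       /usr/local/sbin/restore-log-acl "$1"
#   endscript
# With "sharedscripts" logrotate passes the whole file pattern as ONE
# argument, so the script splits that argument into paths itself.

ACL_USER="${ACL_USER:-logreader}"   # constructed example user name

# has_read_acl FILE USER: succeed if FILE carries a named-user read entry
# (getfacl prints it as "user:NAME:r--").
has_read_acl() {
    getfacl --omit-header "$1" 2>/dev/null | grep -q "^user:$2:r"
}

# restore_log_acl "PATTERN" USER: re-apply the read ACL on every existing
# path in PATTERN, then verify; returns 1 if any file still lacks it.
restore_log_acl() {
    _missing=0
    for _f in $1; do
        [ -f "$_f" ] || continue       # missingok: a listed log may be absent
        setfacl -m "u:$2:r" "$_f" 2>/dev/null || true
        if ! has_read_acl "$_f" "$2"; then
            echo "ACL not restored on $_f" >&2
            _missing=1
        fi
    done
    return $_missing
}

# check_log_acl "PATTERN" USER: audit-only mode (e.g. from cron) that reports
# ACL drift after a rotation without changing anything.
check_log_acl() {
    _bad=0
    for _f in $1; do
        [ -f "$_f" ] || continue
        has_read_acl "$_f" "$2" || { echo "drift: $_f lacks u:$2:r" >&2; _bad=1; }
    done
    return $_bad
}

case "${1:-}" in
    "")      ;;                                    # no args: functions only
    --check) check_log_acl "$2" "$ACL_USER" ;;
    *)       restore_log_acl "$1" "$ACL_USER" ;;
esac
```

Run it with `--check "/var/log/messages /var/log/warn"` from cron to get a non-zero exit and a stderr line whenever a rotation has silently dropped the entry.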

Looks like this may be fixed in newer code too, give or take in logrotate
3.7.9. It may be worth trying in case these changes have been backported
into the latest version that SLES ships, though I do not see it in the
changelog on my SLES 11 SP3 system currently:

http://svn.fedorahosted.org/svn/logrotate/tags/r3-8-7/CHANGES


Good luck.


Thanks Simon,

I thought about going that route to reset the ACL in the postrotate script.
But just as ab points out I noticed when searching on this one that there
was a bug report for this issue in the Red Hat bugzilla.
Just as ab notes, it seems the fix is not yet in the SLES distro, so SLES
has the same issue.

I’ll go with the postrotate script to fix the issue at hand.

Thanks

Yes I noticed that.
I’ll use the postrotate script to fix the issue at hand.

Thanks!

On 30/10/2013 14:14, jdoeconsulting wrote:

> I thought about going that route to reset the ACL in the postrotate
> script.
> But just as ab points out I noticed when searching on this one that
> there was a bug report for this issue in the Red Hat bugzilla.
> Just as ab notes, it seems the fix is not yet in the SLES distro, so SLES
> has the same issue.

You didn’t say which version of SLES you’re using but checking packages
and updates for SLES11 SP1-SP3 it seems the version of logrotate SUSE
are using is version 3.7.7 with some security fixes backported.

HTH.

Simon
SUSE Knowledge Partner



Simon,

I’m sorry I missed informing you that I was running with SLES 11 SP2.

Anyhow I’ve implemented the fix by using the postrotate script to run
the setfacl command and it works just fine.

Thanks!

On 31/10/2013 08:34, jdoeconsulting wrote:

> I’m sorry I missed informing you that I was running with SLES 11 SP2.

No problem. In this case it doesn’t seem to make a difference (SLES11
SPx = logrotate 3.7.7) but most of the time it’s important to note.

> Anyhow I’ve implemented the fix by using the postrotate script to run
> the setfacl command and it works just fine.

That’s good to hear, thanks for the report back.

Simon
SUSE Knowledge Partner

