Logrotate issues with CentOS 7.1 packaged Kolab 3.4

Eric Renfro psi-jack at linux-help.org
Wed Oct 28 01:16:31 CET 2015


So, after installing Kolab and after logrotate started actually sending me mail for root, 
since it was not initially... I'm getting these emails nightly when logrotate runs:

/etc/cron.daily/logrotate:

error: skipping "/var/log/iRony/console" because parent directory has insecure 
permissions (It's world writable or writable by group which is not "root") Set "su" directive 
in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/iRony/errors" because parent directory has insecure permissions 
(It's world writable or writable by group which is not "root") Set "su" directive in config file 
to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/iRony/imap" because parent directory has insecure permissions 
(It's world writable or writable by group which is not "root") Set "su" directive in config file 
to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/iRony/ldap" because parent directory has insecure permissions 
(It's world writable or writable by group which is not "root") Set "su" directive in config file 
to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/iRony/sendmail" because parent directory has insecure 
permissions (It's world writable or writable by group which is not "root") Set "su" directive 
in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/iRony/sieve" because parent directory has insecure permissions 
(It's world writable or writable by group which is not "root") Set "su" directive in config file 
to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/iRony/smtp" because parent directory has insecure permissions 
(It's world writable or writable by group which is not "root") Set "su" directive in config file 
to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/iRony/sql" because parent directory has insecure permissions (It's 
world writable or writable by group which is not "root") Set "su" directive in config file to 
tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/iRony/userlogins" because parent directory has insecure 
permissions (It's world writable or writable by group which is not "root") Set "su" directive 
in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/kolab-freebusy/freebusy.log" because parent directory has 
insecure permissions (It's world writable or writable by group which is not "root") Set "su" 
directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/kolab-syncroton/console" because parent directory has insecure 
permissions (It's world writable or writable by group which is not "root") Set "su" directive 
in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/kolab-syncroton/errors" because parent directory has insecure 
permissions (It's world writable or writable by group which is not "root") Set "su" directive 
in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/kolab-syncroton/imap" because parent directory has insecure 
permissions (It's world writable or writable by group which is not "root") Set "su" directive 
in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/kolab-syncroton/ldap" because parent directory has insecure 
permissions (It's world writable or writable by group which is not "root") Set "su" directive 
in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/kolab-syncroton/sendmail" because parent directory has insecure 
permissions (It's world writable or writable by group which is not "root") Set "su" directive 
in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/kolab-syncroton/sieve" because parent directory has insecure 
permissions (It's world writable or writable by group which is not "root") Set "su" directive 
in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/kolab-syncroton/smtp" because parent directory has insecure 
permissions (It's world writable or writable by group which is not "root") Set "su" directive 
in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/kolab-syncroton/sql" because parent directory has insecure 
permissions (It's world writable or writable by group which is not "root") Set "su" directive 
in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/kolab-syncroton/userlogins" because parent directory has 
insecure permissions (It's world writable or writable by group which is not "root") Set "su" 
directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/roundcubemail/console" because parent directory has insecure 
permissions (It's world writable or writable by group which is not "root") Set "su" directive 
in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/roundcubemail/errors" because parent directory has insecure 
permissions (It's world writable or writable by group which is not "root") Set "su" directive 
in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/roundcubemail/imap" because parent directory has insecure 
permissions (It's world writable or writable by group which is not "root") Set "su" directive 
in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/roundcubemail/ldap" because parent directory has insecure 
permissions (It's world writable or writable by group which is not "root") Set "su" directive 
in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/roundcubemail/sendmail" because parent directory has insecure 
permissions (It's world writable or writable by group which is not "root") Set "su" directive 
in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/roundcubemail/sieve" because parent directory has insecure 
permissions (It's world writable or writable by group which is not "root") Set "su" directive 
in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/roundcubemail/smtp" because parent directory has insecure 
permissions (It's world writable or writable by group which is not "root") Set "su" directive 
in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/roundcubemail/sql" because parent directory has insecure 
permissions (It's world writable or writable by group which is not "root") Set "su" directive 
in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/roundcubemail/userlogins" because parent directory has insecure 
permissions (It's world writable or writable by group which is not "root") Set "su" directive 
in config file to tell logrotate which user/group should be used for rotation.

Looks like the packaged logrotate.d files for Kolab is broken, and needs some proper fine-
tuning. 

For example:

/etc/logrotate.d/iRony:

/var/log/iRony/console /var/log/iRony/errors /var/log/iRony/imap /var/log/iRony/ldap 
/var/log/iRony/sendmail /var/log/iRony/sieve /var/log/iRony/smtp /var/log/iRony/sql 
/var/log/iRony/userlogins {
    missingok
    compress
    notifempty
    size 30k
    create 0660 apache apache
}

Points to /var/log/iRony:

drwxrwx---.  2 apache apache     19 Oct 21 11:40 .
drwxr-xr-x. 20 root   root     4096 Oct 27 11:10 ..
-rw-r--r--.  1 apache apache 197970 Oct 27 20:01 errors

So, technically it's correct in that these log files are writable to someone other than root, 
because they're owned by the Apache user.

Since these files/directories are owned by apache:apache, the logrotate.d needs to 
resemble that with a su line like so:

su apache apache

This insures that it's handled as the apache user, and removes these errors (or should, I'll 
be trying it for tonight's run).

Eric Renfro

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kolab.org/pipermail/users/attachments/20151027/b98cc41f/attachment.html>


More information about the users mailing list