Introduction
This document describes how to resolve logrotate failures caused by permission issues on the parent directories of log files.
Problem
When we experience disk space issues, we rotate the susceptible logs to avoid future issues.
When you verify log rotation after it has been set up, these errors are expected:
[root@localhost logrotate.d]# logrotate /etc/logrotate.conf
error: syslog:1 duplicate log entry for /var/log/boot.log
error: found error in file syslog, skipping
error: skipping "/var/pari/dash/webui/tomcat/logs/catalina.out" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
Solution
Two concerns require intervention:
1. The first error indicates a duplicate entry for the log /var/log/boot.log in the file syslog. The solution is to eliminate the duplicate entry.
2. The solution to the second error, "parent directory has insecure permissions", is more complicated.
The directory that contains the logs we attempt to rotate is not secure. The message gives more detail:
It is world writable or writable by group which is not "root"
This message indicates that the parent directory of the log file has permissions that allow either the group (which is not root) or others to write.
Both conditions are considered insecure under the set rules. There are two options:
a. Change the rules to permit this group (in our case nccmuser) to write.
Or
b. Remove the group write permission from the parent directory where the log file is present.
This alternative is recommended because the nccmuser group belongs to the user nccmuser, which already has write permission.
It is always advisable not to alter the standardized rules set by the operating system.
To avoid this problem, remove the write permission for the group nccmuser on the logs directory available to nccmuser:
[root@localhost tomcat]# pwd
/var/pari/dash/webui/tomcat
[root@localhost tomcat]# ls -l
total 140
drwxrwxr-x. 2 nccmuser nccmusers 4096 Oct 11 2021 bin
-rwxrwxr-x. 1 nccmuser nccmusers 18949 Oct 11 2021 BUILDING.txt
drwxrwxr-x. 3 nccmuser nccmusers 4096 Oct 11 2021 conf
-rwxrwxr-x. 1 nccmuser nccmusers 6210 Oct 11 2021 CONTRIBUTING.md
drwxrwxr-x. 2 nccmuser nccmusers 4096 Oct 11 2021 lib
-rwxrwxr-x. 1 nccmuser nccmusers 57092 Oct 11 2021 LICENSE
drwxrwxr-x. 2 nccmuser nccmusers 4096 May 23 11:50 logs
-rwxrwxr-x. 1 nccmuser nccmusers 2333 Oct 11 2021 NOTICE
-rwxrwxr-x. 1 nccmuser nccmusers 3372 Oct 11 2021 README.md
-rwxrwxr-x. 1 nccmuser nccmusers 6898 Oct 11 2021 RELEASE-NOTES
-rwxrwxr-x. 1 nccmuser nccmusers 16507 Oct 11 2021 RUNNING.txt
drwxrwxr-x. 2 nccmuser nccmusers 4096 May 20 20:23 temp
drwxrwxr-x. 6 nccmuser nccmusers 134 Oct 18 2021 webapps
drwxrwxr-x. 3 nccmuser nccmusers 22 Oct 11 2021 work
[root@localhost tomcat]# chmod 755 logs
[root@localhost tomcat]#
After both remediations are performed, these errors no longer appear when you run the logrotate command:
[root@localhost tomcat]# logrotate /etc/logrotate.conf
[root@localhost tomcat]#
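To find other log directories that would trigger the same skip before logrotate runs, the condition quoted in the error message (world writable, or writable by a group that is not root) can be checked directly. This is an added example, not part of the original document or of logrotate; the function names mode_is_insecure and check_log_parent are hypothetical, and it assumes GNU coreutils stat.

```shell
#!/bin/sh
# Added example (not from logrotate or the original document).
# Applies the condition quoted in the error message to a log's parent directory.

# mode_is_insecure OCTAL_MODE GID
# Returns 0 when the mode is world-writable, or group-writable while the
# owning group is not root (gid 0); returns 1 otherwise.
mode_is_insecure() {
    mode=$((0$1))   # leading 0 makes the shell parse the digits as octal
    [ $((mode & 0002)) -ne 0 ] && return 0
    [ $((mode & 0020)) -ne 0 ] && [ "$2" -ne 0 ] && return 0
    return 1
}

# check_log_parent LOGFILE
# Returns 0 and prints INSECURE if the parent directory matches the condition,
# 1 if it does not, 2 if the directory cannot be inspected.
check_log_parent() {
    dir=$(dirname -- "$1")
    # Assumes GNU coreutils stat: %a = octal mode, %g = numeric group id
    info=$(stat -c '%a %g' -- "$dir") || return 2
    perm=${info% *}
    gid=${info#* }
    if mode_is_insecure "$perm" "$gid"; then
        echo "INSECURE: $dir (mode $perm, gid $gid)"
        return 0
    fi
    echo "ok: $dir (mode $perm, gid $gid)"
    return 1
}

# Check every log path given on the command line, for example:
#   sh check_parent.sh /var/pari/dash/webui/tomcat/logs/catalina.out
for f in "$@"; do
    check_log_parent "$f"
done
```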