Hi, all!
vdsm-logrotate kept reporting errors like "error: skipping "/var/log/core/core.3150.1321682189.dump" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation."
This was caused by setting /var/log/core world-writable in vdsm.spec.in. After I simply added "su root root" to the /var/log/core/*.dump rotation configuration, it seems to be solved now.
So is this the way to fix the problem? Or any better else?
On Fri, Dec 02, 2011 at 03:16:15PM +0800, Hunt Xu wrote:
> Hi, all!
> vdsm-logrotate kept reporting errors like "error: skipping "/var/log/core/core.3150.1321682189.dump" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation."
> This was caused by setting /var/log/core world-writable in vdsm.spec.in. After I simply added "su root root" to the /var/log/core/*.dump rotation configuration, it seems to be solved now.
> So is this the way to fix the problem? Or any better else?
Vdsm configures a world-writable /var/log/core/ in order to help debugging serious bugs in RHEV nodes (i.e. libvirtd/qemu/python crash). We were aware of the problems in this approach, and were ready to pay the price in the product RHEV. However, this may make less sense for a community project: if someone wants to keep his qemu core dumps, he can configure this himself, or use abrt or whatever.
However, I am not aware of the specific error that you are seeing. Which vdsm are you using? which kernel? where is the error log shown? What is your exact patch to vdsm/vdsm-logrotate.conf?
And most interesting: what had its core dumped? why?
Regards, Dan.
On Fri, Dec 2, 2011 at 9:30 PM, Dan Kenigsberg <danken@redhat.com> wrote:
> However, I am not aware of the specific error that you are seeing. Which vdsm are you using? which kernel? where is the error log shown? What is your exact patch to vdsm/vdsm-logrotate.conf?

on Fedora 16 machine
vdsm: vdsm.4.9.0-0.200.g2fc4e63.fc16.x86_64
logrotate: logrotate-3.8.0-3.fc16.x86_64
kernel: "uname -r" shows 3.1.0-0.rc6.git0.3.fc16.x86_64

I also generated a patch, attached. The errors were reported by sendmail to /var/spool/mail/root

> And most interesting: what had its core dumped? why?

I am still not clear about why. But logrotate kept reporting errors without the su directive used even though nothing under /var/log/core.
On Wed, Dec 07, 2011 at 11:09:13AM +0800, Hunt Xu wrote:
> On Fri, Dec 2, 2011 at 9:30 PM, Dan Kenigsberg <danken@redhat.com> wrote:
> > However, I am not aware of the specific error that you are seeing. Which vdsm are you using? which kernel? where is the error log shown? What is your exact patch to vdsm/vdsm-logrotate.conf?
>
> on Fedora 16 machine
> vdsm: vdsm.4.9.0-0.200.g2fc4e63.fc16.x86_64
> logrotate: logrotate-3.8.0-3.fc16.x86_64
> kernel: "uname -r" shows 3.1.0-0.rc6.git0.3.fc16.x86_64
>
> I also generated a patch, attached. The errors were reported by sendmail to /var/spool/mail/root
>
> > And most interesting: what had its core dumped? why?
>
> I am still not clear about why. But logrotate kept reporting errors without the su directive used even though nothing under /var/log/core.
Thanks for your patch. Would you be kind to post it on our gerrit.ovirt.org?
The patch is obviously helpful for new logrotate, but it is obtrusive to older ones. Could you make an autoconf trick so upstream works well for both?
Regards, Dan.
On Fri, Dec 02, 2011 at 03:16:15PM +0800, Hunt Xu wrote:
> Hi, all!
> vdsm-logrotate kept reporting errors like "error: skipping "/var/log/core/core.3150.1321682189.dump" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation."
> This was caused by setting /var/log/core world-writable in vdsm.spec.in. After I simply added "su root root" to the /var/log/core/*.dump rotation configuration, it seems to be solved now.
> So is this the way to fix the problem? Or any better else?
That is probably the correct solution - logrotate has recently changed to improve security. From Debian's /usr/share/doc/logrotate/NEWS.Debian.gz:
logrotate (3.8.0-1) experimental; urgency=low
Please note that this update changes the behaviour of logrotate:
Logrotate now skips directories which are world writable or writable by group which is not "root" unless the (new) "su" directive is used.
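The condition named in the error message and the NEWS entry above, restated as a small audit helper that reports whether a log file's parent directory would be skipped without `su`. This is an added example, not part of the original thread and not logrotate's own code; the function names are hypothetical and the directories are constructed in a temporary location.

```python
import os
import stat
import tempfile


def mode_is_insecure(mode: int, gid: int) -> bool:
    """World-writable, or group-writable by a group other than root (gid 0)."""
    world_writable = bool(mode & stat.S_IWOTH)
    non_root_group_writable = bool(mode & stat.S_IWGRP) and gid != 0
    return world_writable or non_root_group_writable


def parent_dir_insecure(log_path: str) -> bool:
    """Apply the check to the directory that holds log_path."""
    parent = os.path.dirname(os.path.abspath(log_path))
    st = os.stat(parent)
    return mode_is_insecure(st.st_mode, st.st_gid)


def demo() -> dict:
    """Constructed sample: a sticky world-writable dir and a 0755 dir."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("core", 0o1777), ("plain", 0o755)):
            d = os.path.join(root, name)
            os.mkdir(d)
            os.chmod(d, mode)  # chmod after mkdir so the umask cannot clear bits
            results[name] = parent_dir_insecure(os.path.join(d, "core.1.dump"))
    return results


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name}: {'skipped unless su is set' if flagged else 'ok'}")
```

Note that the sticky bit on the constructed `core` directory does not change the result: the check looks only at the write bits and the owning group.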
On Tue, Dec 06, 2011 at 01:21:09PM -0700, dann frazier wrote:
> On Fri, Dec 02, 2011 at 03:16:15PM +0800, Hunt Xu wrote:
> > Hi, all!
> > vdsm-logrotate kept reporting errors like "error: skipping "/var/log/core/core.3150.1321682189.dump" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation."
> > This was caused by setting /var/log/core world-writable in vdsm.spec.in. After I simply added "su root root" to the /var/log/core/*.dump rotation configuration, it seems to be solved now.
> > So is this the way to fix the problem? Or any better else?
>
> That is probably the correct solution - logrotate has recently changed to improve security. From Debian's /usr/share/doc/logrotate/NEWS.Debian.gz:
> logrotate (3.8.0-1) experimental; urgency=low
> Please note that this update changes the behaviour of logrotate:
> Logrotate now skips directories which are world writable or writable by group which is not "root" unless the (new) "su" directive is used.
Thanks, I was not aware of this.
vdsm-devel@lists.stg.fedorahosted.org