Never mind my previous idea. It does not work, as /var/log/tomcat9 is group writable by the `adm` group. Causes the following problem: :(

    # logrotate -f /etc/logrotate.d/tomcat9
    error: skipping "/var/log/tomcat9/catalina.out" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

________________________________
From: Evren Yurtesen
Sent: Thursday, April 14, 2022 10:39:58 PM
To: Markus Koschany; Utkarsh Gupta
Cc: 1008...@bugs.debian.org
Subject: Re: bug #1008668: tomcat9: logrotated is not able to truncate catalina.out

Hi Markus,

You are quite right. The root cause of the issue is Ubuntu dropping the privileges of rsyslogd to the `syslog` user. This change was done way back in ~2009 in the Ubuntu package. https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/388608 (which does not explain the benefits very clearly, but my assumption is an attempt at improving security).

As you put it adequately, there are other Debian packages that also use rsyslogd. This change in Ubuntu's rsyslog configuration should be affecting those also. I had a quick look using apt-file for packages which put configurations into /etc/rsyslog.d. The ones I checked do not seem to specify a certain user/group in the rsyslog config. This causes files to be owned as root:adm with 640 permissions in Debian, which is the default according to `/etc/rsyslog.conf`, and in Ubuntu they would be owned according to Ubuntu's default settings automatically as well.

Could it be more acceptable if the 'fileOwner="tomcat"' setting was simply removed from the rsyslog config of tomcat9? In addition, the 'create 640 tomcat adm' and 'su tomcat adm' settings could be removed from the logrotate config of tomcat9?

One advantage for Debian is that `tomcat` itself can't read the log files anymore. This could be considered more secure. But not that it would help much, as the tomcat9 package triple-logs everything. First through syslog to catalina.out, then directly to catalina.YYYY-MM-DD.log in a different format. Of course nowadays a third time through journald. :)

Thanks,
Evren

________________________________
From: Markus Koschany <a...@debian.org>
Sent: Thursday, April 14, 2022 5:31:49 PM
To: Utkarsh Gupta; Evren Yurtesen
Cc: 1008...@bugs.debian.org
Subject: Re: bug #1008668: tomcat9: logrotated is not able to truncate catalina.out

On Thursday, 14.04.2022 at 16:23 +0530, Utkarsh Gupta wrote:
> Hi Emmanuel,
>
> We have bug #1008668 that's causing problems on the Ubuntu side and is
> also reproducible via the Debian package (essentially, it's the same
> in both places).

Hi Utkarsh,

I have been trying to reproduce this problem, but on an up-to-date Debian system running tomcat9 version 9.0.58-1 I cannot reproduce it. catalina.out is truncated when I run

    logrotate -f /etc/logrotate.d/tomcat9

The logrotate file changes the permissions to "su tomcat adm", which is sufficient to operate on tomcat9 log files. I'm not familiar with the Ubuntu differences when it comes to logrotate and rsyslogd, but I suppose that is the underlying issue here. It would be strange if we had to change the permissions to "syslog adm", because other Debian packages also own log files with their specific users and that does not cause any problems either. That said, I am not against fixing this for Ubuntu, but the current approach seems wrong to me.

Regards,
Markus
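As an added example, not code from this thread or from the Debian tomcat9 package, the following Python script reproduces the decision logrotate reports in the first message above: it parses a logrotate stanza for an `su` directive and applies the parent-directory permission rule as the error message describes it. The permission rule is my reconstruction from the wording of the message (world writable, or group writable by a group other than root), the two stanzas are constructed from the directives the thread names and are not the package's real /etc/logrotate.d/tomcat9, and the adm gid of 4 is a constructed value.

```python
import os
import re
import stat
from dataclasses import dataclass
from typing import Optional, Tuple

ROOT_GID = 0


@dataclass
class RotateSpec:
    """The two pieces of a logrotate stanza this check cares about."""
    log_path: str
    su: Optional[Tuple[str, str]] = None  # (user, group) from a "su user group" line


def parse_logrotate_stanza(text: str) -> RotateSpec:
    """Parse a single '<path> { ... }' stanza. Only the path and an optional
    `su user group` directive are extracted; other directives are ignored."""
    m = re.match(r"\s*(\S+)\s*\{(.*)\}\s*$", text, re.S)
    if not m:
        raise ValueError("expected a single '<path> { ... }' stanza")
    spec = RotateSpec(log_path=m.group(1))
    for line in m.group(2).splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "su":
            spec.su = (parts[1], parts[2])
    return spec


def parent_dir_insecure(dir_mode: int, dir_gid: int) -> bool:
    """Assumed reconstruction of the rule behind logrotate's error message:
    the parent directory is insecure when it is world-writable, or when it is
    group-writable and the owning group is not root (gid 0)."""
    if dir_mode & stat.S_IWOTH:
        return True
    if dir_mode & stat.S_IWGRP and dir_gid != ROOT_GID:
        return True
    return False


def rotation_decision(spec: RotateSpec, dir_mode: int, dir_gid: int) -> str:
    """Decide what logrotate (run as root) would do for this stanza."""
    if spec.su is not None:
        # With `su`, logrotate switches to that user/group for the rotation,
        # so the parent-directory check does not apply.
        return "rotate as %s:%s" % spec.su
    if parent_dir_insecure(dir_mode, dir_gid):
        return 'skip: parent directory has insecure permissions (set "su")'
    return "rotate as root:root"


def check_on_disk(spec: RotateSpec) -> str:
    """Same decision, but reading the real parent directory's mode and gid."""
    st = os.stat(os.path.dirname(spec.log_path))
    return rotation_decision(spec, stat.S_IMODE(st.st_mode), st.st_gid)


# Constructed stanzas modelled on the directives named in the thread; these
# are not the Debian package's actual /etc/logrotate.d/tomcat9.
CURRENT_STANZA = """/var/log/tomcat9/catalina.out {
    copytruncate
    weekly
    rotate 52
    compress
    missingok
    create 640 tomcat adm
    su tomcat adm
}"""

PROPOSED_STANZA = """/var/log/tomcat9/catalina.out {
    copytruncate
    weekly
    rotate 52
    compress
    missingok
}"""

ADM_GID = 4  # gid of the adm group on a typical Debian system (constructed value)


def demo() -> dict:
    """Evaluate both stanzas against a root:adm 0775 log directory, which is
    how the thread describes /var/log/tomcat9."""
    dir_mode, dir_gid = 0o775, ADM_GID
    return {
        "current": rotation_decision(parse_logrotate_stanza(CURRENT_STANZA), dir_mode, dir_gid),
        "proposed": rotation_decision(parse_logrotate_stanza(PROPOSED_STANZA), dir_mode, dir_gid),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

Running it shows the stanza that keeps `su tomcat adm` rotating, while the variant with `su` and `create` dropped is skipped on a root:adm 0775 directory, which is the outcome the first message reports. `check_on_disk` applies the same rule to a real directory, which is a quick way to confirm whether a given log directory needs an `su` line before changing the packaged config.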