I found one more packaging issue that becomes visible once the log directory permissions are corrected.
After changing `/var/log/jetty9` to the permissions required for rsyslog (`0770 jetty:adm`), the package's current logrotate configuration no longer works. Running: ``` sudo logrotate -f /etc/logrotate.d/jetty9 ``` fails with: ``` error: skipping "/var/log/jetty9/jetty-console.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation. ``` This is expected behaviour of logrotate. When the parent directory is writable by a non-root group, logrotate refuses to operate unless an explicit `su` directive is configured. After adding: ``` su jetty adm ``` to the logrotate configuration, rotation succeeds normally. Combined with the previously reported issue regarding: ``` create 640 jetty adm ``` (which should be `create 660 jetty adm` so that rsyslog can continue writing after rotation), the package's logrotate configuration also requires the appropriate `su` directive. In other words, if the package is fixed by making `/var/log/jetty9` writable by the `adm` group (which is necessary for rsyslog), the logrotate configuration must be updated accordingly as well. Otherwise log rotation will fail with the "parent directory has insecure permissions" error. On Sat, 4 Jul 2026 20:32:44 +0300 <[email protected]> wrote: > I have found an additional packaging issue related to the permissions used > for the Jetty log directory and log rotation. > > ### 1. `/var/log/jetty9` should be owned by `jetty:adm` with mode `0770` > > Even if the ownership problem caused by `LogsDirectory=` is addressed, the > directory permissions themselves are still insufficient for the intended > logging design. > > `rsyslog` runs as: > > ``` > User: syslog > Group: syslog > Supplementary groups: adm > ``` > > Therefore it does not need to become the owner of `/var/log/jetty9`, but it > **does** require write permission through the `adm` group in order to create > new log files. > > With the current packaging, the directory eventually becomes owned by > `jetty:jetty` with mode `0750`, which completely prevents `rsyslog` from > creating `jetty-console.log`. > > Even if the ownership is corrected back to `jetty:adm`, mode `0750` still > leaves the group without write permission. > > For the logging configuration installed by the package to work correctly, > the directory needs to be writable by members of the `adm` group. In > practice this means ownership `jetty:adm` together with mode `0770`. > > ### 2. The logrotate configuration recreates the file with insufficient > permissions > > There is another independent issue in the package's logrotate configuration. > > The installed configuration currently contains: > > ``` > create 640 jetty adm > ``` > > After every rotation, logrotate recreates `jetty-console.log` as: > > ``` > -rw-r----- > jetty:adm > ``` > > At this point `rsyslog` is no longer the file owner, and accesses the file > through its supplementary `adm` group membership. > > However, mode `0640` grants the group only read permission, so `rsyslog` can > no longer append new log messages after the file has been recreated. > > Changing the directory permissions alone is therefore not sufficient to fix > the problem. > > The recreated log file also needs to remain writable by the `adm` group.

