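It has been a while since logrotate on my Raspberry Pi started spitting out errors. At first it was only a few lines a day, but it has finally grown to more than 10 lines of errors…
Error details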
/etc/cron.daily/logrotate:
error: skipping "/var/log/aptitude" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/dpkg.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/alternatives.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/syslog" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/mail.info" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/mail.warn" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/mail.err" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/mail.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/daemon.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/kern.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/auth.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/user.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/lpr.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/cron.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/debug" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/messages" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/wtmp" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/var/log/btmp" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
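Something about the log file permissions being wrong. When I checked the permissions of the files in /var/log, the fact that the log files are owned not by root but by users called adm and utmp looked suspicious (the highlighted parts).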
# ls -la /var/log
合計 120
drwxrwxrwt 11 root root 560 11月 9 06:25 .
drwxr-xr-x 16 root root 4096 5月 15 2013 ..
drwxr-xr-x 2 root root 60 11月 9 07:34 ConsoleKit
drwxr-x--- 2 root adm 120 11月 9 00:31 apache2
drwxr-xr-x 2 root root 40 11月 9 00:31 apt
-rw-r----- 1 root adm 6088 11月 9 07:40 auth.log
-rw-r--r-- 1 root utmp 0 11月 9 00:31 btmp
-rw-r----- 1 root adm 4062 11月 9 07:34 daemon.log
-rw-r----- 1 root adm 1009 11月 9 00:31 debug
-rw-r--r-- 1 root adm 12079 11月 9 00:31 dmesg
drwxr-xr-x 2 root root 40 11月 9 00:31 fsck
-rw-r----- 1 root adm 19003 11月 9 00:31 kern.log
-rw-r--r-- 1 root utmp 292292 11月 9 07:34 lastlog
-rw-r----- 1 root adm 0 11月 9 00:31 lpr.log
-rw-r----- 1 root adm 0 11月 9 00:31 mail.err
-rw-r----- 1 root adm 108 11月 9 00:31 mail.info
-rw-r----- 1 root adm 108 11月 9 00:31 mail.log
-rw-r----- 1 root adm 0 11月 9 00:31 mail.warn
-rw-r----- 1 root adm 18987 11月 9 06:25 messages
drwxr-xr-x 2 root adm 40 11月 9 00:31 mrtg
drwxr-xr-x 2 root root 100 11月 9 00:31 news
drwxr-xr-x 2 ntp ntp 40 11月 9 00:31 ntpstats
drwxr-xr-x 3 root adm 100 11月 9 00:31 samba
drwxr-xr-x 2 proxy proxy 40 11月 9 00:31 squid3
-rw-r----- 1 root adm 731 11月 9 07:34 syslog
-rw-r----- 1 root adm 23984 11月 9 00:31 syslog.1
-rw-r----- 1 root adm 0 11月 9 00:31 user.log
-rw-r--r-- 1 root utmp 6912 11月 9 07:34 wtmp
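The error text names the parent directory rather than the log files, and the listing above shows /var/log itself (the "." entry) as drwxrwxrwt. The following shell sketch is an added example, not part of the original post: it applies the condition quoted in the message (world writable, or group writable with a group other than root) to a directory's mode and group. The function names are made up for this example, and GNU stat (stat -c) is assumed.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes GNU stat (stat -c).

# mode_is_insecure OCTAL_MODE GID
# True (0) when the pair matches the condition quoted in the error message:
# world writable, or writable by a group that is not root (gid 0).
mode_is_insecure() {
    mode=$((0$1))                       # read the digits as octal
    gid=$2
    [ $(( $mode & 2 )) -ne 0 ] && return 0                       # o+w
    [ $(( $mode & 16 )) -ne 0 ] && [ "$gid" -ne 0 ] && return 0  # g+w, non-root group
    return 1
}

# parent_is_insecure LOGFILE
# Applies the check to the directory containing LOGFILE.
parent_is_insecure() {
    dir=$(dirname -- "$1")
    # %a = permission bits in octal, %g = numeric group id
    out=$(stat -c '%a %g' -- "$dir") || return 2
    set -- $out
    mode_is_insecure "$1" "$2"
}

# Constructed demonstration: scratch directories stand in for /var/log.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/sticky" "$tmp/plain"
    chmod 1777 "$tmp/sticky"   # drwxrwxrwt, like /var/log in the listing
    chmod 0755 "$tmp/plain"    # drwxr-xr-x
    for d in sticky plain; do
        if parent_is_insecure "$tmp/$d/syslog"; then
            echo "$d: matches the 'insecure permissions' condition"
        else
            echo "$d: does not match"
        fi
    done
    rm -rf "$tmp"
}
demo
```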
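Fixing the error
From what I could find by searching Google, adding a setting to the logrotate configuration files that changes the user and group used at run time should be enough, so I modified the configuration files as follows.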
/etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
# packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
    missingok
    monthly
    create 0664 root utmp
    su root utmp
    rotate 1
}
/var/log/btmp {
    missingok
    monthly
    create 0660 root utmp
    su root utmp
    rotate 1
}
# system-specific logs may be configured here
/etc/logrotate.d/apache2
/var/log/apache2/*.log {
    weekly
    missingok
    rotate 52
    compress
    delaycompress
    notifempty
    create 640 root adm
    su root adm
    sharedscripts
    postrotate
        /etc/init.d/apache2 reload > /dev/null
    endscript
    prerotate
        if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
            run-parts /etc/logrotate.d/httpd-prerotate; \
        fi; \
    endscript
}
/etc/logrotate.d/aptitude
/var/log/aptitude {
    rotate 6
    monthly
    compress
    missingok
    notifempty
    su root adm
}
/etc/logrotate.d/dpkg
/var/log/dpkg.log {
    monthly
    rotate 12
    compress
    delaycompress
    missingok
    notifempty
    create 644 root root
    su root utmp
}
/var/log/alternatives.log {
    monthly
    rotate 12
    compress
    delaycompress
    missingok
    notifempty
    create 644 root root
    su root utmp
}
/etc/logrotate.d/rsyslog
/var/log/syslog
{
    rotate 7
    daily
    missingok
    notifempty
    delaycompress
    compress
    su root adm
    postrotate
        invoke-rc.d rsyslog rotate > /dev/null
    endscript
}
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
    rotate 4
    weekly
    missingok
    notifempty
    compress
    delaycompress
    su root adm
    sharedscripts
    postrotate
        invoke-rc.d rsyslog rotate > /dev/null
    endscript
}
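With this configuration the errors no longer appear, but I don't know whether this is really the right thing to do.
The explanation in the logrotate man page is: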
LOGROTATE(8) System Administrator's Manual LOGROTATE(8)
NAME
logrotate ‐ rotates, compresses, and mails system logs
SYNOPSIS
logrotate [-dv] [-f|--force] [-s|--state file] config_file ..
(... omitted ...)
su user group
Rotate log files set under this user and group instead of using
default user/group (usually root). user specifies the user name
used for rotation and group specifies the group used for rota‐
tion. If the user/group you specify here does not have suffi‐
cient privilege to make files with the ownership you've speci‐
fied in a create instruction, it will cause an error.