
"insecure permissions" error from logrotate cron task #713

Closed
jpkorva opened this issue Feb 18, 2016 · 8 comments · Fixed by #779
Labels
area/packaging, bug (unexpected problem or unintended behavior)

Comments

jpkorva commented Feb 18, 2016

On Centos 7, the following error appears when using telegraf 0.10.2:

From: Anacron [mailto:root@example.com]
To: root@example.com
Subject: Anacron job 'cron.daily' on example.com

/etc/cron.daily/logrotate:

error: skipping "/var/log/telegraf/telegraf.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

"chmod 755 /var/log/telegraf" fixes the issue.

sparrc (Contributor) commented Feb 18, 2016

sounds like maybe we need to set the user here in the config file: https://github.com/influxdata/telegraf/blob/master/etc/logrotate.d/telegraf
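The error in the first post and the `su` suggestion above both come down to one rule logrotate applies before touching a log: it refuses the file when the parent directory is world-writable, or group-writable while its group is anything other than root. The script below is an added example (not logrotate's code and not part of the telegraf project) that reimplements that rule so a packager can check a log directory the same way; it assumes GNU `stat -c`, and the printed logrotate stanza is an assumed shape, not the project's actual /etc/logrotate.d/telegraf.

```shell
#!/bin/sh
# Reimplementation (assumption: mirrors the rule quoted in the logrotate error
# message) of logrotate's parent-directory check. Not logrotate's own code.

# dir_is_insecure MODE GROUP -> prints "insecure" or "ok"
#   MODE  is the octal permission string printed by `stat -c %a` (775, 2775, ...)
#   GROUP is the owning group name printed by `stat -c %G`
dir_is_insecure() {
    mode=$1
    group=$2
    # keep only the three rwx digits; drops a leading setuid/setgid/sticky digit
    perm=${mode#"${mode%???}"}
    grp_digit=${perm%?}; grp_digit=${grp_digit#?}
    oth_digit=${perm#??}
    if [ $((oth_digit & 2)) -ne 0 ]; then
        echo insecure          # world writable: always rejected
    elif [ $((grp_digit & 2)) -ne 0 ] && [ "$group" != root ]; then
        echo insecure          # group writable and the group is not root
    else
        echo ok
    fi
}

# check_log_dir PATH -> runs the same check against a real directory (GNU stat)
check_log_dir() {
    set -- "$(stat -c '%a %G' "$1")"
    dir_is_insecure "${1%% *}" "${1#* }"
}

# Prints a logrotate stanza using the `su` directive, which tells logrotate to
# rotate as this user/group instead of refusing. The stanza body is assumed;
# only the `su user group` directive syntax is real logrotate syntax.
suggested_logrotate_stanza() {
    printf '%s\n' '/var/log/telegraf/telegraf.log {' \
        '    su telegraf telegraf' \
        '    daily' \
        '    rotate 6' \
        '    missingok' \
        '    compress' \
        '}'
}

# The two layouts seen in the thread: the RPM's drwxrwxr-x telegraf:telegraf is
# rejected, the .deb's drwxr-xr-x telegraf:telegraf is accepted.
dir_is_insecure 775 telegraf   # insecure
dir_is_insecure 755 telegraf   # ok  (what "chmod g-w" / "chmod 755" produces)
```

Either remedy from the thread satisfies the check: drop the group-write bit on the directory, or add the `su` directive so logrotate runs as the owning user and group.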

sparrc (Contributor) commented Feb 18, 2016

are you running the telegraf service as root?

jpkorva (Author) commented Feb 19, 2016

It is running as user telegraf. Basically my setup is "yum install http://get.influxdb.org/telegraf/telegraf-0.10.3-1.x86_64.rpm" + modified telegraf.conf + "systemctl start telegraf".

Btw, /var/log/telegraf permissions got reset again when I upgraded to 0.10.3. Is there actually any need to have the directory group writable, i.e. would it be simplest to do "chmod g-w"?

sparrc added the area/packaging and bug labels Feb 19, 2016

sparrc (Contributor) commented Feb 19, 2016

hm, no it really doesn't, this looks like a permissions issue with the rpm package:

[root@localhost vagrant]# ll /var/log | grep telegraf
drwxrwxr-x  2 telegraf telegraf      6 Feb 19 00:15 telegraf
[root@localhost vagrant]# ll /etc | grep telegraf
drwxr-xr-x   3 root root     43 Feb 19 17:59 telegraf

sparrc (Contributor) commented Feb 19, 2016

same thing with .deb:

root@vagrant-ubuntu-vivid-64:~# ll /var/log | grep telegraf
drwxr-xr-x  2 telegraf  telegraf   4096 Feb 19 00:15 telegraf/
root@vagrant-ubuntu-vivid-64:~# ll /etc | grep telegraf
drwxr-xr-x  3 root root    4096 Feb 19 00:22 telegraf/

cc @rossmcdonald is /var/log/telegraf supposed to be owned by telegraf:telegraf?

sparrc (Contributor) commented Feb 19, 2016

FWIW, in general the practice seems rather inconsistent:

# ll /var/log
total 456
drwxrwxr-x 12 root      syslog     4096 Feb 19 18:21 ./
drwxr-xr-x 13 root      root       4096 Feb 19 00:21 ../
-rw-r--r--  1 root      root       5031 Feb 19 18:21 alternatives.log
drwxr-xr-x  2 root      root       4096 Sep 17 12:11 apt/
-rw-r-----  1 syslog    adm       18747 Feb 19 18:21 auth.log
-rw-r--r--  1 root      root        327 Feb 19 00:21 boot.log
-rw-------  1 root      utmp          0 Sep 17 07:23 btmp
drwxr-xr-x  2 root      root       4096 Feb 19 00:21 chef/
-rw-r--r--  1 syslog    adm       74225 Feb 19 00:21 cloud-init.log
-rw-r--r--  1 root      root       6323 Feb 19 00:21 cloud-init-output.log
drwxr-xr-x  2 root      root       4096 Sep  1 02:46 dist-upgrade/
-rw-r--r--  1 root      root      98921 Feb 19 18:21 dpkg.log
drwxr-xr-x  2 root      root       4096 Sep 17 07:21 fsck/
drwxr-xr-x  2 influxdb  influxdb   4096 Feb 19 08:02 influxdb/
-rw-r-----  1 syslog    adm       47289 Feb 19 18:21 kern.log
drwxr-xr-x  2 landscape root       4096 Feb 19 00:21 landscape/
-rw-rw-r--  1 root      utmp     292584 Feb 19 18:21 lastlog
drwxr-x---  2 mysql     adm        4096 Feb 19 18:21 mysql/
drwxr-x---  2 puppet    puppet     4096 Mar 31  2015 puppet/
-rw-r-----  1 syslog    adm      119009 Feb 19 18:21 syslog
drwxr-xr-x  2 telegraf  telegraf   4096 Feb 19 00:15 telegraf/
drwxr-x---  2 root      adm        4096 Jun 22  2015 unattended-upgrades/
-rw-rw-r--  1 root      utmp       3456 Feb 19 18:13 wtmp
  1. chef is root:root
  2. puppet is puppet:puppet
  3. landscape is landscape:root
  4. mysql is mysql:adm

rossmcdonald (Contributor) commented
@sparrc Yes, the owner/group are set in the post-install script here. It can be changed if needed, though that's how InfluxDB and Kapacitor have it set as well.

I'm not sure why the RPM has /var/log/telegraf as group writable, though... I can see if there's a bug in the packaging script or maybe FPM.

sparrc (Contributor) commented Feb 19, 2016

oh right, I didn't notice that

sparrc pushed a commit that referenced this issue Mar 3, 2016
geodimm pushed a commit to miketonks/telegraf that referenced this issue Mar 10, 2016