I'm writing my own logrotate configuration for some web application:
/home/me/public_html/logs/*.log {
daily
missingok
rotate 15
compress
delaycompress
notifempty
create 0660 me www-data
nosharedscripts
}
But running logrotate for these files results in:
$ sudo logrotate -d -v *.log
Ignoring logfile1.log because of bad file mode.
Ignoring logfile2.log because of bad file mode.
Ignoring otherlogfile.log because of bad file mode.
Handling 0 logs
$ ls -l
-rw-rw---- 1 me www-data 893584 Jan 27 16:01 logfile1.log
-rw-rw---- 1 me www-data 395011 Jan 27 16:01 logfile2.log
-rw-rw---- 1 me www-data 4949115 Jan 27 16:01 otherlogfile.log
Is this related to the file permissions of the actual logfiles in the directory of to the permissions specified with create 0660 me www-data?
If I change the filepermissions to -rw-r----- and the create line to
create 0640 me www-data
I get
$ sudo logrotate -d -v *.log
Ignoring logfile1.log because the file owner is wrong (should be root).
Ignoring logfile2.log because the file owner is wrong (should be root).
Ignoring otherlogfile.log because the file owner is wrong (should be root).
Handling 0 logs
My system is a debian testing/jessie.
Ok, stupid situation. The logrotate command has to be executed on the configuration file instead of the log file.
$ sudo logrotate -d -v /etc/logrotate.d/my-app
It seems to be important that the parent directory of the logfile is not world writable (------rw-) and not writable by any non root group (---rw----). Otherwise, you will see:
error: skipping "/home/me/public_html/logs/logfile1.log" because parent
directory has insecure permissions (It's world writable or writable by
group which is not "root") Set "su" directive in config file to tell
logrotate which user/group should be used for rotation.
Related
I am trying to configure an user account using one cloud-init yaml file that include a call to write_files module, like this:
write_files:
#passwd file for vncserver
- path: /home/ubuntu/.vnc/passwd
owner: ubuntu:ubuntu
permissions: '0600'
defer: true
encoding: b64
content: bmtzZGN1eQo=
The file is created as expected, but the problem is that the parent directory is owned by root, and not by ubuntu user.
$ ls -la .vnc/
total 12
drwxr-xr-x 2 root root 4096 Dec 20 16:24 .
drwxr-x--- 5 ubuntu ubuntu 4096 Dec 20 16:24 ..
-rw------- 1 ubuntu ubuntu 8 Dec 20 16:24 passwd
I tried to manually create the /home/ubuntu/.vnc/ directory prior to create the passwd file to be able to set the ownership of the directory, just to find that documentation of write_files does not explain how to create (empty) directories.
I know that I could do this using runcmd module to insert a command like this:
runcmd:
- mkdir --mode 0600 --parents /home/ubuntu/.vnc
- echo bmtzZGN1eQo | base64 -d > /home/ubuntu/.vnc/passwd
- chmod 0600 /home/ubuntu/.vnc/passwd
but this seems to be too complex to do such small task.
It is possible to use write_files module to create directories or change ownership/permission of existing directories?
I'm trying to copy a CSV file into a table by running a simple \copy command in Postgres;
postgres-# \copy solved_at FROM '/Users/funnychef/Downloads/export.csv' DELIMITER AS ',';
Every time I run the command I receive the Permission Denied error:
/Users/funnychef/Downloads/export.csv: Permission denied
The permissions on the file are wide open;
$ ls -ltr ~/Downloads/expor.csv
-rwxrwxrwx 1 funnychef staff 145524 Jul 8 22:15 /Users/funnychef/Downloads/export.csv
I assumed that the issue was related to the _postgres user not having access to the file so I made that user the owner of the file but still receive the error.
$ ls -ltr ~/Downloads/expor.csv
-rwxrwxrwx 1 _postgres staff 145524 Jul 8 22:15 /Users/funnychef/Downloads/export.csv
What am I missing?
Copy your file to /tmp directory and read the csv. The normal settings for /tmp are 1777, which ls shows as drwxrwxrwt
I have a simple script that is unzipping a file to a mounted Windows share. It is normally launched as a Postfix alias when a new email arrives, but even when I run it as root I get a permission denied error.
The script is doing this:
if ( </tmp/*.zip> ){
unzip '</tmp/*.zip>' => '</mnt/win/#1.txt>'
or die "unzip failed: $UnzipError\n";
}
As root I can copy files to /mnt/win without a problem, but when this script is launched by Postfix it fails with permission denied.
/etc/fstab looks like:
//srvr1/tmp /mnt/win cifs credentials=/root/.smbcredentials,iocharset=iso8859-1,sec=ntlm 0 0
ls -ld looks like:
drwxr-xr-x 2 root root 196608 Jul 15 17:24 /mnt/win
Files produced by the script are nobody/nogroup, but I'm not sure how I change the permissions of /mnt/win to allow nobody/nogroup to read/write.
cmhod -R ugo+RW /mnt/win
Also gives permission denied. Is there a way to change permissions in /etc/fstab to allow nobody/nogroup?
You need to use this command to change the permissions of folder & files inside it.
sudo chmod -R R+X /mnt/win
If you want to change the user of the file as well which is nobody/nogroup rightnow, you can use this commands :
sudo chown -R username.username /mnt/win/
Here you can choose any user's name e.g. mine is mukesh
sudo chown -R mueksh.mukesh /mnt/win/
i'm on CentOS 6.5 now,
installed mod_evasive some time ago but email notify and logging never worked...
into messages log i have many lines like this...
mod_evasive[4548]: Couldn't open logfile /var/log/httpd/evasive/dos-157.xxx.xxx.xxx: Permission denied
on CentOS I thought that the owner of the directory /var/log/httpd/evasive should be "apache" and that is with 755..
no way...
then, mailx is already installed and updated... someone says to see into mod_evasive20.c but i can't find this mod_evasive20.c file on my CentOS... where can be? is it possible to send with sendmail instead of mailx? thanks
On CentOS /var/log/httpd has permission 700 and is owned by root, so you need to move /var/log/httpd/evasive to /var/log/evasive and do:
chown 0:apache /var/log/evasive
chmod 770 /var/log/evasive
If you use SELinux:
semanage fcontext --add -t httpd_sys_rw_content_t "/var/log/evasive(/.*)?"
restorecon -r /var/log/evasive
And add this line to /etc/httpd/conf.d/mod_evasive.conf:
DOSLogDir /var/log/evasive
Ok, you're facing two problems, first file permission to mod_evasive logdir and second the mail command isn't found.
1) file permission to "DOSLogDir"
You must ensure the apache's user has execute and write permissions through the whole directory tree to target "DOSLogDir".
See this example from an ubuntu system
root#ubuntu:/var/log# ll
drwxr-xr-x 3 root adm 4096 Mar 10 14:06 apache2/
root#ubuntu:/var/log# ll apache2
drwxrwxr-x 2 root www-data 4096 Mar 10 14:25 mod_evasive/
root#ubuntu:/var/log# ll apache2/mod_evasive/
-rw-r--r-- 1 www-data www-data 5 Mar 10 14:25 dos-172.16.245.1
-rw-r--r-- 1 www-data www-data 5 Mar 10 14:19 dos-172.16.245.129
2) access mail binary
The mail binary is defined in mod_evasive20.c indeed, row 45 :
#define MAILER "/bin/mail %s"
Try to get a symlink on mailx to be used by mod_evasive
ln -s $(which mailx) /bin/mail
understood,
for whom have the same problem hope this helps...
if mod_evasive is not able to write on the dir it doesn't even send the email
so commented out the DOSLogDir and so it writes to tmp...
don't know if can use another directory but for the moment problem is solved
I had faced the same issue while creating new project into the centos7.
ErrorLog /var/log/httd/mydomain_error.log
CustomLog /var/log/httpd/mydomain_access.log
Solution:
You need to disable the SELinux and Your issue will be resolved.
FOr that you need to follow the following steps.
1) Check the SELinux Status
sestatus
OutPut will be like this
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
2) Disable SELinux
You can temporarily change the SELinux mode from targeted to permissive with the following command:
sudo setenforce 0
You can see more here : https://linuxize.com/post/how-to-disable-selinux-on-centos-7/
I have a small script that executes fine from my home folder but when moved to a different folder on different partition (EXT4)
$ ls -lah ./build.sh
-rwxrwxr-x 1 olmec(me) olmec(me) 510 Oct 31 20:00 ./build.sh
$ ./build.sh
bash: ./build.sh: Permission denied
I have tried chmod 777 build.sh but no difference.
The script is in folder /media/data/source
Data drive partition is mounted in FStab as
UUID=affd0ac6-f3da-4f88-ac22-65d94dc5da8c /media/data ext4 user,user 0 0
Resolved by modifying FStab mount command
UUID=affd0ac6-f3da-4f88-ac22-65d94dc5da8c media/data ext4 auto,users,exec 0 0
Most probably it's on a volume which was mounted with the noexec option, I'd check that. If that's not the case, you can still try to find out from strace bash yourscript's output.