Bug#1008668: bug #1008668: tomcat9: logrotated is not able to truncate catalina.out

Evren Yurtesen Evren.Yurtesen at abo.fi
Tue May 10 08:50:24 BST 2022 

Hi Markus,


Please ignore my previous message about logrotate. It was my mistake that it did not work.


Would it be an acceptable solution if the fileOwner setting is removed from /etc/rsyslog.d/tomcat9.conf and su setting is removed from /etc/logrotate.d/tomcat9 file which are shipped with tomcat9 package?


This is the way rsyslog/logrotate configuration is done for some other packages that I checked.


Thanks,

Evren

________________________________
From: Evren Yurtesen
Sent: Wednesday, April 20, 2022 12:18:57 PM
To: Markus Koschany; Utkarsh Gupta
Cc: 1008668 at bugs.debian.org
Subject: Re: bug #1008668: tomcat9: logrotated is not able to truncate catalina.out


Nevermind my previous idea. It does not work as the /var/log/tomcat9 is group writable by `adm` group. Causes the following problem: :(


# logrotate -f /etc/logrotate.d/tomcat9
error: skipping "/var/log/tomcat9/catalina.out" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.


________________________________
From: Evren Yurtesen
Sent: Thursday, April 14, 2022 10:39:58 PM
To: Markus Koschany; Utkarsh Gupta
Cc: 1008668 at bugs.debian.org
Subject: Re: bug #1008668: tomcat9: logrotated is not able to truncate catalina.out


Hi Markus,


You are quite right. The root cause of the issue is Ubuntu dropping privileges of rsyslogd to `syslog` user. This change was done way back in ~2009 in Ubuntu package.


https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/388608 (which does not explain the benefits very clearly, but my assumption is an attempt at improving security).


As you put it adequately. There are other Debian packages also use rsyslogd. This change in Ubuntu's rsyslog configuration should be effecting those also. I had a quick look using apt-file for packages which put configurations to /etc/rsyslog.d. The ones I checked does not seem to specify a certain user/group in rsyslog config.  This cause files to be owned as root:adm and 640 permission in Debian which is the default according to `/etc/rsyslog.conf` and in Ubuntu they would be owned by Ubuntu's default settings automatically as well.


Could it be more acceptable if the 'fileOwner="tomcat"' setting was simply removed from rsyslog config of tomcat9? In addition,  'create 640 tomcat adm' and ' su tomcat adm' settings could be removed from logrotate config of tomcat9?


One advantage for Debian is that `tomcat` itself can't read the log files anymore. This could be considered more secure. But not that it would help much, as tomcat9 package triple-logs everything. First through syslog to catalina.out, then directly to catalina.YYYY-MM-DD.log in a different format. Of course nowadays a third time through journald. :)


Thanks,
Evren

________________________________
From: Markus Koschany <apo at debian.org>
Sent: Thursday, April 14, 2022 5:31:49 PM
To: Utkarsh Gupta; Evren Yurtesen
Cc: 1008668 at bugs.debian.org
Subject: Re: bug #1008668: tomcat9: logrotated is not able to truncate catalina.out

Am Donnerstag, dem 14.04.2022 um 16:23 +0530 schrieb Utkarsh Gupta:
> Hi Emmanuel,
>
> We have bug #1008668 that's causing problems on the Ubuntu side and is
> also reproducible via the Debian package (essentially, it's the same
> in both places).

Hi Utkarsh,

I have been trying to reproduce this problem but on an up-to-date Debian system
running tomcat9 version 9.0.58-1 I cannot reproduce it. catalina.out is
truncated when I run

        logrotate -f /etc/logrotate.d/tomcat9

The logrotate file changes the permissions to "su tomcat adm" which is
sufficient to operate on tomcat9 log files. I'm not familiar with the Ubuntu
differences when it comes to logrotate and rsyslogd but I suppose that is the
underlying issue here. It would be strange if we had to change the permissions
to syslog adm because other Debian packages also own log files with their
specific users and then does not cause any problems too.

Thus said I am not against fixing this for Ubuntu but the current approach
seems wrong to me.

Regards,

Markus


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-maintainers/attachments/20220510/02d2fc82/attachment-0001.htm>

More information about the pkg-java-maintainers mailing list