Bug#399930: exim4: logrotation race condition with exim writing to logs

CaT cat at zip.com.au
Wed Nov 22 23:18:41 CET 2006


Package: exim4
Version: 4.50-8sarge2
Severity: normal


Yesterday exim died with the following error in the panic log:

2006-11-22 06:25:23 +1100 Cannot open main log file "/var/log/exim4/mainlog": Permission denied: euid=102 egid=102

This was a fairly busy server so by the time I managed to get to it 20k
messages got backed up. Having thought about it though the only way I
could see the above happening would be due to a race condition in
logrotate between logrotate's create option fulfilling its duties and
exim trying to deliver/accept an email. I think it would've gone a
little like this:

logrotate rotates the logs
logrotate creates a new log file due to the create option
exim attempts to log to the new logfile
exim fails to log as logfile is owned root.adm (no write permissions)
exim panics and bails
logrotate chowns logfile to Debian-exim.adm
logrotate chmods logfile 640

It was a slim chance but I cannot think of what else might have
happened. The obvious fix, as far as I can see, was to replace the create
option with nocreate. It's not necessary as exim will automatically
attempt to create the logfile if it's missing and since the log dir is
owned by Debian-exim and exim has write permissions it'll succeed. The dir
is also group sticky so the new file will automatically get group-owned
to adm. About the only thing that'll be lacking, I think, is the group
read permission but that's better than no mail server IMO.

If I'm wrong then I'm lost as to an explanation for what happened.

This was with a custom build of 4.62-1, btw, though I have checked and
the logrotation is the same for the standard sarge build.

-- Package-specific info:
Exim version 4.50 #1 built 11-Apr-2006 12:29:22
Copyright (c) University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52: (December  3, 2003)
Support for: iconv() IPv6 GnuTLS
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configuration file is /var/lib/exim4/config.autogenerated

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.16.29
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages exim4 depends on:
ii  exim4-base                  4.50-8sarge2 support files for all exim MTA (v4
ii  exim4-daemon-light          4.50-8sarge2 lightweight exim MTA (v4) daemon

-- no debconf information
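
Added example (not part of the original report, and not logrotate or exim code): a small Python model of the sequence hypothesised above, which tries exim's log write at every point between logrotate's steps and reports where it would get "Permission denied", for the create and nocreate variants. Assumptions: the freshly created file starts as root:adm with mode 0600, exim creates a missing log with mode 0600, and exim's process is not in group adm.

```python
# Constructed model of the hypothesised race; file state is (owner, group, mode)
# or None when the log file does not exist.
EXIM_USER, EXIM_GROUP = "Debian-exim", "Debian-exim"
LOGDIR_GROUP = "adm"                      # log dir is setgid, new files get group adm
BEFORE_ROTATION = ("Debian-exim", "adm", 0o640)

def can_write(f, user, group):
    """Classic Unix check: only the first matching class (owner/group/other) applies."""
    owner, fgroup, mode = f
    if user == owner:
        return bool(mode & 0o200)
    if group == fgroup:
        return bool(mode & 0o020)
    return bool(mode & 0o002)

def exim_log(f):
    """Exim opens mainlog for append, creating it if missing. Returns (file, ok)."""
    if f is None:
        # Directory is owned and writable by Debian-exim, so creation succeeds.
        return (EXIM_USER, LOGDIR_GROUP, 0o600), True   # mode is an assumption
    return f, can_write(f, EXIM_USER, EXIM_GROUP)

# logrotate's steps as state transitions, in the order given in the report.
STEPS = {
    "rotate": lambda f: None,                        # old log renamed away
    "create": lambda f: ("root", "adm", 0o600),      # assumed initial owner/mode
    "chown":  lambda f: ("Debian-exim", f[1], f[2]),
    "chmod":  lambda f: (f[0], f[1], 0o640),
}
CREATE = ["rotate", "create", "chown", "chmod"]      # logrotate "create" option
NOCREATE = ["rotate"]                                # logrotate "nocreate" option

def failing_windows(steps):
    """Try one exim write at each point in the sequence; list where it fails."""
    failures = []
    for pos in range(len(steps) + 1):
        f = BEFORE_ROTATION
        for name in steps[:pos]:                     # steps completed before exim writes
            f = STEPS[name](f)
        _, ok = exim_log(f)
        if not ok:
            failures.append("after " + steps[pos - 1] if pos else "before rotate")
    return failures

if __name__ == "__main__":
    print("create:  ", failing_windows(CREATE))
    print("nocreate:", failing_windows(NOCREATE))
```

The model allows a single exim write per run and ignores logrotate's postrotate actions; it only locates the window, it does not estimate how likely the window is to be hit.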



