Howto Fix/Solve Logrotate Complains About Insecure Permissions on Parent Directory on CentOS/RHEL Linux Systems
In this post, I'll solve an annoying error that appeared when I enabled logrotate for one of my apps running on a CentOS 7 Linux system. By default on CentOS/RHEL 7, the permissions on the parent directory of your logs play a vital role in whether or not logrotate will be willing to process them.
If the parent directory is world-writable, or writable by a group that isn't root, you may see the following error when logrotate tries to run:
# /usr/sbin/logrotate /etc/logrotate.conf
error: skipping "/home/mimastech.com/log/cron.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/home/mimastech.com/log/development.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
Here’s my logrotate configuration file that caused this error:
# cat /etc/logrotate.d/mimastech.com
# Log Rotation for mimastech Applications
/home/mimastech.com/log/*.log {
weekly
missingok
rotate 8
compress
dateext
delaycompress
notifempty
copytruncate
}
To resolve this problem and have logrotate work properly again, add the su $user $group directive to the configuration. This causes logrotate to switch to that user and group and execute all rotation actions for these logs as that user.
# cat /etc/logrotate.d/mimastech.com
# Log Rotation for mimastech Applications
/home/mimastech.com/log/*.log {
weekly
missingok
rotate 8
compress
dateext
delaycompress
notifempty
copytruncate
su mimastech mimastech
}
By adding su mimastech mimastech as in the example above, the same as the create config, logrotate can again process logs whose parent directories have group permissions that allow groups other than root to write to them.
Now re-run the logrotate command to test your new configuration. It shows no output, and we also checked the exit status of the command as follows:
# /usr/sbin/logrotate /etc/logrotate.conf
# echo $?
0
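To find out ahead of time which log paths will hit this error, the condition named in the message (parent directory world-writable, or group-writable by a group other than root) can be checked directly. The script below is an added example, not part of the original post or of logrotate; the function names are hypothetical and it assumes GNU stat as shipped on CentOS/RHEL.

```shell
#!/bin/sh
# Added example: pre-check for logrotate's "insecure permissions" error.
# Assumes GNU stat (stat -c). Function names are illustrative only.

# mode_is_insecure MODE GID
# MODE is octal as printed by `stat -c %a`; GID is the numeric owning group.
# Returns 0 when the mode is world-writable, or group-writable while the
# group is not root (gid 0): the two cases the error message names.
mode_is_insecure() {
    perm=$((0$1))
    if [ $((perm & 0002)) -ne 0 ]; then return 0; fi
    if [ $((perm & 0020)) -ne 0 ] && [ "$2" -ne 0 ]; then return 0; fi
    return 1
}

# parent_dir_insecure LOGFILE
# Applies the check to the directory that holds LOGFILE.
# Returns 0 = flagged, 1 = passes, 2 = directory could not be read.
parent_dir_insecure() {
    dir=$(dirname -- "$1")
    info=$(stat -c '%a %g' -- "$dir") || return 2
    mode_is_insecure "${info% *}" "${info#* }"
}

# report LOGFILE...
# Prints one line per log file. For flagged paths it shows the directory's
# owner and group as a candidate for the su directive (an assumption:
# use the account that really owns the application's logs).
report() {
    for f in "$@"; do
        parent_dir_insecure "$f" && rc=0 || rc=$?
        d=$(dirname -- "$f")
        case $rc in
            0) echo "$f: $d is flagged; candidate: su $(stat -c '%U %G' -- "$d")" ;;
            1) echo "$f: parent directory passes the check" ;;
            *) echo "$f: cannot read parent directory $d" ;;
        esac
    done
}

report "$@"
```

Run it with the log paths from your logrotate configuration as arguments, for example /home/mimastech.com/log/cron.log.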
See you in other articles.