How to Fix Logrotate Complaining About Insecure Permissions on the Parent Directory on CentOS/RHEL Linux Systems


In this post I will solve an annoying error that appeared when I enabled logrotate for one of my apps on a CentOS 7 Linux system. On CentOS/RHEL 7, the permissions on the parent directory of your log files decide whether logrotate is willing to process those logs at all: it refuses to rotate files that live in a directory writable by anyone other than the user and group it rotates as, because a writable directory would let that other party swap or replace the files logrotate is about to handle as root.

If the directory's permissions allow writes by a group that isn't root (or by everyone), you may see the following error when logrotate runs:

# /usr/sbin/logrotate /etc/logrotate.conf
error: skipping "/home/mimastech.com/log/cron.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/home/mimastech.com/log/development.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

Here’s my logrotate configuration file that caused this error:

# cat /etc/logrotate.d/mimastech.com

# Log Rotation for mimastech Applications 
/home/mimastech.com/log/*.log {
 weekly
 missingok
 rotate 8 
 compress
 dateext
 delaycompress
 notifempty
 copytruncate
}

To resolve this problem and have logrotate work properly again, add the su $user $group directive to the block. With it, logrotate switches its effective user and group IDs to that user and group while it rotates the files in that block (it does not run su - or start a login shell), and its permission check then accepts a parent directory that is group-writable by that group. Pick the account that owns the log directory and writes the logs; with copytruncate that user also needs write access to the log files themselves, since truncating a file requires it.

# cat /etc/logrotate.d/mimastech.com

# Log Rotation for mimastech Applications 
/home/mimastech.com/log/*.log {
 weekly
 missingok
 rotate 8 
 compress
 dateext
 delaycompress
 notifempty
 copytruncate
 su mimastech mimastech
}

Adding su mimastech mimastech, which takes a user and a group exactly like the create directive, lets logrotate process logs in a parent directory whose group (here mimastech) has write permission even though that group is not root. A world-writable directory is rejected whether or not su is set, so fix that with chmod o-w rather than with su. And if the application really writes its logs as root, the better fix is to tighten the directory instead (chmod g-w, or chgrp root), which makes the su line unnecessary.

Now re-run logrotate to test the new configuration. A successful run prints nothing, so also check the exit status, which should be 0. (Before the real run you can add the -d flag, which prints what logrotate would do, including any remaining permission errors, without touching any files.)

# /usr/sbin/logrotate /etc/logrotate.conf
# echo $?
0
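The shell script below is an added example, not code from the original post and not logrotate's own code. It models the parent-directory test behind the error message quoted above, so you can predict which log directories logrotate will skip and whether a given su user group line would satisfy it before editing /etc/logrotate.d. The model is my reading of the message's wording (world-writable, or group-writable by a group other than the one rotation runs as, which is root unless su is set); the function names insecure_dir and check_parent_dir are mine, and the wrapper assumes GNU stat as shipped on CentOS/RHEL.

```sh
#!/bin/sh
# Added example: not code from the original post and not logrotate's own code.
# It models the parent-directory test behind the error
#   "parent directory has insecure permissions (It's world writable or
#    writable by group which is not "root")"
# so you can predict which log directories logrotate will skip and whether a
# "su user group" line would satisfy it.
#
# Assumption (mine, taken from the wording of that message): a directory is
# rejected when it is world-writable, or when it is group-writable and its
# group is not the group logrotate rotates as (root, gid 0, unless the block
# sets "su"). The authoritative check is inside logrotate and can differ
# between versions, so confirm on the host with "logrotate -d".

# digit_has_write OCTAL_DIGIT: returns 0 if the digit has the write bit (2) set
digit_has_write() {
    case $1 in 2|3|6|7) return 0 ;; esac
    return 1
}

# insecure_dir MODE DIR_GID ROTATE_GID
#   MODE is the permission string as printed by "stat -c %a" (775, 2775, ...),
#   DIR_GID the directory's numeric group, ROTATE_GID the numeric group the
#   rotation runs as. Returns 0 when logrotate would skip logs in this
#   directory and 1 when it would rotate them.
insecure_dir() {
    mode=$1 dir_gid=$2 rotate_gid=$3
    # normalise to exactly three octal digits: a fourth, leading digit is the
    # setuid/setgid/sticky bit and plays no part in the check
    while [ ${#mode} -gt 3 ]; do mode=${mode#?}; done
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done
    other=${mode#??}                     # last digit: everyone else
    group=${mode%?}; group=${group#?}    # middle digit: the directory's group
    digit_has_write "$other" && return 0                                 # world writable
    digit_has_write "$group" && [ "$dir_gid" -ne "$rotate_gid" ] && return 0
    return 1
}

# check_parent_dir LOGFILE ROTATE_GID
#   Examines the directory containing LOGFILE with GNU stat (the coreutils on
#   CentOS/RHEL), prints a verdict and returns like insecure_dir; returns 2 if
#   the directory cannot be examined.
check_parent_dir() {
    dir=$(dirname "$1")
    info=$(stat -c '%a %g %G' "$dir" 2>/dev/null) || return 2
    set -- $info "$2"    # now $1=mode $2=gid $3=group name $4=rotation gid
    if insecure_dir "$1" "$2" "$4"; then
        echo "SKIP   $dir (mode $1, group $3): writable beyond rotation gid $4"
        return 0
    fi
    echo "ROTATE $dir (mode $1, group $3) with rotation gid $4"
    return 1
}

# Demonstration on a scratch directory (run as an ordinary user): mode 775 with
# a non-root group is skipped under the default root rotation and accepted once
# "su" names that group, like /home/mimastech.com/log in the post; mode 777 is
# skipped either way.
scratch=$(mktemp -d) && mkdir "$scratch/log" && chmod 775 "$scratch/log"
check_parent_dir "$scratch/log/cron.log" 0           # no su line: rotation gid root
check_parent_dir "$scratch/log/cron.log" "$(id -g)"  # su <user> <my group>
chmod 777 "$scratch/log"
check_parent_dir "$scratch/log/cron.log" "$(id -g)"  # world writable
[ -n "$scratch" ] && rm -rf "$scratch"
```

To apply it to the post's case, run check_parent_dir /home/mimastech.com/log/cron.log 0 for the original block and then with the numeric gid of mimastech (id -g mimastech) for the block with the su line; a SKIP verdict under the second call means the directory is world-writable or owned by yet another group, which su cannot fix.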
I hope this article is good enough for you.
See you in other articles.
