Bug#1008668: tomcat9: logrotated is not able to truncate catalina.out. Please see LP: #1964881
Evren Yurtesen
Severity: normal
Tags: patch
User: ubuntu...@lists.ubuntu.com
Usertags: origin-ubuntu jammy ubuntu-patch
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
Installed tomcat9 package
* What exactly did you do (or not do) that was effective (or
ineffective)?
logrotate -f /etc/logrotate.d/tomcat9
* What was the outcome of this action?
catalina.out was copied to catalina.out.1 but catalina.out was not truncated.
* What outcome did you expect instead?
after copying contents of catalina.out, it should have been truncated.
*** End of the template - remove these template lines ***
*** /tmp/tmprta9fb7b/bug_body
In Ubuntu, the attached patch was applied to achieve the following:
The patch causes rsyslogd to write the file as syslog:adm and logrotated to rotate the file as syslog.
Without the patch, logrotated is not able to rotate file owned by syslog which is created by rsyslogd
* Fix logrotated not able to truncate cataline.out (LP: #1964881)
Thanks for considering the patch.
-- System Information:
Debian Release: bookworm/sid
APT prefers jammy
APT policy: (500, 'jammy')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.15.0-23-generic (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Thorsten Glaser
> The submitter has provided a debdiff, too:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=1008668;filename=tomcat9_9.0.58-1ubuntu1.debdiff;msg=5.
This will break other syslog implementations, though.
What is the problem with logrotate? It happily rotates files
owned by anyone in Debian.
bye,
//mirabilos
--
Infrastrukturexperte • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephon +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
****************************************************
/⁀\ The UTF-8 Ribbon
╲ ╱ Campaign against Mit dem tarent-Newsletter nichts mehr verpassen:
╳ HTML eMail! Also, https://www.tarent.de/newsletter
╱ ╲ header encryption!
****************************************************
Markus Koschany
> Hi Emmanuel,
>
> We have bug #1008668 that's causing problems on the Ubuntu side and is
> also reproducible via the Debian package (essentially, it's the same
> in both places).
Hi Utkarsh,
I have been trying to reproduce this problem but on an up-to-date Debian system
running tomcat9 version 9.0.58-1 I cannot reproduce it. catalina.out is
truncated when I run
logrotate -f /etc/logrotate.d/tomcat9
The logrotate file changes the permissions to "su tomcat adm" which is
sufficient to operate on tomcat9 log files. I'm not familiar with the Ubuntu
differences when it comes to logrotate and rsyslogd but I suppose that is the
underlying issue here. It would be strange if we had to change the permissions
to syslog adm because other Debian packages also own log files with their
specific users and then does not cause any problems too.
Thus said I am not against fixing this for Ubuntu but the current approach
seems wrong to me.
Regards,
Markus
Evren Yurtesen
Hi Markus,
You are quite right. The root cause of the issue is Ubuntu dropping privileges of rsyslogd to `syslog` user. This change was done way back in ~2009 in Ubuntu package.
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/388608 (which does not explain the benefits very clearly, but my assumption is an attempt
at improving security).
As you put it adequately. There are other Debian packages also use rsyslogd. This change in Ubuntu's rsyslog configuration should be effecting those also. I had a quick look using apt-file for packages which put configurations to
/etc/rsyslog.d. The ones I checked does not seem to specify a certain user/group in rsyslog config. This cause files to be owned as root:adm and 640 permission in Debian which is the default according to `/etc/rsyslog.conf` and in
Ubuntu they would be owned by Ubuntu's default settings automatically as well.
Could it be more acceptable if the 'fileOwner="tomcat"' setting was simply removed from rsyslog config of tomcat9? In addition, 'create 640 tomcat adm' and ' su tomcat adm' settings could be removed from logrotate config of tomcat9?
One advantage for Debian is that `tomcat` itself can't read the log files anymore. This could be considered more secure. But not that it would help much, as tomcat9 package triple-logs everything. First through syslog to catalina.out, then directly to catalina.YYYY-MM-DD.log in a different format. Of course nowadays a third time through journald. :)
Thanks,
Evren
Sent: Thursday, April 14, 2022 5:31:49 PM
To: Utkarsh Gupta; Evren Yurtesen
Cc: 100...@bugs.debian.org
Subject: Re: bug #1008668: tomcat9: logrotated is not able to truncate catalina.out
Evren Yurtesen
Nevermind my previous idea. It does not work as the /var/log/tomcat9 is group writable by `adm` group. Causes the following problem: :(
error: skipping "/var/log/tomcat9/catalina.out" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
Sent: Thursday, April 14, 2022 10:39:58 PM
To: Markus Koschany; Utkarsh Gupta
Evren Yurtesen
I am not sure if anybody received my previous e-mails as I do not see them in the mailing list thread. :(
> What is the problem with logrotate? It happily rotates files owned by anyone in Debian.
One solution would be undoing https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/388608 at Ubuntu. But I do not know how to reach to correct people at Ubuntu side. I also do not think I could convince them that this is creating problems.
It is really sad to see that a simple problem related to a single file's permissions can take so long to resolve. Any help you can provide is welcome.
Thanks,
Evren
Timo Aaltonen
> One solution would be undoing https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/388608 at Ubuntu. But I do not know how to reach to correct people at Ubuntu side. I also do not think I could convince them that this is creating problems.
--
t
Thorsten Glaser
> > What is the problem with logrotate? It happily rotates files owned
> > by anyone in Debian.
>
> Because in Ubuntu rsyslog drops privileges to `syslog` user.
> Therefore, the log files generated by rsyslog are owned by the
> `syslog` user. But tomcat9 logrotate configuration forces logrotate to
> become `tomcat` user, during rotation. Rsyslog fails to truncate the
> catalina.out file which has read/write permissions only for `syslog`
> user.
they’re directly written by Java or via shell redirections.
Anyway, this is chiefly a *buntu issue and the proposed fix would
worsen the situation in Debian, so please try to get this solved
on the *buntu side.
Evren Yurtesen
Hi Markus,
Please ignore my previous message about logrotate. It was my mistake that it did not work.
Would it be an acceptable solution if the fileOwner setting is removed from /etc/rsyslog.d/tomcat9.conf and su setting is removed from /etc/logrotate.d/tomcat9 file which are shipped with tomcat9 package?
This is the way rsyslog/logrotate configuration is done for some other packages that I checked.
Thanks,
Evren
Sent: Wednesday, April 20, 2022 12:18:57 PM