Message ID | 20180807131813.14878-1-mchandras@suse.de
---|---
State | Changes Requested
Series | [ovs-dev] rhel: Use openvswitch user in the logrotate configuration file
On Tue, 7 Aug 2018 16:18:13 +0300
Markos Chandras <mchandras@suse.de> wrote:

> The /var/log/openvswitch directory is owned by the openvswitch user
> but logrotate could be running as root or as another user. As a
> result, rpmlint prints the following warning when building the spec
> file on SUSE Linux Enterprise:
>
> openvswitch.x86_64: W: suse-logrotate-user-writable-log-dir /var/log/openvswitch openvswitch:openvswitch 0750
> The log directory is writable by unprivileged users. Please fix the permissions so only root can write there or add the 'su' option to your logrotate config
>
> In order to fix that, we should run the logrotate script as the
> openvswitch user which ensures that the correct user is processing
> the Open vSwitch log files.
>
> Cc: Aaron Conole <aconole@redhat.com>
> Cc: Timothy Redaelli <tredaelli@redhat.com>
> Signed-off-by: Markos Chandras <mchandras@suse.de>

Hi Markos,
I agree with you that running logrotate as root is probably bad.

The problem is that, for backward compatibility, we keep OVS as "root"
user if you upgrade OVS from an old version (older than the non-root
user support).

This means that, with this patch and when you launch OVS as root (after
an upgrade or by commenting the OVS_USER_ID in
/etc/sysconfig/openvswitch), the logs are owned by root:root and so
logrotate, as openvswitch:openvswitch, cannot work correctly.

If it's only to avoid the warning, we could change the spec file in
order to do "chown -R openvswitch:openvswitch /var/log/openvswitch",
when it's an upgrade, in %post, instead of using %attr in the spec
file.

As an alternative we may do something more complex. For example by
generating another file in /var/run/openvswitch that contains the "su"
line (using OVS_USER_ID) and including it from
/etc/logrotate.d/openvswitch (we already use a similar approach to set
--ovs-user ONLY if OVS_USER_ID is not root, in
/var/run/openvswitch/useropts).

Probably there is a better way to do that, but I can't think of
anything else.

Thank you
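The generated-snippet approach Timothy sketches above, as an added example that is not OVS project code: a POSIX sh function that reads OVS_USER_ID from a sysconfig file and prints a logrotate "su" directive only when the configured user is not root, so the root-after-upgrade case (or a commented-out OVS_USER_ID) yields no su line and logrotate keeps running as root. It assumes OVS_USER_ID has the form "user:group" with the group optional; that format, the function names and the demo file contents are assumptions made here, not facts stated on this page.

```shell
#!/bin/sh
# Added example, not Open vSwitch project code.
# Assumption: OVS_USER_ID in the sysconfig file looks like
#   OVS_USER_ID="user:group"   (group optional, defaults to user)

# ovs_logrotate_su_line SYSCONFIG_FILE
#   Prints "su USER GROUP" when OVS_USER_ID names a non-root user.
#   Prints nothing (exit 0) when the variable is unset, commented out,
#   or names root: logrotate should then keep rotating as root, which
#   matches the root-owned logs of an upgraded installation.
#   Exits 1 when the file is unreadable or the names are not plain
#   account names, so a tampered sysconfig cannot inject directives.
ovs_logrotate_su_line() {
    sysconfig=$1
    [ -r "$sysconfig" ] || return 1

    # Take only the last uncommented assignment; grep instead of
    # sourcing, so nothing in the file is executed.
    line=$(grep -E '^[[:space:]]*OVS_USER_ID=' "$sysconfig" | tail -n 1)
    value=${line#*=}
    value=${value#\"}; value=${value%\"}
    value=${value#\'}; value=${value%\'}

    user=${value%%:*}
    group=${value#*:}
    [ "$group" = "$value" ] && group=$user    # no ':' -> group = user

    case "$user" in
        ""|root) return 0 ;;
    esac

    # Only characters that can appear in an account name; anything
    # else (spaces, ';', newlines) would reach the logrotate parser.
    case "$user$group" in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac

    printf 'su %s %s\n' "$user" "$group"
}

# Demo with constructed sysconfig contents written to a temp file.
ovs_demo() {
    tmp=$(mktemp) || return 1
    printf 'OVS_USER_ID="openvswitch:hugetlbfs"\n' > "$tmp"
    ovs_logrotate_su_line "$tmp"          # non-root: su line is emitted
    printf '# OVS_USER_ID="openvswitch:openvswitch"\n' > "$tmp"
    ovs_logrotate_su_line "$tmp"          # commented out: nothing
    printf 'OVS_USER_ID="root:root"\n' > "$tmp"
    ovs_logrotate_su_line "$tmp"          # root: nothing
    rm -f "$tmp"
}

ovs_demo
```

One caveat for wiring this into the real config: logrotate does not accept "include" inside a log file definition, so a snippet generated this way has to be included before the /var/log/openvswitch/*.log stanza, where a "su" directive set at that level applies to the definitions that follow it, rather than inside the braces.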
Hi Timothy,

On 08/07/2018 09:01 PM, Timothy Redaelli wrote:
>
> Hi Markos,
> I agree with you that running logrotate as root is probably bad.
>
> The problem is that, for backward compatibility, we keep OVS as "root"
> user if you upgrade OVS from an old version (older than the non-root
> user support).

Good point about the backwards compatibility. I will submit a v2
diff --git a/rhel/etc_logrotate.d_openvswitch b/rhel/etc_logrotate.d_openvswitch index ed7d733c9..eaf1fd5bf 100644 --- a/rhel/etc_logrotate.d_openvswitch +++ b/rhel/etc_logrotate.d_openvswitch @@ -6,6 +6,7 @@ # without warranty of any kind. /var/log/openvswitch/*.log { + su openvswitch openvswitch daily compress sharedscripts
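Review bot: the added "su openvswitch openvswitch" line in the /var/log/openvswitch/*.log stanza is unconditional, but as the reply in this thread points out, OVS still runs as root after an upgrade from a release without non-root support or when OVS_USER_ID is commented out in /etc/sysconfig/openvswitch, and the logs are then root:root while logrotate switches to openvswitch:openvswitch for this stanza. Consider deriving the user and group from OVS_USER_ID at runtime (a generated snippet, as is already done for --ovs-user via /var/run/openvswitch/useropts) and emitting no su line when OVS_USER_ID is root. Note also that logrotate runs the scripts that "sharedscripts" here refers to under the su user as well, so any postrotate commands in this file must work as openvswitch rather than root.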
The /var/log/openvswitch directory is owned by the openvswitch user
but logrotate could be running as root or as another user. As a
result, rpmlint prints the following warning when building the spec
file on SUSE Linux Enterprise:

openvswitch.x86_64: W: suse-logrotate-user-writable-log-dir /var/log/openvswitch openvswitch:openvswitch 0750
The log directory is writable by unprivileged users. Please fix the permissions so only root can write there or add the 'su' option to your logrotate config

In order to fix that, we should run the logrotate script as the
openvswitch user which ensures that the correct user is processing
the Open vSwitch log files.

Cc: Aaron Conole <aconole@redhat.com>
Cc: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Markos Chandras <mchandras@suse.de>
---
 rhel/etc_logrotate.d_openvswitch | 1 +
 1 file changed, 1 insertion(+)