logrotate 的权限问题
Problems with permissions for logrotate
我正在为某些 Web 应用程序编写自己的 logrotate 配置:
/home/me/public_html/logs/*.log {
daily
missingok
rotate 15
compress
delaycompress
notifempty
create 0660 me www-data
nosharedscripts
}
但是 运行 这些文件的 logrotate 导致:
$ sudo logrotate -d -v *.log
Ignoring logfile1.log because of bad file mode.
Ignoring logfile2.log because of bad file mode.
Ignoring otherlogfile.log because of bad file mode.
Handling 0 logs
$ ls -l
-rw-rw---- 1 me www-data 893584 Jan 27 16:01 logfile1.log
-rw-rw---- 1 me www-data 395011 Jan 27 16:01 logfile2.log
-rw-rw---- 1 me www-data 4949115 Jan 27 16:01 otherlogfile.log
这与create 0660 me www-data指定的权限目录中的实际日志文件的文件权限有关吗?
如果我将文件权限更改为 -rw-r----- 并将 create 行更改为
create 0640 me www-data
我明白了
$ sudo logrotate -d -v *.log
Ignoring logfile1.log because the file owner is wrong (should be root).
Ignoring logfile2.log because the file owner is wrong (should be root).
Ignoring otherlogfile.log because the file owner is wrong (should be root).
Handling 0 logs
我的系统是 debian testing/jessie。
好吧,愚蠢的情况。必须在配置文件而不是日志文件上执行 logrotate 命令。
$ sudo logrotate -d -v /etc/logrotate.d/my-app
日志文件的父目录不是全局可写的 (------rw-) 并且任何非 root 组 (---rw----) 都不可写,这似乎很重要。否则,您将看到:
error: skipping "/home/me/public_html/logs/logfile1.log" because parent
directory has insecure permissions (It's world writable or writable by
group which is not "root") Set "su" directive in config file to tell
logrotate which user/group should be used for rotation.
我正在为某些 Web 应用程序编写自己的 logrotate 配置:
/home/me/public_html/logs/*.log {
daily
missingok
rotate 15
compress
delaycompress
notifempty
create 0660 me www-data
nosharedscripts
}
但是 运行 这些文件的 logrotate 导致:
$ sudo logrotate -d -v *.log
Ignoring logfile1.log because of bad file mode.
Ignoring logfile2.log because of bad file mode.
Ignoring otherlogfile.log because of bad file mode.
Handling 0 logs
$ ls -l
-rw-rw---- 1 me www-data 893584 Jan 27 16:01 logfile1.log
-rw-rw---- 1 me www-data 395011 Jan 27 16:01 logfile2.log
-rw-rw---- 1 me www-data 4949115 Jan 27 16:01 otherlogfile.log
这与create 0660 me www-data指定的权限目录中的实际日志文件的文件权限有关吗?
如果我将文件权限更改为 -rw-r----- 并将 create 行更改为
create 0640 me www-data
我明白了
$ sudo logrotate -d -v *.log
Ignoring logfile1.log because the file owner is wrong (should be root).
Ignoring logfile2.log because the file owner is wrong (should be root).
Ignoring otherlogfile.log because the file owner is wrong (should be root).
Handling 0 logs
我的系统是 debian testing/jessie。
好吧,愚蠢的情况。必须在配置文件而不是日志文件上执行 logrotate 命令。
$ sudo logrotate -d -v /etc/logrotate.d/my-app
日志文件的父目录不是全局可写的 (------rw-) 并且任何非 root 组 (---rw----) 都不可写,这似乎很重要。否则,您将看到:
error: skipping "/home/me/public_html/logs/logfile1.log" because parent
directory has insecure permissions (It's world writable or writable by
group which is not "root") Set "su" directive in config file to tell
logrotate which user/group should be used for rotation.