I found one more packaging issue that becomes visible once the log directory
permissions are corrected.

After changing `/var/log/jetty9` to the permissions required for rsyslog
(`0770 jetty:adm`), the package's current logrotate configuration no longer
works.

Running:

```
sudo logrotate -f /etc/logrotate.d/jetty9
```

fails with:

```
error: skipping "/var/log/jetty9/jetty-console.log" because parent directory
has insecure permissions (It's world writable or writable by group which is
not "root") Set "su" directive in config file to tell logrotate which
user/group should be used for rotation.
```

This is expected behaviour of logrotate. When the parent directory is
writable by a non-root group, logrotate refuses to operate unless an
explicit `su` directive is configured.

After adding:

```
su jetty adm
```

to the logrotate configuration, rotation succeeds normally.

Combined with the previously reported issue regarding:

```
create 640 jetty adm
```

(which should be `create 660 jetty adm` so that rsyslog can continue writing
after rotation), the package's logrotate configuration also requires the
appropriate `su` directive.

In other words, if the package is fixed by making `/var/log/jetty9` writable
by the `adm` group (which is necessary for rsyslog), the logrotate
configuration must be updated accordingly as well. Otherwise log rotation
will fail with the "parent directory has insecure permissions" error.

On Sat, 4 Jul 2026 20:32:44 +0300 <[email protected]> wrote: 
> I have found an additional packaging issue related to the permissions used

> for the Jetty log directory and log rotation. 
> 
> ### 1. `/var/log/jetty9` should be owned by `jetty:adm` with mode `0770` 
> 
> Even if the ownership problem caused by `LogsDirectory=` is addressed, the

> directory permissions themselves are still insufficient for the intended 
> logging design. 
> 
> `rsyslog` runs as: 
> 
> ``` 
> User: syslog 
> Group: syslog 
> Supplementary groups: adm 
> ``` 
> 
> Therefore it does not need to become the owner of `/var/log/jetty9`, but
it 
> **does** require write permission through the `adm` group in order to
create 
> new log files. 
> 
> With the current packaging, the directory eventually becomes owned by 
> `jetty:jetty` with mode `0750`, which completely prevents `rsyslog` from 
> creating `jetty-console.log`. 
> 
> Even if the ownership is corrected back to `jetty:adm`, mode `0750` still 
> leaves the group without write permission. 
> 
> For the logging configuration installed by the package to work correctly, 
> the directory needs to be writable by members of the `adm` group. In 
> practice this means ownership `jetty:adm` together with mode `0770`. 
> 
> ### 2. The logrotate configuration recreates the file with insufficient 
> permissions 
> 
> There is another independent issue in the package's logrotate
configuration. 
> 
> The installed configuration currently contains: 
> 
> ``` 
> create 640 jetty adm 
> ``` 
> 
> After every rotation, logrotate recreates `jetty-console.log` as: 
> 
> ``` 
> -rw-r----- 
> jetty:adm 
> ``` 
> 
> At this point `rsyslog` is no longer the file owner, and accesses the file

> through its supplementary `adm` group membership. 
> 
> However, mode `0640` grants the group only read permission, so `rsyslog`
can 
> no longer append new log messages after the file has been recreated. 
> 
> Changing the directory permissions alone is therefore not sufficient to
fix 
> the problem. 
> 
> The recreated log file also needs to remain writable by the `adm` group. 

Reply via email to