Re: [ovs-dev] [PATCH] rhel: Use openvswitch user in the logrotate configuration file

2018-08-08 Thread Markos Chandras
Hi Timothy,

On 08/07/2018 09:01 PM, Timothy Redaelli wrote:
> 
> Hi Markos,
> I agree with you that running logrotate as root is probably bad.
> 
> The problem is that, for backward compatibility, we keep OVS as "root"
> user if you upgrade OVS from an old version (older than the non-root
> user support).

Good point about the backwards compatibility. I will submit a v2

-- 
markos

SUSE LINUX GmbH | GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg) Maxfeldstr. 5, D-90409, Nürnberg
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev


Re: [ovs-dev] [PATCH] rhel: Use openvswitch user in the logrotate configuration file

2018-08-07 Thread Timothy Redaelli
On Tue,  7 Aug 2018 16:18:13 +0300
Markos Chandras  wrote:

> The /var/log/openvswitch directory is owned by the openvswitch user
> but logrotate could be running as root or as another user. As a
> result, rpmlint prints the following warning when building
> the spec file on SUSE Linux Enterprise:
> 
> openvswitch.x86_64: W:
> suse-logrotate-user-writable-log-dir /var/log/openvswitch
> openvswitch:openvswitch 0750 The log directory is writable by
> unprivileged users. Please fix the permissions so only root can write
> there or add the 'su' option to your logrotate config
> 
> In order to fix that, we should run the logrotate script as the
> openvswitch user which ensures that the correct user is processing
> the Open vSwitch log files.
> 
> Cc: Aaron Conole 
> Cc: Timothy Redaelli 
> Signed-off-by: Markos Chandras 

Hi Markos,
I agree with you that running logrotate as root is probably bad.

The problem is that, for backward compatibility, we keep OVS as "root"
user if you upgrade OVS from an old version (older than the non-root
user support).

This means that, with this patch and when you launch OVS as root
(after an upgrade or by commenting the OVS_USER_ID
in /etc/sysconfig/openvswitch), the logs are owned by root:root and
so logrotate, as openvswitch:openvswitch, cannot work correctly.

If it's only to avoid the warning, we could change the spec file in
order to do "chown -R openvswitch:openvswitch /var/log/openvswitch",
when it's an upgrade, in %post, instead of using %attr in the spec file.

As an alternative, we may do something more complex, for example by
generating another file in /var/run/openvswitch that contains the "su"
line (using OVS_USER_ID) and including it from
/etc/logrotate.d/openvswitch (we already use a similar approach to
set --ovs-user ONLY if OVS_USER_ID is not root, in
/var/run/openvswitch/useropts).

Probably there is a better way to do that, but I can't think of
anything else.

Thank you
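The second alternative above (a fragment in /var/run/openvswitch carrying the "su" line, derived from OVS_USER_ID and pulled in from /etc/logrotate.d/openvswitch) can be sketched in a few lines of POSIX sh. This is an added example, not Open vSwitch project code; the script name, the fragment path /var/run/openvswitch/logrotate-su, the USER:GROUP (or bare USER) format of OVS_USER_ID, and the rule that an empty or root user means "emit no su line" are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not Open vSwitch project code: derive the logrotate "su"
# directive from OVS_USER_ID so that rotation runs as whatever user actually
# owns /var/log/openvswitch, instead of hard-coding openvswitch:openvswitch.
#
# Assumptions (hypothetical, mirroring the useropts idea from the thread):
#  - OVS_USER_ID is set in a sysconfig file as USER:GROUP (or just USER);
#  - an unset/empty value or a "root" user means OVS runs as root, so no
#    "su" line is emitted and logrotate keeps running as root;
#  - the resulting fragment is pulled into /etc/logrotate.d/openvswitch with
#    a top-level "include" directive.

# Print "su USER GROUP" for the given sysconfig file, or nothing when OVS
# runs as root or the file cannot be read.
ovs_logrotate_su_line() {
    sysconfig=$1
    user_id=

    # Parse only the OVS_USER_ID assignment rather than sourcing the file:
    # sourcing would execute anything else the file happens to contain.
    if [ -r "$sysconfig" ]; then
        user_id=$(sed -n \
            "s/^OVS_USER_ID=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*\$/\1/p" \
            "$sysconfig" | tail -n 1)
    fi

    user=${user_id%%:*}
    group=${user_id#*:}

    # Root (or no configured user): logs are root-owned, so no "su" needed.
    case "$user" in
        ""|root) return 0 ;;
    esac

    # "USER" without a group: assume the group is named like the user.
    if [ "$group" = "$user_id" ]; then
        group=$user
    fi

    printf 'su %s %s\n' "$user" "$group"
}

# Write the fragment atomically so logrotate never sees a half-written file.
ovs_write_logrotate_fragment() {
    sysconfig=$1
    fragment=$2
    ovs_logrotate_su_line "$sysconfig" > "$fragment.tmp" &&
        mv -f "$fragment.tmp" "$fragment"
}

# Usage (from a start-up script, before logrotate runs):
#   ovs-logrotate-su.sh /etc/sysconfig/openvswitch /var/run/openvswitch/logrotate-su
# and in /etc/logrotate.d/openvswitch, above the log definition:
#   include /var/run/openvswitch/logrotate-su
if [ $# -eq 2 ]; then
    ovs_write_logrotate_fragment "$1" "$2"
fi
```

Two caveats when wiring this up: logrotate rejects include inside a log-file definition, so the fragment has to be read at the top of /etc/logrotate.d/openvswitch, where its su becomes a default for every definition read after it (including later files under /etc/logrotate.d); if that is not acceptable, generate the whole openvswitch stanza into the fragment rather than only the su line. And the fragment must be regenerated on every start so that commenting out OVS_USER_ID, or an upgrade that keeps OVS running as root, also drops the su line; otherwise the configuration diverges from the real owner of the log files in exactly the way the thread describes.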


[ovs-dev] [PATCH] rhel: Use openvswitch user in the logrotate configuration file

2018-08-07 Thread Markos Chandras
The /var/log/openvswitch directory is owned by the openvswitch user but
logrotate could be running as root or as another user. As a result,
rpmlint prints the following warning when building the spec file
on SUSE Linux Enterprise:

openvswitch.x86_64: W: suse-logrotate-user-writable-log-dir 
/var/log/openvswitch openvswitch:openvswitch 0750
The log directory is writable by unprivileged users. Please fix the
permissions so only root can write there or add the 'su' option
to your logrotate config

In order to fix that, we should run the logrotate script as the
openvswitch user which ensures that the correct user is processing
the Open vSwitch log files.

Cc: Aaron Conole 
Cc: Timothy Redaelli 
Signed-off-by: Markos Chandras 
---
 rhel/etc_logrotate.d_openvswitch | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rhel/etc_logrotate.d_openvswitch b/rhel/etc_logrotate.d_openvswitch
index ed7d733c9..eaf1fd5bf 100644
--- a/rhel/etc_logrotate.d_openvswitch
+++ b/rhel/etc_logrotate.d_openvswitch
@@ -6,6 +6,7 @@
 # without warranty of any kind.
 
 /var/log/openvswitch/*.log {
+su openvswitch openvswitch
 daily
 compress
 sharedscripts
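Review bot: The added `su openvswitch openvswitch` directive is unconditional, so on a host where OVS still runs as root (an upgrade from a release before non-root support, or OVS_USER_ID commented out in /etc/sysconfig/openvswitch) the files under /var/log/openvswitch are root:root and logrotate, now dropping to openvswitch, cannot rotate them; rotation stops for exactly the deployments that kept the old ownership. Derive the user from OVS_USER_ID instead, for example by emitting the `su` line into a fragment at start-up only when the configured user is not root (the same pattern as /var/run/openvswitch/useropts), or by chowning the log directory to openvswitch:openvswitch in %post on upgrade as proposed in this thread, so that the directive and the real log ownership cannot diverge.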
-- 
2.16.4
