Bug#1008668: bug #1008668: tomcat9: logrotated is not able to truncate catalina.out

2022-05-10 Thread Evren Yurtesen
Hi Markus,


Please ignore my previous message about logrotate. It was my mistake that it 
did not work.


Would it be an acceptable solution if the fileOwner setting were removed from 
/etc/rsyslog.d/tomcat9.conf and the su setting were removed from the 
/etc/logrotate.d/tomcat9 file, both of which are shipped with the tomcat9 package?


This is the way rsyslog/logrotate configuration is done for some other packages 
that I checked.


Thanks,

Evren


From: Evren Yurtesen
Sent: Wednesday, April 20, 2022 12:18:57 PM
To: Markus Koschany; Utkarsh Gupta
Cc: 1008...@bugs.debian.org
Subject: Re: bug #1008668: tomcat9: logrotated is not able to truncate catalina.out


Never mind my previous idea. It does not work, as /var/log/tomcat9 is group 
writable by the `adm` group. This causes the following problem: :(


# logrotate -f /etc/logrotate.d/tomcat9
error: skipping "/var/log/tomcat9/catalina.out" because parent directory has 
insecure permissions (It's world writable or writable by group which is not 
"root") Set "su" directive in config file to tell logrotate which user/group 
should be used for rotation.





__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
 Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#1008668: bug #1008668: tomcat9: logrotated is not able to truncate catalina.out

2022-04-29 Thread Thorsten Glaser
On Fri, 29 Apr 2022, Evren Yurtesen wrote:

> >  What is the problem with logrotate? It happily rotates files owned
> >  by anyone in Debian.
> 
> Because in Ubuntu rsyslog drops privileges to `syslog` user.
> Therefore, the log files generated by rsyslog are owned by the
> `syslog` user. But tomcat9 logrotate configuration forces logrotate to
> become `tomcat` user, during rotation. Rsyslog fails to truncate the
> catalina.out file which has read/write permissions only for `syslog`
> user.

The logfiles from tomcat aren’t normally generated by rsyslog though,
they’re directly written by Java or via shell redirections.

Anyway, this is chiefly a *buntu issue and the proposed fix would
worsen the situation in Debian, so please try to get this solved
on the *buntu side.

bye,
//mirabilos
-- 
Infrastructure expert • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephone +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg






Bug#1008668: bug #1008668: tomcat9: logrotated is not able to truncate catalina.out

2022-04-29 Thread Timo Aaltonen

Evren Yurtesen wrote on 29.4.2022 at 8.42:

> One solution would be undoing 
> https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/388608 at Ubuntu. But I 
> do not know how to reach the correct people on the Ubuntu side. I also do not think 
> I could convince them that this is creating problems.


try ubuntu-ser...@lists.ubuntu.com, or -devel-discuss


--
t



Bug#1008668: bug #1008668: tomcat9: logrotated is not able to truncate catalina.out

2022-04-28 Thread Evren Yurtesen
Hi,

I am not sure if anybody received my previous e-mails as I do not see them in 
the mailing list thread. :(

>  What is the problem with logrotate? It happily rotates files owned by anyone 
> in Debian.

Because in Ubuntu rsyslog drops privileges to the `syslog` user. Therefore, the log 
files generated by rsyslog are owned by the `syslog` user. But the tomcat9 
logrotate configuration forces logrotate to become the `tomcat` user during 
rotation. Rsyslog fails to truncate the catalina.out file, which has read/write 
permissions only for the `syslog` user.

One solution would be undoing 
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/388608 at Ubuntu. But I 
do not know how to reach the correct people on the Ubuntu side. I also do not think 
I could convince them that this is creating problems.

It is really sad to see that a simple problem related to a single file's 
permissions can take so long to resolve. Any help you can provide is welcome. 

Thanks,
Evren
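As an added example (not code from the tomcat9 package, the debdiff, or anyone in this thread), here is a small Python preflight check that models the two failures discussed above: the `su tomcat adm` / `create 640 tomcat adm` rotation identity that cannot truncate a catalina.out owned by `syslog`, and the "insecure permissions" refusal that appears once `su` is dropped while /var/log/tomcat9 stays group-writable by `adm`. Only the `create` and `su` lines come from the thread; the uid/gid numbers, the rest of the logrotate snippet and the `copytruncate` directive are assumptions. The permission model is the plain owner/group/other bits and ignores ACLs, supplementary groups and capabilities.

```python
"""Preflight audit for the rotation-identity problem in Debian bug #1008668.

Added example, not code from the tomcat9 package.  It parses the logrotate
directives argued about in the thread ('su', 'create', 'copytruncate') and
checks, with a simplified Unix permission model (owner/group/other bits only),
whether logrotate running as the configured identity could rotate catalina.out
for a given ownership of the file and of its parent directory.
"""
import re
import stat
from dataclasses import dataclass

# Constructed uid/gid map; the real numbers depend on the host.
UIDS = {"root": 0, "syslog": 104, "tomcat": 998}
GIDS = {"root": 0, "adm": 4, "syslog": 104, "tomcat": 998}

# Constructed snippet built around the two directives the thread quotes; the
# other lines are assumptions, not the package's actual /etc/logrotate.d/tomcat9.
TOMCAT9_LOGROTATE = """\
/var/log/tomcat9/catalina.out {
    copytruncate
    weekly
    rotate 4
    compress
    missingok
    create 640 tomcat adm
    su tomcat adm
}
"""

# The variant proposed in the thread: 'create' and 'su' dropped.
NO_SU_LOGROTATE = "\n".join(
    line for line in TOMCAT9_LOGROTATE.splitlines()
    if not line.strip().startswith(("create ", "su "))
)


@dataclass
class Inode:
    """Ownership and permission bits of one file or directory."""
    uid: int
    gid: int
    mode: int


def parse_logrotate(text):
    """Pick out the directives that decide the rotation identity."""
    cfg = {"su": None, "create": None, "copytruncate": False}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.fullmatch(r"su\s+(\S+)\s+(\S+)", line)
        if m:
            cfg["su"] = (m.group(1), m.group(2))
        m = re.fullmatch(r"create(?:\s+([0-7]{3,4}))?(?:\s+(\S+)\s+(\S+))?", line)
        if m:
            cfg["create"] = (m.group(1), m.group(2), m.group(3))
        if line == "copytruncate":
            cfg["copytruncate"] = True
    return cfg


def may_write(node, uid, gid):
    """Owner/group/other write check for identity (uid, gid); root always may."""
    if uid == 0:
        return True
    if uid == node.uid:
        return bool(node.mode & stat.S_IWUSR)
    if gid == node.gid:
        return bool(node.mode & stat.S_IWGRP)
    return bool(node.mode & stat.S_IWOTH)


def parent_insecure(parent):
    """The refusal rule behind the error quoted in the thread: without 'su',
    a parent directory that is world-writable, or writable by a group other
    than root, makes logrotate skip the file."""
    world = bool(parent.mode & stat.S_IWOTH)
    group = bool(parent.mode & stat.S_IWGRP) and parent.gid != 0
    return world or group


def audit(config_text, logfile, parent):
    """Return the list of problems rotation would hit (empty means OK)."""
    cfg = parse_logrotate(config_text)
    if cfg["su"] is None:
        if parent_insecure(parent):
            return ["insecure-parent-directory"]
        uid, gid = 0, 0                      # logrotate stays root
    else:
        uid, gid = UIDS[cfg["su"][0]], GIDS[cfg["su"][1]]
    findings = []
    if not may_write(parent, uid, gid):      # rename/copy needs dir write
        findings.append("cannot-write-parent-directory")
    if cfg["copytruncate"] and not may_write(logfile, uid, gid):
        findings.append("cannot-truncate-logfile")   # the bug's symptom
    return findings


# Constructed scenarios: /var/log/tomcat9 group-writable by adm; on Debian
# rsyslog honours fileOwner="tomcat", on Ubuntu it writes as the syslog user.
LOG_DIR = Inode(UIDS["tomcat"], GIDS["adm"], 0o2770)
DEBIAN_OUT = Inode(UIDS["tomcat"], GIDS["adm"], 0o640)
UBUNTU_OUT = Inode(UIDS["syslog"], GIDS["adm"], 0o640)

if __name__ == "__main__":
    for label, cfg, out in [("debian", TOMCAT9_LOGROTATE, DEBIAN_OUT),
                            ("ubuntu", TOMCAT9_LOGROTATE, UBUNTU_OUT),
                            ("ubuntu-no-su", NO_SU_LOGROTATE, UBUNTU_OUT)]:
        print(f"{label:13s} {audit(cfg, out, LOG_DIR) or 'OK'}")
```

Running it prints OK for the Debian layout, `cannot-truncate-logfile` for the Ubuntu layout under the shipped config, and `insecure-parent-directory` for the no-`su` variant, which is exactly the sequence of outcomes reported in the thread. To audit a real host, replace the constructed `Inode` values with `os.stat()` results and the id map with `pwd`/`grp` lookups.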


Bug#1008668: bug #1008668: tomcat9: logrotated is not able to truncate catalina.out

2022-04-20 Thread Evren Yurtesen
Never mind my previous idea. It does not work, as /var/log/tomcat9 is group 
writable by the `adm` group. This causes the following problem: :(


# logrotate -f /etc/logrotate.d/tomcat9
error: skipping "/var/log/tomcat9/catalina.out" because parent directory has 
insecure permissions (It's world writable or writable by group which is not 
"root") Set "su" directive in config file to tell logrotate which user/group 
should be used for rotation.





Bug#1008668: bug #1008668: tomcat9: logrotated is not able to truncate catalina.out

2022-04-14 Thread Evren Yurtesen
Hi Markus,


You are quite right. The root cause of the issue is Ubuntu dropping the privileges 
of rsyslogd to the `syslog` user. This change was made way back in ~2009 in the 
Ubuntu package.


https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/388608 (which does not 
explain the benefits very clearly, but my assumption is an attempt at improving 
security).


As you put it adequately, there are other Debian packages that also use rsyslogd. 
This change in Ubuntu's rsyslog configuration should be affecting those also. I 
had a quick look using apt-file for packages which put configurations into 
/etc/rsyslog.d. The ones I checked do not seem to specify a certain 
user/group in the rsyslog config. This causes files to be owned as root:adm with 640 
permissions in Debian, which is the default according to `/etc/rsyslog.conf`, and 
in Ubuntu they would be owned according to Ubuntu's default settings automatically as 
well.


Could it be more acceptable if the 'fileOwner="tomcat"' setting was simply 
removed from the rsyslog config of tomcat9? In addition, could the 'create 640 tomcat adm' 
and 'su tomcat adm' settings be removed from the logrotate config of tomcat9?


One advantage for Debian is that `tomcat` itself can't read the log files 
anymore. This could be considered more secure. Not that it would help much, 
as the tomcat9 package triple-logs everything: first through syslog to 
catalina.out, then directly to catalina.-MM-DD.log in a different format, and 
of course nowadays a third time through journald. :)


Thanks,
Evren




Bug#1008668: bug #1008668: tomcat9: logrotated is not able to truncate catalina.out

2022-04-14 Thread Thorsten Glaser
On Thu, 14 Apr 2022, Utkarsh Gupta wrote:

> The submitter has provided a debdiff, too:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=1008668;filename=tomcat9_9.0.58-1ubuntu1.debdiff;msg=5.

This will break other syslog implementations, though.

What is the problem with logrotate? It happily rotates files
owned by anyone in Debian.

bye,
//mirabilos


Bug#1008668: bug #1008668: tomcat9: logrotated is not able to truncate catalina.out

2022-04-14 Thread Markus Koschany
On Thursday, 14.04.2022 at 16:23 +0530, Utkarsh Gupta wrote:
> Hi Emmanuel,
> 
> We have bug #1008668 that's causing problems on the Ubuntu side and is
> also reproducible via the Debian package (essentially, it's the same
> in both places).

Hi Utkarsh,

I have been trying to reproduce this problem but on an up-to-date Debian system
running tomcat9 version 9.0.58-1 I cannot reproduce it. catalina.out is
truncated when I run 

logrotate -f /etc/logrotate.d/tomcat9

The logrotate file changes the permissions to "su tomcat adm" which is
sufficient to operate on tomcat9 log files. I'm not familiar with the Ubuntu
differences when it comes to logrotate and rsyslogd but I suppose that is the
underlying issue here. It would be strange if we had to change the permissions
to syslog adm because other Debian packages also own log files with their
specific users and that does not cause any problems either.

That said, I am not against fixing this for Ubuntu but the current approach
seems wrong to me.

Regards,

Markus



