Bug 50971

Summary: logrotate should create new logfiles with permissions of "old" logfile
Product: UCS
Reporter: Julia Bremer <bremer>
Component: logrotate
Assignee: UCS maintainers <ucs-maintainers>
Status: RESOLVED WORKSFORME
QA Contact: UCS maintainers <ucs-maintainers>
Severity: normal
Priority: P5
CC: hahn
Version: UCS 4.4
Target Milestone: ---
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=50545
What kind of report is it?: Development Internal
Bug group (optional): Usability

Description Julia Bremer univentionstaff 2020-03-17 13:07:14 CET
The permissions of files created by logrotations are controlled by the UCR variable logrotate/create, which is evaluated by /base/univention-lib/python/ucrLogrotate.py.

This means that we are not able to set the permissions per logfile; we can only set the permissions for all logfiles to the same value.

We noticed this when enabling logrotation for radius_ntlm_auth.log in Bug #50545. 
The logfile is created with the permissions 

-rw-r--r-- 1 root freerad 291 Jan 11 00:59 radius_ntlm_auth.log

After logrotation the permissions are set like this:
-rw-r----- 1 root adm       0 Jan 11 01:00 radius_ntlm_auth.log
-rw-r--r-- 1 root freerad 291 Jan 11 00:59 radius_ntlm_auth.log.1

since logrotate/create is set to "640 root adm" as default.

We should add the possibility to set the file permissions at logrotate creation per logfile.
Comment 1 Philipp Hahn univentionstaff 2020-03-17 15:24:02 CET
WORKS-4-ME:
> logrotate/create: 640 root adm
>  Configures mode, owner and group of a log file after rotation, e.g. '640 root adm'.
also works for individual sections like the other 'logrotate/$SECTION/....' variables.

# ls -ld /var/log/syslog 
-rw-r----- 1 root adm 33068180 Mär 17 15:18 /var/log/syslog

# ucr set logrotate/syslog/create='644 root staff'

# grep -A4 /var/log/syslog /etc/logrotate.d/rsyslog
/var/log/syslog
{
        daily
        rotate 84
        create 644 root staff

# logrotate --force /etc/logrotate.conf
# ls -ld /var/log/syslog 
-rw-r--r-- 1 root staff 3513 Mär 17 15:20 /var/log/syslog
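
Both listings in this report show rotation silently changing who can read a log: the radius log loses its freerad group, and the syslog example becomes world-readable. The following is an added example, not part of the bug report or of UCS code. It parses the `create` directive of each stanza in a rendered logrotate file and reports what rotation will change compared with an `ls -l` line. The function names and the `/path/to/` placeholder directory are assumptions; the sample values are taken from the description above.

```python
import re

# Constructed stanza: the default "640 root adm" from the report on a placeholder path.
SAMPLE_CONF = "/path/to/radius_ntlm_auth.log\n{\n        create 640 root adm\n}\n"
# ls -l line of the log before rotation, as quoted in the report.
SAMPLE_LS = "-rw-r--r-- 1 root freerad 291 Jan 11 00:59 radius_ntlm_auth.log"

def parse_create(conf):
    """Map each log path to the (mode, owner, group) of its stanza's 'create'."""
    result, paths, inside = {}, [], False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not inside:
            # Path lines start with "/"; global directives outside stanzas are skipped.
            head, brace, _ = line.partition("{")
            if head.startswith("/"):
                paths += head.split()
            inside = bool(brace)
        elif line.startswith("}"):
            paths, inside = [], False
        elif line.split()[0] == "create":
            # logrotate allows "create", "create mode" and "create owner group";
            # an omitted attribute (None here) is inherited from the old file.
            args = line.split()[1:]
            mode = int(args.pop(0), 8) if args and re.fullmatch(r"[0-7]{3,4}", args[0]) else None
            owner, group = (args + [None, None])[:2]
            result.update({p: (mode, owner, group) for p in paths})
    return result

def parse_ls(line):
    """Return (mode, owner, group) from one 'ls -l' line; special bits are ignored."""
    perms, _, owner, group = line.split()[:4]
    mode = 0
    for i, ch in enumerate(perms[1:10]):
        if ch not in "-ST":  # S/T: setuid/setgid/sticky without the execute bit
            mode |= 1 << (8 - i)
    return mode, owner, group

def drift(current, create):
    """List what rotation changes; None in 'create' keeps the old file's value."""
    show = lambda v: format(v, "03o") if isinstance(v, int) else v
    return [f"{n}: {show(c)} -> {show(w)}" for n, c, w in
            zip(("mode", "owner", "group"), current, create) if w not in (None, c)]

if __name__ == "__main__":
    for path, create in parse_create(SAMPLE_CONF).items():
        print(path, drift(parse_ls(SAMPLE_LS), create))
```

An empty list means rotation keeps the current mode, owner and group; any entry is a candidate for a per-section `logrotate/$SECTION/create` value as shown in Comment 1.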