Bug 50545 - logrotate does not cover radius_ntlm_auth.log
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Radius
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-3-errata
Assigned To: Julia Bremer
QA Contact: Sönke Schwardt-Krummrich
Duplicates: 48799

Reported: 2019-11-26 12:21 CET by Sönke Schwardt-Krummrich
Modified: 2020-03-18 12:27 CET

What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.091
School Customer affected?: Yes

Description Sönke Schwardt-Krummrich univentionstaff 2019-11-26 12:21:22 CET
The logfile radius_ntlm_auth.log is not rotated by logrotate. In larger environments / school customer environments this file grows rather quickly.

Expected behaviour:
The logfile is automatically rotated.
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2020-02-06 17:32:26 CET
*** Bug 48799 has been marked as a duplicate of this bug. ***
Comment 2 Max Pohle univentionstaff 2020-02-17 12:02:00 CET
Local tests were successful. Please review my change!

version build: 6.0.2-18A~4.4.0.202002171137

touched files:
services/univention-radius/conffiles/etc/logrotate.d/univention-radius
services/univention-radius/debian/changelog
services/univention-radius/debian/univention-radius.univention-config-registry
doc/errata/staging/univention-radius.yaml
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2020-03-16 21:01:55 CET
OK: code change
OK: installation
OK: update
~OK: changelog entry
OK: advisory
REOPEN: functional change
OK: package built and installable


Short test with univention-radius 6.0.2-19A~4.4.0.202002241643:

root@master142:/etc/logrotate.d# ucr set logrotate/radius_ntlm_auth/rotate/count=123
[...]
root@master142:/etc/logrotate.d# diff -u univention-radius univention-portal 
--- univention-radius   2020-01-10 18:54:57.880000000 +0100
+++ univention-portal   2020-01-10 18:54:58.504000000 +0100
@@ -5,12 +5,12 @@
 #          univention-config-registry ueberschrieben werden.
 #          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
 # 
-#      /etc/univention/templates/files/etc/logrotate.d/univention-radius
+#      /etc/univention/templates/files/etc/logrotate.d/univention-portal
 # 
 
-/var/log/univention/radius_ntlm_auth.log {
+/var/log/univention/portal.log {
        weekly
-       rotate 123
+       rotate 12
        create 640 root adm
        compress
        missingok
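
Review bot: the unchanged context line `create 640 root adm` is the part of this hunk that needs attention, because the new radius_ntlm_auth.log stanza takes the same create mode, owner and group as portal.log. The `ls -la` output under BEFORE LOGROTATE in this comment shows the live file as `-rw-r--r-- root freerad`, so the first rotation changes both the mode and the group of the file. The stanza should carry its own create value for this log, matching the file's existing owner, group and mode (the thread later does this through logrotate/radius_ntlm_auth/create), rather than the value shared with the other templates.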


CREATE LOG ENTRY:
root@master142:~# cat > eapol.conf <<EOF
network={
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="d.krause1"
        anonymous_identity="anonymous"
        password="univention"
        phase2="autheap=MSCHAPV2"
}
EOF
root@master142:~# eapol_test -c eapol.conf -s testing123
root@master142:~#

BEFORE LOGROTATE:
root@master142:/var/log/univention# ls -la radius_ntlm_auth*
-rw-r--r-- 1 root freerad 291 Jan 11 00:59 radius_ntlm_auth.log

ROTATE LOGFILES:
root@master142:# logrotate -vf /etc/logrotate.conf
[...lots of output...]

AFTER LOGROTATION:
root@master142:/var/log/univention# ls -la radius_ntlm_auth*
-rw-r----- 1 root adm       0 Jan 11 01:00 radius_ntlm_auth.log
-rw-r--r-- 1 root freerad 291 Jan 11 00:59 radius_ntlm_auth.log.1

REOPEN: 
the permissions and the owner of the new logfile are not the same as before

Sidenote: please also fix the mail address in the last debian/changelog entry.
Comment 4 Julia Bremer univentionstaff 2020-03-17 13:21:00 CET
The permissions of a new logfile after logrotation are globally defined by the
UCR variable logrotate/create,
whose default value is "640 root adm".
Currently, there is no "easy" way to change the permissions with which the new logfiles are created by logrotation per logfile.
I created Bug #50971 for this issue, which also affects the files config-registry.replog and samba4-provision.log.

Since the logfile is still only writeable by root with this default configuration and freeradius can still write its logs into it, I think this is okay for now.
Comment 5 Julia Bremer univentionstaff 2020-03-17 16:41:39 CET
665f7e3cbc Bug #50545: yaml update
eaa831d0fb Bug #50545: Fix file permissions in new logrotate files

Package: univention-radius
Version: 6.0.2-21A~4.4.0.202003171637
Branch: ucs_4.4-0
Scope: errata4.4-3


I was simply wrong.
The UCR variable can be used like this: logrotate/file/create=...
as pointed out by Phillip in Bug #50971.

The UCR Variable logrotate/radius_ntlm_auth/create is now set in the postinst.
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2020-03-17 21:12:14 CET
BEFORE ("unclean" test env from last run!):
root@master142:~# ls -la /var/log/univention/radius_ntlm_auth.*
-rw-r----- 1 root adm       0 Jan 11 01:00 /var/log/univention/radius_ntlm_auth.log
-rw-r--r-- 1 root freerad 291 Jan 11 00:59 /var/log/univention/radius_ntlm_auth.log.1

AFTER update and forced logrotation:
root@master142:~# ls -la /var/log/univention/radius_ntlm_auth.*
-rw-r--r-- 1 root freerad   0 Jan 11 02:09 /var/log/univention/radius_ntlm_auth.log
-rw-r----- 1 root adm     291 Jan 11 02:09 /var/log/univention/radius_ntlm_auth.log.1
-rw-r--r-- 1 root freerad 195 Jan 11 00:59 /var/log/univention/radius_ntlm_auth.log.2.gz

root@master142:~# ucr get logrotate/radius_ntlm_auth/create
644 root freerad

OK: code change
OK: installation
OK: update
OK: changelog entry
UPDATED: advisory
OK: package built and installable
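
The before/after comparison done by hand in comments 3 and 6 can be automated. The following is an added example, not part of the bug thread or of the univention-radius package: it reads the `create` directive from a logrotate stanza and compares it with the live file's mode, owner and group. The function names and the script name are assumptions, and the scratch stanza in the no-argument branch is constructed sample input.

```shell
#!/bin/sh
# Added example (not from the bug thread): detect when logrotate's "create"
# directive would give a log file a different mode/owner/group than it has
# now, the drift seen above (644 root:freerad before, 640 root:adm after).

# Print "MODE OWNER GROUP" from the create directive in the stanza of CONF
# that lists LOGFILE literally (globs are not expanded in this sketch).
stanza_create() {
    awk -v f="$2" '
        /[{][ \t]*$/ { hit = 0                     # stanza header: paths, then "{"
                       for (i = 1; i < NF; i++) if ($i == f) hit = 1
                       next }
        /^[ \t]*[}]/ { hit = 0; next }             # end of stanza
        hit && $1 == "create" && NF == 4 {
            sub(/^0+/, "", $2)                     # "0640" and "640" are the same mode
            print $2, $3, $4; exit }
    ' "$1"
}

# Return 0 if the file already matches what rotation will create, 1 if
# rotation would change mode/owner/group, 2 if the stanza has no full
# "create MODE OWNER GROUP" directive.
check_create_drift() {
    _want=$(stanza_create "$1" "$2")
    if [ -z "$_want" ]; then
        echo "NOCREATE $2: no create directive in its stanza"
        return 2
    fi
    _have=$(stat -c '%a %U %G' "$2")               # GNU stat, as on Debian/UCS
    if [ "$_want" = "$_have" ]; then
        echo "OK $2: $_have"
        return 0
    fi
    echo "DRIFT $2: is '$_have', rotation will create '$_want'"
    return 1
}

# Usage: sh check_create.sh /etc/logrotate.d/univention-radius \
#            /var/log/univention/radius_ntlm_auth.log
if [ "$#" -eq 2 ]; then
    check_create_drift "$1" "$2"
else
    # No arguments: run against a constructed stanza and a scratch file.
    d=$(mktemp -d); : > "$d/x.log"; chmod 644 "$d/x.log"
    printf '%s {\n\tcreate 0640 %s\n}\n' "$d/x.log" "$(stat -c '%U %G' "$d/x.log")" > "$d/conf"
    check_create_drift "$d/conf" "$d/x.log" || true   # reports DRIFT (644 vs 640)
    rm -rf "$d"
fi
```

Run before a forced rotation, exit status 1 flags the ownership change that otherwise only shows up in `ls -la` afterwards.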
Comment 7 Erik Damrose univentionstaff 2020-03-18 12:27:43 CET
<http://errata.software-univention.de/ucs/4.4/489.html>