Univention Bugzilla – Bug 50545
logrotate does not cover radius_ntlm_auth.log
Last modified: 2020-03-18 12:27:43 CET
The logfile radius_ntlm_auth.log is not rotated by logrotate. In larger environments / school customer environments this file grows rather quickly. Expected behaviour: The logfile is automatically rotated.
*** Bug 48799 has been marked as a duplicate of this bug. ***
Local tests were successful. Please review my change!

version build: 6.0.2-18A~4.4.0.202002171137

touched files:
services/univention-radius/conffiles/etc/logrotate.d/univention-radius
services/univention-radius/debian/changelog
services/univention-radius/debian/univention-radius.univention-config-registry
doc/errata/staging/univention-radius.yaml
OK: code change
OK: installation
OK: update
~OK: changelog entry
OK: advisory
REOPEN: functional change
OK: package built and installable

Short test with univention-radius 6.0.2-19A~4.4.0.202002241643:

root@master142:/etc/logrotate.d# ucr set logrotate/radius_ntlm_auth/rotate/count=123
[...]
root@master142:/etc/logrotate.d# diff -u univention-radius univention-portal
--- univention-radius 2020-01-10 18:54:57.880000000 +0100 +++ univention-portal 2020-01-10 18:54:58.504000000 +0100 @@ -5,12 +5,12 @@ # univention-config-registry ueberschrieben werden. # Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en): # -# /etc/univention/templates/files/etc/logrotate.d/univention-radius +# /etc/univention/templates/files/etc/logrotate.d/univention-portal # -/var/log/univention/radius_ntlm_auth.log { +/var/log/univention/portal.log { weekly - rotate 123 + rotate 12 create 640 root adm compress missingok

CREATE LOG ENTRY:

root@master142:~# cat > eapol.conf <<EOF
network={
key_mgmt=WPA-EAP
eap=PEAP
identity="d.krause1"
anonymous_identity="anonymous"
password="univention"
phase2="autheap=MSCHAPV2"
}
EOF
root@master142:~# eapol_test -c eapol.conf -s testing123
root@master142:~#

BEFORE LOGROTATE:

root@master142:/var/log/univention# ls -la radius_ntlm_auth*
-rw-r--r-- 1 root freerad 291 Jan 11 00:59 radius_ntlm_auth.log

ROTATE LOGFILES:

root@master142:# logrotate -vf /etc/logrotate.conf
[...lots of output...]

AFTER LOGROTATION:

root@master142:/var/log/univention# ls -la radius_ntlm_auth*
-rw-r----- 1 root adm 0 Jan 11 01:00 radius_ntlm_auth.log
-rw-r--r-- 1 root freerad 291 Jan 11 00:59 radius_ntlm_auth.log.1

REOPEN: the permissions and the owner of the new logfile are not the same as before

Sidenote: please also fix the mail address in the last debian/changelog entry.
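Review bot: the context line "create 640 root adm" in the univention-radius stanza is the same as in univention-portal, so the only per-file values this hunk shows for the radius log are the path and "rotate 123"; the create line still comes from the global default. The listing taken before rotation has radius_ntlm_auth.log as root:freerad, so the stanza should carry its own create value with that owner and group, and the test should compare the create line as well as the rotate count.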
The permissions of a new logfile after logrotation are globally defined by the UCR Variable logrotate/create, whose default value is "640 root adm". Currently, there is no "easy" way to change the permissions with which the new logfiles are created by logrotation per logfile. I created Bug #50971 for this issue, which also affects the files config-registry.replog and samba4-provision.log.

Since the logfile is still only writeable by root with this default configuration and freeradius can still write its logs into it, I think this is okay for now.
665f7e3cbc Bug #50545: yaml update
eaa831d0fb Bug #50545: Fix file permissions in new logrotate files

Package: univention-radius
Version: 6.0.2-21A~4.4.0.202003171637
Branch: ucs_4.4-0
Scope: errata4.4-3

I was simply wrong. The UCR Variable can be used like this: logrotate/file/create=... as pointed out by Phillip in Bug #50971. The UCR Variable logrotate/radius_ntlm_auth/create is now set in the postinst.
BEFORE ("unclean" test env from last run!):

root@master142:~# ls -la /var/log/univention/radius_ntlm_auth.*
-rw-r----- 1 root adm 0 Jan 11 01:00 /var/log/univention/radius_ntlm_auth.log
-rw-r--r-- 1 root freerad 291 Jan 11 00:59 /var/log/univention/radius_ntlm_auth.log.1

AFTER update and forced logrotation:

root@master142:~# ls -la /var/log/univention/radius_ntlm_auth.*
-rw-r--r-- 1 root freerad 0 Jan 11 02:09 /var/log/univention/radius_ntlm_auth.log
-rw-r----- 1 root adm 291 Jan 11 02:09 /var/log/univention/radius_ntlm_auth.log.1
-rw-r--r-- 1 root freerad 195 Jan 11 00:59 /var/log/univention/radius_ntlm_auth.log.2.gz
root@master142:~# ucr get logrotate/radius_ntlm_auth/create
644 root freerad

OK: code change
OK: installation
OK: update
OK: changelog entry
UPDATED: advisory
OK: package built and installable
<http://errata.software-univention.de/ucs/4.4/489.html>
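The before/after ls comparison used in the QA comments above can be scripted. This is an added example, not part of the bug report or of Univention's packaging: it reads the create directive from a log file's logrotate stanza and compares it with the file's current mode, owner and group, so a mismatch is reported before rotation changes them. The function names create_directive, check_log and demo are hypothetical, the demo stanza is constructed, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not Univention code): does the live log file match the
# "create MODE OWNER GROUP" directive logrotate will apply? Needs GNU stat.

# create_directive CONF LOGFILE: print "MODE OWNER GROUP" from LOGFILE's stanza.
# Prints nothing when the stanza has no three-argument create line.
create_directive() {
    awk -v target="$2" '
        /^[ \t]*#/     { next }                       # skip comment lines
        /[{][ \t]*$/   { hit = 0                      # stanza header line
                         n = split($0, f, /[ \t{]+/)
                         for (i = 1; i <= n; i++) if (f[i] == target) hit = 1
                         next }
        /^[ \t]*[}]/   { hit = 0; next }              # stanza end
        hit && $1 == "create" && NF == 4 {
                         sub(/^0+/, "", $2)           # 0640 -> 640, as stat prints
                         print $2, $3, $4; exit }
    ' "$1"
}

# check_log CONF LOGFILE: 0 = match, 1 = rotation changes mode/owner, 2 = skipped.
check_log() {
    want=$(create_directive "$1" "$2")
    if [ -z "$want" ] || [ ! -e "$2" ]; then
        echo "SKIP  $2: no create directive or no such file"; return 2
    fi
    have=$(stat -c '%a %U %G' "$2")
    if [ "$want" = "$have" ]; then
        echo "OK    $2: $have"; return 0
    fi
    echo "DRIFT $2: now '$have', after rotation '$want'"; return 1
}

# Constructed demo: a stanza shaped like the one in the report, in a temp dir.
demo() {
    d=$(mktemp -d) && log="$d/radius_ntlm_auth.log"
    : > "$log" && chmod 644 "$log"
    printf '%s {\n\tweekly\n\trotate 12\n\tcreate 640 %s\n\tcompress\n}\n' \
        "$log" "$(stat -c '%U %G' "$log")" > "$d/univention-radius"
    check_log "$d/univention-radius" "$log"; rc=$?
    rm -rf "$d"; return "$rc"
}
demo || true
```

On a real system the call would be check_log /etc/logrotate.d/univention-radius /var/log/univention/radius_ntlm_auth.log, using the two paths named in this report.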