[IntelMQ-dev] Redis log file gets wrong owner & group(?)

Mika Silander mika.silander at csc.fi
Mon Nov 15 08:41:38 CET 2021


Hi Sebastian,

 Thanks for the confirmation of a bug and its fix. I had already configured auditd to narrow down this problem but now it's not needed anymore.

Br, Mika

----- Original Message -----
From: "Sebix" <sebix at sebix.at>
To: "Mika Silander" <mika.silander at csc.fi>, "intelmq-dev" <intelmq-dev at lists.cert.at>
Sent: Sunday, 14 November, 2021 21:34:55
Subject: Re: [IntelMQ-dev] Redis log file gets wrong owner & group(?)

Dear Mika,

On 11/10/21 12:14 PM, Mika Silander wrote:
> Hi all,
>
>  Occasionally we see the /var/log/redis/redis-server.log file getting intelmq as its owner and group.
Every time when logrotate kicks in?
> This makes redis output to the log file fail. Once the owner is reset to redis and group to adm (on Ubuntu 20.04 LTS) and running systemctl restart redis, redis works fine. I've tried to debug the reason for this change in ownership in logrotate confs, intelmqctl sources etc but so far no luck. Hints as to the reason or how to troubleshoot are again welcome.

I discovered, debugged and fixed this issue a few weeks ago when I was
still working at CERT.at:
https://github.com/certtools/intelmq/commit/5b3c68b571b04ae816f3e8314a2d97b78dae76aa

The problem is that the option `create 644 intelmq intelmq` in intelmq's
logrotate config does not only apply to the intelmq files, but to all
files managed by logrotate globally. Not only redis is affected, but
lots more. You can find all affected files with
sudo find /var/log/ -user intelmq ! -path \*intelmq\*

I hope that helps
Sebastian


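An added example, not IntelMQ's code and not the linked commit: a small shell linter for the mistake Sebastian describes, a `create` (or `su`) directive placed outside the `{ ... }` block of a logrotate snippet, where logrotate treats it as a global default for every log definition parsed afterwards. The two snippet variants are constructed here; the real file is /etc/logrotate.d/intelmq.

```shell
#!/bin/sh
# Added example (not IntelMQ's own code): flag ownership directives that sit
# outside any "{ ... }" block in a logrotate config, since logrotate applies
# such lines globally to all later log definitions (redis-server.log included).

# lint_logrotate_conf FILE: print each offending line; return 1 if any found.
lint_logrotate_conf() {
    awk '
        /\{/ { depth++ }
        /\}/ { depth-- }
        # outside every block, not blank or comment, not a block-opening line,
        # and an ownership-changing directive as the first word
        depth == 0 && $0 !~ /^[ \t]*(#|$)/ && $0 !~ /\{/ && $1 ~ /^(create|su)$/ {
            printf "line %d: global ownership directive: %s\n", NR, $0
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# write_conf bad|good FILE: constructed copies of an intelmq logrotate snippet.
# "bad" has `create` before the block (global); "good" has it inside the block.
write_conf() {
    if [ "$1" = bad ]; then
        printf '%s\n' 'create 644 intelmq intelmq' \
            '/var/log/intelmq/*.log {' '    weekly' '    rotate 4' '}' > "$2"
    else
        printf '%s\n' '/var/log/intelmq/*.log {' '    weekly' '    rotate 4' \
            '    create 644 intelmq intelmq' '}' > "$2"
    fi
}

# lint_variant bad|good: write the variant to a temp file, lint it, and return
# the linter's status (1 for the misplaced directive, 0 for the fixed snippet).
lint_variant() {
    f=$(mktemp)
    write_conf "$1" "$f"
    lint_logrotate_conf "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

# The check from the mail: log files already taken over by intelmq outside
# its own directory (needs root; not run here).
find_leaked_logs() {
    sudo find /var/log/ -user intelmq ! -path '*intelmq*'
}
```

Running `lint_variant bad` prints the offending `create` line and returns 1, while `lint_variant good` is silent and returns 0.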