
snapcraft: ensure logrotate.conf isn't group writable #266

Merged
merged 1 commit into from
Jan 10, 2024

Conversation

simondeziel
Member

Upon startup, LXD might complain during the `==> Rotating logs` part:

```
$ journalctl --no-hostname -b0 -u snap.lxd.daemon --grep logrotate
Jan 09 11:30:33 lxd.daemon[642189]: Potentially dangerous mode on /snap/lxd/x1/etc/logrotate.conf: 0664
Jan 09 11:30:33 lxd.daemon[642189]: error: Ignoring /snap/lxd/x1/etc/logrotate.conf because it is writable by group or others.
```

For some reason (unknown to me), this only affected snaps I build locally, not those from the snapstore. Here's a debug build with `ls -l` surrounding the `chmod g-w` call:

```
2024-01-09 16:07:33.880 :: 2024-01-09 16:07:03.592 :: + broken_symlinks=
2024-01-09 16:07:33.880 :: 2024-01-09 16:07:03.592 :: + '[' -n '' ']'
2024-01-09 16:07:33.880 :: 2024-01-09 16:07:03.593 :: + ls -l /root/prime/etc/logrotate.conf
2024-01-09 16:07:33.880 :: 2024-01-09 16:07:03.600 :: -rw-rw-r-- 4 root root 145 Sep 22 21:11 /root/prime/etc/logrotate.conf
2024-01-09 16:07:33.880 :: 2024-01-09 16:07:03.600 :: + chmod g-w /root/prime/etc/logrotate.conf
2024-01-09 16:07:33.880 :: 2024-01-09 16:07:03.601 :: + ls -l /root/prime/etc/logrotate.conf
2024-01-09 16:07:33.880 :: 2024-01-09 16:07:03.602 :: -rw-r--r-- 4 root root 145 Sep 22 21:11 /root/prime/etc/logrotate.conf
2024-01-09 16:07:33.880 :: 2024-01-09 16:07:03.603 :: + exit 0
2024-01-09 16:07:33.880 :: 2024-01-09 16:07:03.729 patch_elf: not enabled for part 'strip'
```

Without this, a `snap install --dangerous` LXD snap will report this scary warning when LXD starts:

```
$ journalctl --no-hostname -b0 -u snap.lxd.daemon --grep logrotate
Jan 09 11:30:33 lxd.daemon[642189]: Potentially dangerous mode on /snap/lxd/x1/etc/logrotate.conf: 0664
Jan 09 11:30:33 lxd.daemon[642189]: error: Ignoring /snap/lxd/x1/etc/logrotate.conf because it is writable by group or others.
```

Signed-off-by: Simon Deziel <[email protected]>
@tomponline
Member

Thanks @simondeziel

My question would be, why is logrotate.conf even in the snap package? Is it even used by the system logrotate service, or does snap use it for its own log rotation?

@simondeziel
Member Author

The daemon.start script (https://github.com/canonical/lxd-pkg-snap/blob/latest-edge/snapcraft/commands/daemon.start#L340-L342) calls logrotate:

```
# Rotate logs
echo "==> Rotating logs"
logrotate -f "${SNAP}/etc/logrotate.conf" -s "/etc/logrotate.status" || true
```

And the logrotate.conf file itself (https://github.com/canonical/lxd-pkg-snap/blob/latest-edge/snapcraft/etc/logrotate.conf) manages the rotation of /var/snap/lxd/common/lxd/logs/lxd.log.

As for the difference between a local build and one from the builders, I think it boils down to the umask used during the git clone, as my local copy has the same perms (0664) on logrotate.conf as what ended up in the snap.
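An added example, not code from the lxd-pkg-snap repository or from the PR author, that shows the two mechanics this thread relies on: how the umask in effect when files are created (for example during a `git clone`) decides whether a file ends up 0664 or 0644, and a check-and-fix step a build script could run over the primed tree so that logrotate never ignores its config for being writable by group or others. The directory layout, the constructed `logrotate.conf` contents and the function names are assumptions; `stat -c` and `find -perm /022` are the GNU forms.

```shell
#!/bin/sh
# Added example, not from lxd-pkg-snap: reproduce the umask effect described
# in the thread and harden a primed tree so logrotate accepts its config.
# Paths, file names and function names are assumptions for illustration.

# Octal permission bits of a file, e.g. "664" (GNU stat).
file_mode() {
    stat -c '%a' "$1"
}

# Exit status 0 when the file is writable by group or others (mode & 022),
# which is exactly what makes logrotate print "Potentially dangerous mode".
is_group_or_other_writable() {
    # the leading 0 makes the shell parse the stat output as octal
    perm=$((0$(file_mode "$1")))
    [ $((perm & 18)) -ne 0 ]      # 18 decimal == 022 octal
}

# New regular files get 0666 & ~umask, so the umask at creation time decides
# the final mode: umask 002 yields 664, umask 022 yields 644. That is the
# difference between a local clone and the builders' clone described above.
mode_under_umask() {
    tmp=$(mktemp -d)
    ( umask "$1" && : > "$tmp/logrotate.conf" )
    file_mode "$tmp/logrotate.conf"
    rm -rf "$tmp"
}

# Strip group/other write bits from every regular file under a directory,
# the generalised form of the single chmod g-w in this PR. Prints the number
# of files that needed fixing.
harden_config_perms() {
    dir=$1
    before=$(find "$dir" -type f -perm /022 | wc -l)
    find "$dir" -type f -perm /022 -exec chmod go-w {} +
    echo $((before))
}

# Demonstration on a constructed "prime" tree (stand-in for the snapcraft
# prime directory); the config contents are made up for the example.
demo_prime=$(mktemp -d)
mkdir -p "$demo_prime/etc"
( umask 002 && printf '/var/snap/lxd/common/lxd/logs/lxd.log {\n  rotate 7\n}\n' \
    > "$demo_prime/etc/logrotate.conf" )
echo "file created under umask 002 -> $(mode_under_umask 002)"
echo "file created under umask 022 -> $(mode_under_umask 022)"
echo "before: $(file_mode "$demo_prime/etc/logrotate.conf")"
if is_group_or_other_writable "$demo_prime/etc/logrotate.conf"; then
    echo "logrotate would ignore this config; fixed $(harden_config_perms "$demo_prime") file(s)"
fi
echo "after:  $(file_mode "$demo_prime/etc/logrotate.conf")"
rm -rf "$demo_prime"
```

Run as-is to see the 664 to 644 transition that the PR's debug log shows; `harden_config_perms` is the piece that would sit in the snap's strip/prime step, and `is_group_or_other_writable` is the same test logrotate applies before deciding to ignore a config file.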

@tomponline
Member

Very good, thanks

@tomponline tomponline merged commit c7a1ae3 into canonical:latest-edge Jan 10, 2024
3 checks passed
@simondeziel simondeziel deleted the logrotate-conf-perms branch January 10, 2024 16:01