Mailing List Archive: Qmail: users

Log rotation ownership change

Index | Next | Previous | View Threaded

johnelliot67 at hotmail

Oct 5, 2010, 3:27 PM

Post #1 of 7 (1601 views)
Permalink

Log rotation ownership change

Hi,

One of our qmail boxes lost power recently, and ever since then when smtpd logs are rotated the ownership is changed to root:adm and a "previous" file is also created

-rw-r----- 1 root adm 9.6M Oct 6 06:27 current.0

-rw-r----- 1 root adm 0 Oct 6 06:26 previous

smtpd stops, and we see the following error:

root 1602 0.0 0.0 1336 212 ? S Sep06 0:00 readproctitle service errors: ...?multilog: warning: unable to set mode of /var/log/qmail/smtpd/previous, pausing: permission denied?multilog: warning: unable to set mode of /var/log/qmail/smtpd/previous, pausing: permission denied?multilog: warning: unable to set mode of /var/log/qmail/smtpd/previous, pausing: permission denied?multilog: warning: unable to set mode of /var/log/qmail/smtpd/previous, pausing: permission denied?

chowning the files back to qmaill:nofiles fixes the issue.

smtpd log run file:

/var/log/qmail/smtpd# cat /service/qmail-smtpd/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s10000000 n20 /var/log/qmail/smtpd

I've tried changing the size parameter to different values to see if it was some other process changing the ownership, but each time the log hits the conf'd size, the root:adm issue happens.

Any suggestions are greatly appreciated.

amb-sendok-1288920924.dfcoeapdngiakflgpjjc at bradfo

Oct 5, 2010, 6:35 PM

Post #2 of 7 (1538 views)
Permalink

Re: Log rotation ownership change [In reply to]

Thus said John Elliot on Wed, 06 Oct 2010 08:57:30 +1030:

> -rw-r----- 1 root adm 9.6M Oct 6 06:27 current.0
>
> -rw-r----- 1 root adm 0 Oct 6 06:26 previous

> /var/log/qmail/smtpd# cat /service/qmail-smtpd/log/run
> #!/bin/sh
> exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s10000000 n20 /var/log/qmail/smtpd

You are not looking at the right log/run script. ``previous'' is only
used by a multilog that is using a !processor which I do not see above.
Also, you have a file called ``current.0'' which is not part of stock
daemontools as far as I am aware; is this from a patch?

Andy

johnelliot67 at hotmail

Oct 5, 2010, 6:55 PM

Post #3 of 7 (1542 views)
Permalink

RE: Log rotation ownership change [In reply to]

>
> Thus said John Elliot on Wed, 06 Oct 2010 08:57:30 +1030:
>
> > -rw-r----- 1 root adm 9.6M Oct 6 06:27 current.0
> >
> > -rw-r----- 1 root adm 0 Oct 6 06:26 previous
>
> > /var/log/qmail/smtpd# cat /service/qmail-smtpd/log/run
> > #!/bin/sh
> > exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s10000000 n20 /var/log/qmail/smtpd
>
> You are not looking at the right log/run script. ``previous'' is only
> used by a multilog that is using a !processor which I do not see above.
> Also, you have a file called ``current.0'' which is not part of stock
> daemontools as far as I am aware; is this from a patch?
>

Thanks for the response.

This was a Bill Shupp toaster install(Many years ago!) - qmail-smtpd is logging to current, but also "something" is creating current.1 etc:

-rwxr--r-- 1 qmaill nofiles 9.6M Oct 6 11:04 @400000004cabcb3635c3d11c.s
-rw-r--r-- 1 qmaill nofiles 3.2M Oct 6 11:47 current

-rw-r----- 1 qmaill nofiles 9.6M Oct 6 06:27 current.0
-rw-r----- 1 qmaill nofiles 1.7M Oct 5 08:09 current.1.gz
-rw-r----- 1 qmaill nofiles 1.6M Oct 4 11:18 current.2.gz
-rw-r----- 1 qmaill nofiles 1.7M Oct 3 13:47 current.3.gz
-rw-r----- 1 qmaill nofiles 1.7M Oct 2 16:36 current.4.gz
-rw-r----- 1 qmaill nofiles 1.7M Oct 1 07:59 current.5.gz
-rw-r----- 1 qmaill nofiles 2.9M Sep 30 16:47 current.6.gz

The only other multilog(Not qmail) appears to be clamd:

clamav 1617 0.0 0.0 1488 312 ? S Sep06 0:00 /usr/local/bin/multilog t /var/log/clamd
qmaill 1619 0.0 0.0 1488 272 ? S Sep06 0:00 multilog t s100000 n20 /var/log/qmail/pop3ds
qmaill 1620 0.0 0.0 1488 272 ? S Sep06 0:00 multilog t s100000 n20 /var/log/qmail/pop3d
qmaill 1621 0.0 0.0 1488 336 ? S Sep06 0:15 /usr/local/bin/multilog t s19999999 n20 /var/log/qmail
qmaill 25199 0.0 0.0 1488 336 ? S Sep30 0:35 /usr/local/bin/multilog t s10000000 n20 /var/log/qmail/smtpd

# cat /service/clamd/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid clamav /usr/local/bin/multilog t /var/log/clamd

Perhaps clamd is the culprit?

sgifford at suspectclass

Oct 6, 2010, 8:37 PM

Post #4 of 7 (1539 views)
Permalink

Re: Log rotation ownership change [In reply to]

On Tue, Oct 5, 2010 at 9:55 PM, John Elliot <johnelliot67 [at] hotmail>wrote:
[ ... ]

> This was a Bill Shupp toaster install(Many years ago!) - qmail-smtpd is
> logging to current, but also "something" is creating current.1 etc:
>
> -rwxr--r-- 1 qmaill nofiles 9.6M Oct 6 11:04 @400000004cabcb3635c3d11c.s
> -rw-r--r-- 1 qmaill nofiles 3.2M Oct 6 11:47 current
>
>
> -rw-r----- 1 qmaill nofiles 9.6M Oct 6 06:27 current.0
> -rw-r----- 1 qmaill nofiles 1.7M Oct 5 08:09 current.1.gz
> -rw-r----- 1 qmaill nofiles 1.6M Oct 4 11:18 current.2.gz
> -rw-r----- 1 qmaill nofiles 1.7M Oct 3 13:47 current.3.gz
> -rw-r----- 1 qmaill nofiles 1.7M Oct 2 16:36 current.4.gz
> -rw-r----- 1 qmaill nofiles 1.7M Oct 1 07:59 current.5.gz
> -rw-r----- 1 qmaill nofiles 2.9M Sep 30 16:47 current.6.gz
>
>

That looks like you are using logrotate on your daemontools log directory.
Look in your /etc/logrotate.conf, /etc/logrotate.d, etc. (see the manpage
for logrotate(8) for details).

-----Scott.

johnelliot67 at hotmail

Oct 6, 2010, 8:59 PM

Post #5 of 7 (1560 views)
Permalink

RE: Log rotation ownership change [In reply to]

Thanks Scott,

On Tue, Oct 5, 2010 at 9:55 PM, John Elliot <johnelliot67 [at] hotmail> wrote:

[ ... ]

This was a Bill Shupp toaster install(Many years ago!) - qmail-smtpd is logging to current, but also "something" is creating current.1 etc:

-rwxr--r-- 1 qmaill nofiles 9.6M Oct 6 11:04 @400000004cabcb3635c3d11c.s
-rw-r--r-- 1 qmaill nofiles 3.2M Oct 6 11:47 current

-rw-r----- 1 qmaill nofiles 9.6M Oct 6 06:27 current.0
-rw-r----- 1 qmaill nofiles 1.7M Oct 5 08:09 current.1.gz
-rw-r----- 1 qmaill nofiles 1.6M Oct 4 11:18 current.2.gz
-rw-r----- 1 qmaill nofiles 1.7M Oct 3 13:47 current.3.gz
-rw-r----- 1 qmaill nofiles 1.7M Oct 2 16:36 current.4.gz
-rw-r----- 1 qmaill nofiles 1.7M Oct 1 07:59 current.5.gz
-rw-r----- 1 qmaill nofiles 2.9M Sep 30 16:47 current.6.gz

>That looks like you are using logrotate on your daemontools log directory. Look in your /etc/logrotate.conf, /etc/logrotate.d, etc. (see the manpage for logrotate(8) for details).

I had checked logrotate, and couldn't find anything in there that references /var/log/qmail/*

# cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
# packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
missingok
monthly
create 0664 root utmp
rotate 1
}
/var/log/btmp {
missingok
monthly
create 0664 root utmp
rotate 1
}

Nothing in logrotate.d looks to be doing it either.

# ls -lah /etc/logrotate.d/*
-rw-r--r-- 1 root root 79 Sep 29 2004 /etc/logrotate.d/aptitude
-rw-r--r-- 1 root root 384 Nov 12 2004 /etc/logrotate.d/base-config
-rw-r--r-- 1 root root 170 Nov 8 2004 /etc/logrotate.d/exim4-base
-rw-r--r-- 1 root root 94 Jul 17 2004 /etc/logrotate.d/ppp
-rw-r--r-- 1 root root 301 Sep 18 2005 /etc/logrotate.d/squid

Still thinking clam has something to do with it - I might try disabling it.

dsr at tao

Oct 7, 2010, 7:24 AM

Post #6 of 7 (1534 views)
Permalink

Re: Log rotation ownership change [In reply to]

On Thu, Oct 07, 2010 at 02:29:38PM +1030, John Elliot wrote:
>
> >That looks like you are using logrotate on your daemontools log directory. Look in your /etc/logrotate.conf, /etc/logrotate.d, etc. (see the manpage for logrotate(8) for details).
>
> I had checked logrotate, and couldn't find anything in there that references /var/log/qmail/*
>
>
> # cat /etc/logrotate.conf
> # see "man logrotate" for details
> # rotate log files weekly
> weekly
> # keep 4 weeks worth of backlogs
> rotate 4
> # create new (empty) log files after rotating old ones
> create
> # uncomment this if you want your log files compressed
> #compress
> # packages drop log rotation information into this directory
> include /etc/logrotate.d

^ this line, as was mentioned, includes all of the files in
logrotate.d as configuration elements. Look there.

-dsr-

johnelliot67 at hotmail

Oct 7, 2010, 12:58 PM

Post #7 of 7 (1533 views)
Permalink

RE: Log rotation ownership change [In reply to]

> On Thu, Oct 07, 2010 at 02:29:38PM +1030, John Elliot wrote:
> >
> > >That looks like you are using logrotate on your daemontools log directory. Look in your /etc/logrotate.conf, /etc/logrotate.d, etc. (see the manpage for logrotate(8) for details).
> >
> > I had checked logrotate, and couldn't find anything in there that references /var/log/qmail/*
> >
> >
> > # cat /etc/logrotate.conf
> > # see "man logrotate" for details
> > # rotate log files weekly
> > weekly
> > # keep 4 weeks worth of backlogs
> > rotate 4
> > # create new (empty) log files after rotating old ones
> > create
> > # uncomment this if you want your log files compressed
> > #compress
> > # packages drop log rotation information into this directory
> > include /etc/logrotate.d
>
> ^ this line, as was mentioned, includes all of the files in
> logrotate.d as configuration elements. Look there.
>
> -dsr-

Cheers - but as per my last msg, I did check there:

On Tue, Oct 5, 2010 at 9:55 PM, John Elliot <johnelliot67 [at] hotmail> wrote:
[ ... ]

> Nothing in logrotate.d looks to be doing it either.
>
> # ls -lah /etc/logrotate.d/*
> -rw-r--r-- 1 root root 79 Sep 29 2004 /etc/logrotate.d/aptitude
> -rw-r--r-- 1 root root 384 Nov 12 2004 /etc/logrotate.d/base-config
> -rw-r--r-- 1 root root 170 Nov 8 2004 /etc/logrotate.d/exim4-base
> -rw-r--r-- 1 root root 94 Jul 17 2004 /etc/logrotate.d/ppp
> -rw-r--r-- 1 root root 301 Sep 18 2005 /etc/logrotate.d/squid
>
> Still thinking clam has something to do with it - I might try disabling it.

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads