TurnKey Linux Virtual Appliance Library

Are automatic security updates overwriting/changing permissions in the /var/log directory?

mgd's picture

I have a Turnkey LAPP appliance on which I installed Cacti. Cacti uses a poller technique and polling actions are written to /var/log/cacti/poller-error.log. Each weekend, something is changing the permissions on this file. The file should have permissions 775 (rwxrwxr-x) for cacti:www-data. Sometimes the permissions become root:root r--r--r--, sometimes www-data:www-data. Without the proper permissions for "Cacti", Cacti can't write to this log file and thus the graphs don't work. I can't see Cacti making this change and locking itself out, so I am tentatively pointing the finger at the Turnkey auto-security updates. My box is: Ubuntu 10.04.1 LTS \n \l. Is there anyway to determine what is making these changes...which again seem to only happen on the weekend?

Jeremy's picture

That sounds strange

I don't know of anything that would be changing permissions like that. But then I'm certainly no expert on these things.

You could hunt through the cron jobs and see what they do. Or alternatively, perhaps you could create a troubleshooting script that could regualrly run from cron checking the permissions on that file and listing running processes? Then you would at least be able to whitle down when it occurs and get some hints on what it might be.

Alternatively you could just create a cron job to reset the file permissions. Ideally it'd be better to find out what's causing it and why, but failing that a hack may at least be a workaround for now.

mgd's picture

Script

Thanks, Jeremy. I created the following script and placed it in the /etc/cron.hourly folder with the appropriate permissions. At least that will give my some protection will I continue to investigate. I will also modify the script to check permissions and then apply them only if they are incorrect.

#!/bin/sh
find /var/log/cacti -exec chown -R cacti:www-data {} \;
find /var/log/cacti -exec chmod -R 0775 {} \;

Jeremy's picture

Good work

Thanks for sharing. Good luck in your further investigations. Hopefully you can get to the bottom of it.

mgd's picture

script to check if permissions are set correctly

After much frothing around and testing, here is the final script. Note, I just check the permissions on poller-error.log because I found that  if the permissions are wrong on this file, they are wrong on all the files in /var/log/cacti. Also, the -R, recursive may be a little overkill since there are no sub-folders in this directory. Also, for those "scriptors" out there, pay attention to the spaces in the if statement...all are necessary. Also, I set the permissions in /var/log/cacti to be 775 for cacti user and www-data group. Also, for some reason, I had to specify the full path in my script for the executables such as "chmod".

#!/bin/bash
PATH=/var/log/cacti
FILE=/var/log/cacti/poller-error.log
PERM=`/usr/bin/stat -c "%a" $FILE`
if [[ "$PERM" -ne "775" ]];
then
 /bin/chown -R cacti:www-data $PATH
 /bin/chmod -R 775 $PATH
fi


Post new comment

The content of this field is kept private and will not be shown publicly. If you have a Gravatar account, used to display your avatar.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <p> <span> <div> <h1> <h2> <h3> <h4> <h5> <h6> <img> <map> <area> <hr> <br> <br /> <ul> <ol> <li> <dl> <dt> <dd> <table> <tr> <td> <em> <b> <u> <i> <strong> <font> <del> <ins> <sub> <sup> <quote> <blockquote> <pre> <address> <code> <cite> <strike> <caption>

More information about formatting options

Leave this field empty. It's part of a security mechanism.
(Dear spammers: moderators are notified of all new posts. Spam is deleted immediately)