[Bug 273409] New: audit 1.2.6-22 update changes permissions on /var/log/audit/audit.log
https://bugzilla.novell.com/show_bug.cgi?id=273409 Summary: audit 1.2.6-22 update changes permissions on /var/log/audit/audit.log Product: openSUSE 10.2 Version: Final Platform: Other OS/Version: Other Status: NEW Severity: Normal Priority: P5 - None Component: Basesystem AssignedTo: tonyj@novell.com ReportedBy: sbeattie@novell.com QAContact: qa@suse.de CC: meissner@novell.com After the openSUSE 10.2 audit update for #259676, the audit logfile (/var/log/audit/audit.log) gets its permission mode set to 0440 from 0640 before the update. When the audit daemon restarts, it checks this and fails, emitting the following message to syslog: May 10 10:59:39 vmos102b2 auditd: /var/log/audit/audit.log permissions should be 0640 May 10 10:59:39 vmos102b2 auditd: The audit daemon is exiting. Thus auditd will not run after the update until the permission bits are reset on the logfile. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=273409 ------- Comment #1 from tonyj@novell.com 2007-05-11 09:42 MST ------- I thought I was able to reproduce this, I distinctly recall seeing the file chmod'd only as a result of a SIGUSR1. Today on 3 different systems (1 x86_64, 2 i386/qemu) I'm totally unable to reproduce. I tried generating a large audit log before the upgrade, that didn't trip it either. I asked Marcus to try it too, seems to be working fine on his ppc-10.2 system. linux-vm1:/tmp/foo # ls -l /var/log/audit total 39296 -rw-r----- 1 root root 40190544 May 11 08:11 audit.log linux-vm1:/tmp/foo # du -hs /var/log/audit 39M /var/log/audit linux-vm1:/tmp/foo # rpm -qa | grep audit audit-libs-1.2.6-20 audit-1.2.6-20 linux-vm1:/tmp/foo # ps -ef | grep audit root 2147 6 0 05:53 ? 00:00:04 [kauditd] root 3325 1 3 07:52 ? 00:00:45 /sbin/auditd root 3399 3389 0 08:13 pts/0 00:00:00 grep audit linux-vm1:/tmp/foo # rpm -qp audit* audit-libs-1.2.6-22 audit-1.2.6-22 linux-vm1:/tmp/foo # rpm -Uhv audit* Preparing... 1:audit-libs 2:audit Updating etc/sysconfig/auditd... linux-vm1:/tmp/foo # ls -l /var/log/audit/audit.log* -rw-r----- 1 root root 334 May 11 08:13 /var/log/audit/audit.log -r--r----- 1 root root 40190680 May 11 08:13 /var/log/audit/audit.log.1 linux-vm1:/tmp/foo # vi /etc/sysconfig/auditd linux-vm1:/tmp/foo # /etc/init.d/auditd restart Shutting down auditd Starting auditd linux-vm1:/tmp/foo # ls -l /var/log/audit* -rw-r----- 1 root root 794 May 11 08:13 /var/log/audit/audit.log -r--r----- 1 root root 40190680 May 11 08:13 /var/log/audit/audit.log.1 linux-vm1:/tmp/foo # ps -ef | grep audit root 2147 6 0 05:53 ? 00:00:04 [kauditd] root 3456 1 0 08:13 ? 00:00:00 /sbin/auditd root 3463 3389 0 08:14 pts/0 00:00:00 grep audit linux-vm1:/tmp/foo # kill -SIGUSR1 3456 linux-vm1:/tmp/foo # ps -ef | grep audit root 2147 6 0 05:53 ? 00:00:04 [kauditd] root 3456 1 0 08:13 ? 00:00:00 /sbin/auditd root 3465 3389 0 08:14 pts/0 00:00:00 grep audit linux-vm1:/tmp/foo # ls -l /var/log/audit/* -rw-r----- 1 root root 102 May 11 08:14 /var/log/audit/audit.log -r--r----- 1 root root 794 May 11 08:13 /var/log/audit/audit.log.1 -r--r----- 1 root root 40190680 May 11 08:13 /var/log/audit/audit.log.2 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=273409 ------- Comment #2 from sbeattie@novell.com 2007-05-11 13:25 MST ------- Sorry, I think you must have misunderstood what I said in IRC. I am able to reproduce it ad infinitum if I send SIGUSR1 to 1.2.6-20 pre-update code. That code does the chmod to mode 0440 and then spins out of control. If it is restarted, the 1.2.6-20 will use the audit.log just fine. However, when the update to 1.2.6-22 occurs, the mode is still 0440, but the new code is more strict about the permissions and refuses to run. Natch: vmos102b2:/home/steve # rpm -q audit audit-libs audit-1.2.6-20 audit-libs-1.2.6-20 vmos102b2:/home/steve # ls -l /var/log/audit/ total 52581 -rw-r----- 1 root root 326 May 11 09:02 audit.log -r--r----- 1 root root 53630315 May 10 18:12 audit.log.1 vmos102b2:/home/steve # killall -USR1 auditd vmos102b2:/home/steve # ls -l /var/log/audit/ total 52581 -r--r----- 1 root root 326 May 11 09:02 audit.log -r--r----- 1 root root 53630315 May 10 18:12 audit.log.1 vmos102b2:/home/steve # /etc/init.d/auditd restart Shutting down auditd done Starting auditd done vmos102b2:/home/steve # ls -l /var/log/audit/ total 52581 -r--r----- 1 root root 653 May 11 09:03 audit.log -r--r----- 1 root root 53630315 May 10 18:12 audit.log.1 vmos102b2:/home/steve # rpm -Uvh audit-1.2.6-22.i586.rpm audit-libs-1.2.6-22.i586.rpm Preparing... ########################################### [100%] 1:audit-libs ########################################### [ 50%] 2:audit ########################################### [100%] Updating etc/sysconfig/auditd... startproc: exit status of parent of /sbin/auditd: 6 vmos102b2:/home/steve # /etc/init.d/auditd restart Shutting down auditd done Starting auditd startproc: exit status of parent of /sbin/auditd: 6 done vmos102b2:/home/steve # ls -l /var/log/audit/ total 52581 -r--r----- 1 root root 782 May 11 09:03 audit.log -r--r----- 1 root root 53630315 May 10 18:12 audit.log.1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=273409 ------- Comment #3 from tonyj@novell.com 2007-05-14 03:45 MST ------- So you deliberately tried to send it a SIGUSR1 prior to doing the update? Why? Anyways, if this is it, I'm going to close as not a bug. Far newer version is in stable. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=273409 ------- Comment #4 from sbeattie@novell.com 2007-05-14 11:57 MST -------
So you deliberately tried to send it a SIGUSR1 prior to doing the update? Why?
Because I was trying to reproduce the way my systems got into the situation. Why is that a hard concept to understand?
Anyways, if this is it, I'm going to close as not a bug.
Just so long as you realize that someone who trips over the original SIGUSR1 bug and then does an update to correct it will still have a non-functional audit daemon post-update, rendering the point of the update moot for them. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=273409 tonyj@novell.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |INVALID ------- Comment #5 from tonyj@novell.com 2007-05-14 12:49 MST -------
rendering the point of the update moot for them
Sorry, not correct. Closing. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
participants (1)
-
bugzilla_noreply@novell.com