[Bug 1687015] Re: 229_4ubuntu17 removes group write permissions from /var/log
Simon Davy
simon.davy at canonical.com
Tue May 2 16:16:43 UTC 2017
I'm an idiot. Of course strace doesn't trace forks by default.
I did a full strace -f (including custom build of strace to stop
truncating arguments) and found more info.
The culprit seems to be /bin/systemd-tmpfiles
During install of the package this is called like so:
/bin/systemd-tmpfiles --create /usr/lib/tmpfiles.d/debian.conf
/usr/lib/tmpfiles.d/home.conf /usr/lib/tmpfiles.d/journal-nocow.conf
/usr/lib/tmpfiles.d/legacy.conf /usr/lib/tmpfiles.d/systemd-nologin.conf
/usr/lib/tmpfiles.d/systemd.conf /usr/lib/tmpfiles.d/tmp.conf
/usr/lib/tmpfiles.d/var.conf /usr/lib/tmpfiles.d/x11.conf
On a clean default xenial lxd image, in which /var/log is 775, running
the above, even without upgrading to 229_4ubuntu17, will change perms on
/var/log to 755.
Digging further, I see a conflict in tmpfiles.d config for /var/log in
the *current* xenial image.
$ cat /usr/lib/tmpfiles.d/00rsyslog.conf
# Override systemd's default tmpfiles.d/var.conf to make /var/log writable by
# the syslog group, so that rsyslog can run as user.
# See tmpfiles.d(5) for details.
The config it's overriding is in /usr/lib/tmpfiles.d/var.conf:
...
d /var/log 0755 - - -
...
It seems that, by providing an explicit list of tmpfiles.d to the
/bin/systemd-tmpfiles, the install process is excluding the carefully placed
override in /usr/lib/tmpfiles.d/00rsyslog.conf.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1687015
Title:
229_4ubuntu17 removes group write permissions from /var/log
Status in systemd package in Ubuntu:
Incomplete
Bug description:
Steps to reproduce (time sensitive, once lxd image is updated with
4ubuntu17, I expect this won't work)
lxc launch ubuntu:x test
lxc exec test -- ls -ld /var/log # shows 775 perms
lxc exec test -- apt update
lxc exec test -- apt-cache policy systemd
lxc exec test -- apt install systemd
lxc exec test -- ls -ld /var/log # shows 755 permissions
straceing the apt install shows no chmod calls to /var/log (only
/var/log/apt.log, as you'd expect)
This means syslog cannot write new files in /var/log, and had broken
some production logging for us as a result.
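Added example (not part of the original message or of systemd): a simplified Python model of the precedence described above, where the lexicographically earliest file name wins for a duplicated path, showing how an explicit file list that omits 00rsyslog.conf changes the resulting mode of /var/log. The directive inside 00rsyslog.conf and the tmp.conf line are assumptions; only the var.conf line is quoted in the message.

```python
import os

# Constructed sample data. The var.conf line for /var/log is the one quoted in
# the message; the directive inside 00rsyslog.conf is not shown there and is
# an assumption, as is the tmp.conf line.
CONFIGS = {
    "/usr/lib/tmpfiles.d/00rsyslog.conf": "# override\nd /var/log 0775 root syslog -\n",
    "/usr/lib/tmpfiles.d/var.conf": "d /var/log 0755 - - -\n",
    "/usr/lib/tmpfiles.d/tmp.conf": "d /tmp 1777 root root -\n",
}

def parse(text):
    """Yield (path, mode) for each directive line, skipping comments and blanks."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        yield fields[1], fields[2] if len(fields) > 2 else "-"

def effective_mode(path, files, configs=CONFIGS):
    """Return (mode, winning_file) for path among the given config files.

    Simplified model: files are taken in lexicographic order of base name and
    the first line seen for a path wins; later lines for it are ignored.
    """
    for name in sorted(files, key=os.path.basename):
        for entry_path, mode in parse(configs[name]):
            if entry_path == path:
                return mode, name
    return None, None

def override_bypassed(path, explicit_files, configs=CONFIGS):
    """True when an explicit file list gives a different mode than a full scan."""
    full_mode, _ = effective_mode(path, configs, configs)
    listed_mode, _ = effective_mode(path, explicit_files, configs)
    return full_mode != listed_mode

if __name__ == "__main__":
    explicit = ["/usr/lib/tmpfiles.d/tmp.conf", "/usr/lib/tmpfiles.d/var.conf"]
    print("full scan:    ", effective_mode("/var/log", CONFIGS))
    print("explicit list:", effective_mode("/var/log", explicit))
    print("override bypassed:", override_bypassed("/var/log", explicit))
```

The same comparison can be used as a packaging check: any path whose mode differs between the full scan and the list passed by a maintainer script marks an override that the script will silently drop.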