
fix(syslog): add logrotate 'su root adm' directive#87

Merged
amstewart merged 1 commit into ni:master from texasaggie97:dev/texasaggie97/log-rotate
Mar 26, 2026

Conversation

@texasaggie97
Collaborator

@texasaggie97 texasaggie97 commented Mar 26, 2026

Summary of Changes

/var/log is owned root:adm (group-writable), which causes logrotate to skip all log files in that directory with:

  error: skipping "/var/log/..." because parent directory has insecure
  permissions (It's world writable or writable by group which is not
  "root") Set "su" directive in config file to tell logrotate which
  user/group should be used for rotation.

Fix by inserting 'su root adm' into /etc/logrotate.conf before the include /etc/logrotate.d line, and into /etc/logrotate-dmesg.conf before the /var/log/dmesg stanza, during syslog configure. This tells logrotate to run as root:adm, which has the necessary permissions to safely rotate files under /var/log.

Also add verify checks that the directive is present in both files.

Justification

AB#3698573

Testing

Verified that there is no message at boot and that logrotate --force has no errors

Procedure

  • This PR: changes user-visible behavior, fixes a bug, or impacts the project's security profile; and so it includes a CHANGELOG note.
  • I certify that the contents of this pull request comply with the Developer Certificate of Origin.

/var/log is owned root:adm (group-writable), which causes logrotate to
skip all log files in that directory with:

  error: skipping "/var/log/..." because parent directory has insecure
  permissions (It's world writable or writable by group which is not
  "root") Set "su" directive in config file to tell logrotate which
  user/group should be used for rotation.

Fix by inserting 'su root adm' into /etc/logrotate.conf before the
include /etc/logrotate.d line, and into /etc/logrotate-dmesg.conf
before the /var/log/dmesg stanza, during syslog configure. This tells
logrotate to run as root:adm, which has the necessary permissions to
safely rotate files under /var/log.

Also add verify checks that the directive is present in both files.

Signed-off-by: Mark Silva <mark.silva@emerson.com>
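A configure-time helper in the spirit of the fix above, as an added example that is not the project's own configure code: it inserts `su root adm` immediately before a chosen anchor line (the `include /etc/logrotate.d` line, or the `/var/log/dmesg` stanza) only when the directive is absent, and provides the verify check. The function names and the sample config are constructed for this example.

```shell
# Added example, not the project's configure script. Inserts "su root adm"
# immediately before the first line matching an anchor regex, only if the
# directive is not already present, and keeps the file's owner/mode.
# Usage: add_su_directive FILE ANCHOR_REGEX
SU_DIRECTIVE_RE='^[[:space:]]*su[[:space:]]+root[[:space:]]+adm([[:space:]]|$)'

add_su_directive() {
    file=$1
    anchor=$2
    # Already configured: nothing to do (safe to rerun at every configure).
    if grep -qE "$SU_DIRECTIVE_RE" "$file"; then
        return 0
    fi
    # Refuse to guess a position if the anchor line is missing.
    grep -qE "$anchor" "$file" || return 1
    tmp=$(mktemp) || return 1
    # awk emits the directive once, just before the first anchor match.
    if awk -v anchor="$anchor" '
            !done && $0 ~ anchor { print "su root adm"; done = 1 }
            { print }' "$file" > "$tmp" &&
       cat "$tmp" > "$file"; then   # cat, not mv: original owner/mode survive
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Verify check, as the PR adds: succeeds only if the directive is present.
verify_su_directive() {
    grep -qE "$SU_DIRECTIVE_RE" "$1"
}

# Constructed sample modelled on a stock Debian-style /etc/logrotate.conf;
# prints the path of a fresh temp copy so the live file is never touched.
demo_config() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# rotate log files weekly
weekly
rotate 4
create
# packages drop log rotation information into this directory
include /etc/logrotate.d
EOF
    printf '%s\n' "$tmp"
}
```

For the dmesg file the same function is called with the anchor `^/var/log/dmesg`; after touching a real config, `logrotate -d /etc/logrotate.conf` dry-runs the parse without rotating anything.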
@texasaggie97 texasaggie97 requested review from a team, AlexHearnNI and amstewart as code owners March 26, 2026 15:18
@amstewart amstewart merged commit 3d1aa8a into ni:master Mar 26, 2026
3 checks passed