0

I'm getting errors from cron like this:

/etc/cron.daily/logrotate: error: skipping "/var/log/apache2/access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

The /var/log/apache2 dir is owned by root and has gid adm, which I believe is the way it should be. The /etc/logrotate.d/apache2 is the default for the distribution and this specifies create 640 root adm too.

So should I add su root adm to the logrotate file? And if I need to do this why is it not in the package maintained version?

Or is there something else awry?

EDIT as requested:

ls /var/log/apache2/ -ld
drwxrwx--- 6 root adm 24576 Nov 14 01:55 /var/log/apache2/
artfulrobot
  • 2,949
  • 13
  • 36
  • 60
  • Please show the permissions of the /var/log/apache2/ directory as well as /var/log/apache2/access.log. – aseq Oct 22 '13 at 19:30

1 Answers1

1

You should set /var/log/apache2/ as non-group-writeable. This would stop apache creating files in this dir, but this is OK if they already exist.

$ chmod g-w /var/log/apache2

(I'm still not sure that's right - what when a new virtual host is set up with new logfiles?)

artfulrobot
  • 2,949
  • 13
  • 36
  • 60