Forum GLPI-Project

doesntMatter

Member

Registered: 2016-07-06

Posts: 108

GLPI logrotate changes owner of file.

Hello,

after enabling the lograte of glpi the owner of the php-errors.log is changing to root indeed staying as follwoing:

-rw-r--r-- 1 www-data www-data  5461454 Mär  7 16:20 php-errors.log

Because of this glpi cant write into the logfile which leads to some problems like blank pages and so on...

Crontab is having following configuration:

*/1 *    * * * www-data         /usr/bin/php /var/www/glpi/front/cron.php

Does anybode having an Idea whats the problem and why this is happening?

Last edited by doesntMatter (2023-03-07 17:27:51)

doesntMatter

Member

Registered: 2016-07-06

Posts: 108

Re: GLPI logrotate changes owner of file.

bump

cconard96

Moderator

Registered: 2018-07-31

Posts: 2,813

Website

Re: GLPI logrotate changes owner of file.

You may be able to use a package like "auditd" to watch for permission changes on the file to determine what is changing the ownership.
auditctl -w /var/www/glpi/files/_log/php-errors.log -p a
That command would add a watcher for the log file and filter it to watch only attribute changes like ownership or permissions.
You can check the audit log (/var/log/audit/audit.log) then for information on what was changing it.

The watch can then be removed using the same command, but with an uppercase "W" flag (The rest of the command must match exactly).
auditctl -W /var/www/glpi/files/_log/php-errors.log -p a

Last edited by cconard96 (2023-03-09 14:21:37)

---

GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.
Mes commentaires non anglais sont des traductions automatiques. Désolé pour toute confusion qui cause.
Mis comentarios que no están en inglés son traducciones automáticas. Perdón por cualquier confusión que cause.

doesntMatter

Member

Registered: 2016-07-06

Posts: 108

Re: GLPI logrotate changes owner of file.

You may be able to use a package like "auditd" to watch for permission changes on the file to determine what is changing the ownership.
auditctl -w /var/www/glpi/files/_log/php-errors.log -p a
That command would add a watcher for the log file and filter it to watch only attribute changes like ownership or permissions.
You can check the audit log (/var/log/audit/audit.log) then for information on what was changing it.

The watch can then be removed using the same command, but with an uppercase "W" flag (The rest of the command must match exactly).
auditctl -W /var/www/glpi/files/_log/php-errors.log -p a

great Idea, I will try.

doesntMatter

Member

Registered: 2016-07-06

Posts: 108

Re: GLPI logrotate changes owner of file.

You may be able to use a package like "auditd" to watch for permission changes on the file to determine what is changing the ownership.
auditctl -w /var/www/glpi/files/_log/php-errors.log -p a
That command would add a watcher for the log file and filter it to watch only attribute changes like ownership or permissions.
You can check the audit log (/var/log/audit/audit.log) then for information on what was changing it.

The watch can then be removed using the same command, but with an uppercase "W" flag (The rest of the command must match exactly).
auditctl -W /var/www/glpi/files/_log/php-errors.log -p a

great Idea, I will try.

Ok, there are some entries

...
acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
acct="www-data" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'

First Line seems to be the problem. My cronjob for the root is sudo vi /etc/crontab

*/1 *    * * * www-data         /usr/bin/php /var/www/glpi/front/cron.php

I don't see any problems. Does anybody have an Idea?

cconard96

Moderator

Registered: 2018-07-31

Posts: 2,813

Website

Re: GLPI logrotate changes owner of file.

That command is editing the system crontab.
Each user has its own.
Root: sudo crontab -e -u root

Although, it would make sense to just add the cron call into the www-data user's crontab so you don't need to worry about specifying the user inside the entry or wonder which user it really runs as.

---

GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.
Mes commentaires non anglais sont des traductions automatiques. Désolé pour toute confusion qui cause.
Mis comentarios que no están en inglés son traducciones automáticas. Perdón por cualquier confusión que cause.

doesntMatter

Member

Registered: 2016-07-06

Posts: 108

Re: GLPI logrotate changes owner of file.

That command is editing the system crontab.
Each user has its own.
Root: sudo crontab -e -u root

Although, it would make sense to just add the cron call into the www-data user's crontab so you don't need to worry about specifying the user inside the entry or wonder which user it really runs as.

*/5 * * * * /var/www/glpi/bin/console ldap:sync --ldap-server-id 1 -n 2>/dev/null

If i remembering correct this is needing root-rights?

cconard96

Moderator

Registered: 2018-07-31

Posts: 2,813

Website

Re: GLPI logrotate changes owner of file.

Nothing for GLPI should require root permissions. All commands being run through the GLPI console should be run as www-data (or whatever the web server runs as) to avoid permissions issues (like this).

---

GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.
Mes commentaires non anglais sont des traductions automatiques. Désolé pour toute confusion qui cause.
Mis comentarios que no están en inglés son traducciones automáticas. Perdón por cualquier confusión que cause.

doesntMatter

Member

Registered: 2016-07-06

Posts: 108

Re: GLPI logrotate changes owner of file.

Nothing for GLPI should require root permissions. All commands being run through the GLPI console should be run as www-data (or whatever the web server runs as) to avoid permissions issues (like this).

confirmed, thank you.