Permission denied when logrotating dovecot.log

Richard inbound-dovecot at listmail.innovate.net
Sun Mar 19 04:40:47 EET 2017



> Date: Sunday, March 19, 2017 15:28:35 +1300
> From: Michael Heuberger <michael.heuberger at binarykitchen.com>
>
> On 19/03/17 15:12, Richard wrote:
>> 
>>> Date: Sunday, March 19, 2017 14:56:01 +1300
>>> From: Michael Heuberger <michael.heuberger at binarykitchen.com>
>>> 
>>> On 19/03/17 13:43, Richard wrote:
>>>>> Date: Sunday, March 19, 2017 13:32:57 +1300
>>>>> From: Michael Heuberger <michael.heuberger at binarykitchen.com>
>>>>> 
>>>>> Hello guys
>>>>> 
>>>>> Having headaches here how to make logrotation for dovecot log
>>>>> files work. Having permission issues:
>>>>> 
>>>>> michael.heuberger at xxx /e/l/daily ❯❯❯ sudo logrotate -fv dovecot.daily
>>>>> reading config file dovecot.daily
>>>>> 
>>>>> Handling 1 logs
>>>>> 
>>>>> rotating pattern: /var/log/dovecot*.log  forced from command
>>>>> line (10 rotations)
>>>>> empty log files are rotated, old logs are removed
>>>>> considering log /var/log/dovecot.log
>>>>> error: skipping "/var/log/dovecot.log" because parent directory
>>>>> has insecure permissions (It's world writable or writable by
>>>>> group which is not "root") Set "su" directive in config file to
>>>>> tell logrotate which user/group should be used for rotation.
>>>>> 
>>>>> This is my current logrotation conf for dovecot:
>>>>> 
>>>>> /var/log/dovecot*.log {
>>>>>         rotate 10
>>>>>         missingok
>>>>>         sharedscripts
>>>>>         postrotate
>>>>>             doveadm log reopen
>>>>>         endscript
>>>>> }
>>>>> 
>>>>> And the /var/log folder has these permissions:
>>>>> 
>>>>> drwxrwxr-x 12 root     syslog   4.0K Mar 19 12:43 log
>>>>> 
>>>>> Any clues what's wrong?
>>>> As the message says:
>>>> 
>>>>   > because parent directory has insecure permissions
>>>>   > (It's world writable or writable by group which
>>>>   > is not "root") 
>>>> 
>>>>   > drwxrwxr-x 12 root syslog   4.0K Mar 19 12:43 log
>>>> 
>>>> On my RHEL derived systems, /var/log is root.root (and even then,
>>>> is not writable by group).
>>> Thank you. And what user/group/file perms does your dovecot.log
>>> file have?
>>> 
>>> - Michael
>>> 
>>> 
>> I log dovecot via syslog to [/var/log/]maillog, rather than its own
>> log file. That file is owned root.root and has permissions of 600.

> Well, I tried the same but it didn't work.
> 
> Setting my dovecot.log to 600 with root:root is breaking my mail
> system. I am then unable to receive and open emails.
> 
> Had to apply an ugly hack
> 
> /var/log/dovecot*.log {
>         su syslog syslog
>         create 666 syslog syslog
>         rotate 10
>         ...
> }
> 
> Like that anyone who wants to access/write to it, can do it and all
> works.
> 
> That's my problem. Do not know who/what/how to set this up
> correctly.
> 
> - Michael
> 

I would be inclined to just log dovecot to the syslog mail facility,
which I believe is the default (in 10-logging.conf) -- in the RHEL
setup anyway, and what I do:

   log_path = syslog

   syslog_facility = mail
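
The parent-directory rule quoted in the logrotate error above, together with a check for the world-writable file mode that `create 666` produces, written as an added example that is not part of the thread. GNU `stat` is assumed, and the function names are hypothetical helpers.

```shell
#!/bin/sh
# Added example (not from the thread): applies the rule stated in logrotate's
# error message to an octal mode and a numeric gid.

# dir_verdict MODE GID
# Prints "world-writable", "group-writable" or "ok".
dir_verdict() {
    dv_mode=$(( 0$1 ))                  # leading 0 makes the shell read octal
    if [ $(( $dv_mode & 0002 )) -ne 0 ]; then
        echo "world-writable"
    elif [ $(( $dv_mode & 0020 )) -ne 0 ] && [ "$2" -ne 0 ]; then
        echo "group-writable"           # writable by a group other than root
    else
        echo "ok"
    fi
}

# file_verdict MODE
# Flags a log file that any local user can write to (e.g. mode 666).
file_verdict() {
    fv_mode=$(( 0$1 ))
    if [ $(( $fv_mode & 0002 )) -ne 0 ]; then
        echo "world-writable"
    else
        echo "ok"
    fi
}

# audit_log PATH
# Reports on the log file (if present) and on its parent directory.
audit_log() {
    al_dir=$(dirname -- "$1")
    al_dmode=$(stat -c '%a' -- "$al_dir") || return 2
    al_dgid=$(stat -c '%g' -- "$al_dir") || return 2
    echo "$al_dir: $(dir_verdict "$al_dmode" "$al_dgid")"
    if [ -e "$1" ]; then
        echo "$1: $(file_verdict "$(stat -c '%a' -- "$1")")"
    fi
}

# Audit a path when one is given on the command line,
# e.g. sh audit.sh /var/log/dovecot.log
if [ $# -gt 0 ]; then
    audit_log "$1"
fi
```

For the `drwxrwxr-x root syslog` listing in the thread, `dir_verdict 775 <syslog gid>` prints `group-writable`, which matches the condition logrotate reported.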