logrotate / logrotate

The logrotate utility is designed to simplify the administration of log files on a system which generates a lot of log files.
GNU General Public License v2.0

Cannot find logrotate UID in passwd file with container #463

Closed MarsLenug closed 2 years ago

MarsLenug commented 2 years ago

Hi everyone,

Shouldn't it be allowed to set the user by numeric uid/gid in a container? When I executed the command

logrotate -f -s /etc/nginx/cron/logrotate.state /etc/nginx/cron/logrotate

error:

error: Cannot find logrotate UID (1001) in passwd file: Success

images dockerfile:

FROM debian:bullseye-slim
...
RUN set -ex \
  && apt update \
  && apt install -y --no-install-suggests --no-install-recommends \
              busybox logrotate cron \
  && rm -rf /tmp/packages \
  && rm -rf /var/lib/apt/lists/
...

docker-compose:

version: '3'
services:   # added: the file as posted had nginx: indented directly under version:, which is not valid compose YAML
  nginx:
    container_name: nginx-logrotate
    user: 1001:1001
    ports:
      - 80:8080
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./nginx/conf:/etc/nginx/conf:ro
      - ./nginx/cron:/etc/nginx/cron
      - ./nginx/log:/var/log/nginx
    restart: unless-stopped

host bash

[docker@localhost ~]$ whoami
docker
[docker@localhost ~]$ id
uid=1001(docker) gid=1001(docker) groups=1001(docker) 

container bash

I have no name!@86ea55588bc8:/$ whoami
whoami: cannot find name for user ID 1001

I have no name!@86ea55588bc8:/$ id
uid=1001 gid=1001 groups=1001

I have no name!@86ea55588bc8:/$ ls -l /etc/nginx/cron
total 12
-rw-r--r--. 1 1001 1001 397 Sep  7 18:43 logrotate
-rw-r-----. 1 1001 1001  29 Sep  7 21:41 logrotate.state
-rw-rw-r--. 1 1001 1001  51 Sep  7 20:22 supercronic

I have no name!@86ea55588bc8:/$ logrotate -dv -s /etc/nginx/cron/logrotate.state /etc/nginx/cron/logrotate
WARNING: logrotate in debug mode does nothing except printing debug messages!  Consider using verbose mode (-v) instead if this is not what you want.

error: Cannot find logrotate UID (1001) in passwd file: Success
Reading state from file: /etc/nginx/cron/logrotate.state
Allocating hash table for state file, size 64 entries

Handling 0 logs

I have no name!@86ea55588bc8:/$ logrotate -f -s /etc/nginx/cron/logrotate.state /etc/nginx/cron/logrotate
error: Cannot find logrotate UID (1001) in passwd file: Success

container /etc/passwd

root@86ea55588bc8:/# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
nginx:x:101:101:nginx user,,,:/nonexistent:/bin/false

Can someone help me out?

MarsLenug commented 2 years ago

Similar with Alpine:

container bash:

[docker@localhost ~]$ docker exec -it nginx sh

/ $ id
uid=1001 gid=1001

/ $ whoami
whoami: unknown uid 1001

/ $ logrotate -d -s /etc/nginx/cron/logrotate.state /etc/nginx/cron/logrotate
WARNING: logrotate in debug mode does nothing except printing debug messages!  Consider using verbose mode (-v) instead if this is not what you want.

error: Cannot find logrotate UID (1001) in passwd file: No such file or directory
Reading state from file: /etc/nginx/cron/logrotate.state
Allocating hash table for state file, size 64 entries

Handling 0 logs

/ $ logrotate -f -s /etc/nginx/cron/logrotate.state /etc/nginx/cron/logrotate
error: Cannot find logrotate UID (1001) in passwd file: No such file or directory

kdudka commented 2 years ago

The code that errors out when getpwuid(getuid()) fails has been there since 2011 (since commit fa839dc240a623479373332c7a0a171da34e8399). I believe that commit 808401ebd6371c295a815bfb556d9881963acfa9 made the call redundant unless logrotate runs with UID 0, which is apparently not your case.

@cgzones Any objection to removing the code in question?

--- a/config.c
+++ b/config.c
@@ -1046,23 +1046,16 @@ static int readConfigFile(const char *configFile, struct logInfo *defConfig)
     if (!S_ISREG(sb_config.st_mode)) {
         message(MESS_DEBUG,
                 "Ignoring %s because it's not a regular file.\n",
                 configFile);
         close(fd);
         return 0;
     }

-    if (!getpwuid(getuid())) {
-        message(MESS_ERROR, "Cannot find logrotate UID (%d) in passwd file: %s\n",
-                getuid(), strerror(errno));
-        close(fd);
-        return 1;
-    }
-
     if (getuid() == ROOT_UID) {
         if ((sb_config.st_mode & 07533) != 0400) {
             message(MESS_WARN,
                     "Potentially dangerous mode on %s: 0%o\n",
                     configFile, (unsigned) (sb_config.st_mode & 07777));
         }

         if (sb_config.st_mode & 0022) {
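Review bot: Dropping the getpwuid(getuid()) check is consistent with the reporter's output, where a NULL return left errno untouched and the message ended in ": Success", so strerror(errno) was never a reliable diagnostic for an absent passwd entry. Before merging, confirm that nothing later in readConfigFile or the rotation path dereferences a passwd entry for the current UID, since non-root containers running as a numeric UID with no /etc/passwd line will now reach that code instead of failing here.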

cgzones commented 2 years ago

I do not see any reason to not remove that code.

kdudka commented 2 years ago

Perfect. I have submitted #464 to fix this.
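The lookup behaviour behind this report, as an added C example that is not logrotate's own code: getpwuid() returns NULL for a UID with no passwd entry without necessarily setting errno (hence the ": Success" suffix), so a missing entry should be treated as a normal condition and fall back to the numeric UID, the way `id` does in the reporter's container. The function names are assumptions for this example.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolve a UID to a printable name. A missing passwd entry is not an
   error here (unlike the removed logrotate check): fall back to the
   numeric UID. Returns 1 if a passwd entry was found, 0 if the numeric
   fallback was used. */
int uid_to_name(uid_t uid, char *out, size_t outlen)
{
    errno = 0;                         /* so we can tell "not found" from a real failure */
    struct passwd *pw = getpwuid(uid);
    if (pw != NULL) {
        snprintf(out, outlen, "%s", pw->pw_name);
        return 1;
    }
    /* errno is typically still 0 at this point, which is exactly why the
       old message printed "... in passwd file: Success". Do not report an
       absent entry through strerror(errno). */
    snprintf(out, outlen, "%lu", (unsigned long) uid);
    return 0;
}

/* Mirrors the logic that remains after the fix: only UID 0 needs the
   config-file permission checks; a non-root numeric UID simply proceeds. */
int config_mode_check_required(uid_t uid)
{
    return uid == 0;
}

int main(void)
{
    char name[64];
    uid_t me = getuid();
    int found = uid_to_name(me, name, sizeof name);
    printf("uid %lu -> %s (%s)\n", (unsigned long) me, name,
           found ? "passwd entry" : "numeric fallback");
    printf("mode check required: %d\n", config_mode_check_required(me));
    return 0;
}
```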