[SERVER-36251] change logfile permissions. Created: 24/Jul/18  Updated: 27/Oct/23  Resolved: 09/Aug/18

Status: Closed
Project: Core Server
Component/s: Admin, Logging
Affects Version/s: 3.6.5
Fix Version/s: None

Type: Question Priority: Major - P3
Reporter: bae eunmi Assignee: Nick Brewer
Resolution: Works as Designed Votes: 1
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

MongoDB shell version v3.6.5
git version: a20ecd3e3a174162052ff99913bc2ca9a839d618
allocator: tcmalloc
modules: none
build environment:
distarch: x86_64
target_arch: x86_64


Issue Links:
Related
is related to SERVER-69819 SELinux denial following log rotation Backlog
Participants:

 Description   

There are some questions about mongod permissions.

When you restart or start mongod, the permissions of the mongo log are 644.
However, when logrotate is run, the permissions of the mongod log change to 600.
I wonder why this is happening.

And I do not want to change the log permissions. I need 644.
So I want to know how to keep the permissions from changing.

 

===========================================

1. mongo --version
MongoDB shell version v3.6.5
git version: a20ecd3e3a174162052ff99913bc2ca9a839d618
allocator: tcmalloc
modules: none
build environment:
distarch: x86_64
target_arch: x86_64

 

2. lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 7.4.1708 (Core)
Release: 7.4.1708
Codename: Core

 

3. service mongod start (or service mongod restart )
 
total 1728
drwxr-xr-x 2 root root 290 Jul 24 17:14 .
drwxr-xr-x 8 root root 90 Jul 18 10:55 ..
-rw-r--r-- 1 root root 8656 Jul 24 17:14 mongod.log   <=== chmod : 644
-rw------- 1 root root 148090 Jul 19 10:00 mongod.log.2018-07-19T01-00-02
-rw------- 1 root root 119319 Jul 20 10:00 mongod.log.2018-07-20T01-00-02
-rw------- 1 root root 113986 Jul 21 10:00 mongod.log.2018-07-21T01-00-02

 

admin> db.runCommand({ logRotate: 1 });

total 1732
drwxr-xr-x 2 root root 328 Jul 24 17:17 .
drwxr-xr-x 8 root root 90 Jul 18 10:55 ..
-rw------- 1 root root 2825 Jul 24 17:17 mongod.log    <=== chmod : 600
-rw------- 1 root root 148090 Jul 19 10:00 mongod.log.2018-07-19T01-00-02
-rw------- 1 root root 119319 Jul 20 10:00 mongod.log.2018-07-20T01-00-02
-rw------- 1 root root 113986 Jul 21 10:00 mongod.log.2018-07-21T01-00-02



 Comments   
Comment by bae eunmi [ 10/Aug/18 ]

I will apply it. nick.brewer, thank you!

Comment by Nick Brewer [ 09/Aug/18 ]

piook You can instruct MongoDB log rotation to honor the system umask via the honorSystemUmask server parameter. Note that this must be applied when the server is started.

-Nick
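
Added example, not part of the ticket or of MongoDB's own code: a shell check to run after `logRotate` that works out which mode the new log file should have and lists any log file that differs. The function names are hypothetical, and the block assumes that without `honorSystemUmask` new files get mode 600 (as in the listing above) and that with it they get 0666 masked by the process umask.

```shell
#!/bin/sh
# Added example. Enable the parameter at startup, either in mongod.conf:
#   setParameter:
#     honorSystemUmask: true
# or on the command line: mongod --setParameter honorSystemUmask=true

# Mode a newly created regular file gets under the given umask (octal, e.g. 022).
mode_under_umask() {
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

# Expected mode of a freshly rotated log file.
# usage: expected_log_mode <true|false: honorSystemUmask> <umask>
expected_log_mode() {
    if [ "$1" = "true" ]; then
        mode_under_umask "$2"
    else
        echo 600    # assumption: fixed mode when the parameter is off
    fi
}

# Print each mongod.log* file in <dir> whose mode is not <want>.
# Returns 1 if any file differs, 0 otherwise.
# usage: audit_log_modes <dir> <want>
audit_log_modes() (
    dir=$1 want=$2 rc=0
    for f in "$dir"/mongod.log*; do
        [ -f "$f" ] || continue
        # GNU stat first, BSD stat as a fallback
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        if [ "$mode" != "$want" ]; then
            echo "$f: mode $mode, expected $want"
            rc=1
        fi
    done
    exit "$rc"
)

# Typical call after db.runCommand({ logRotate: 1 }), with <log-dir> a placeholder:
#   audit_log_modes <log-dir> "$(expected_log_mode true 022)"
```

With a umask of 027 instead of 022 the expected mode becomes 640, which keeps the log readable by a log shipper running in the file's group.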

Comment by Nick Brewer [ 25/Jul/18 ]

I'm passing this along to our Platform team for additional investigation.

-Nick

Comment by lee mingyu [ 25/Jul/18 ]

I have the same problem, so I can't read the mongod log file (for example with td-agent, logstash and so on).

Comment by Nick Brewer [ 24/Jul/18 ]

Thanks for your report - so far I have been able to recreate this in my testing. I'm going to continue looking into it, and I should have more information for you soon.

Regards,
Nick

Generated at Thu Feb 08 04:42:32 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.