Logrotate Set File Permissions


If you have ever wondered why your log files randomly change permissions each night, logrotate could be up to its tricks. This is similar to the other article I published, Why is apache randomly restarting, which explains why logrotate could be causing apache to restart randomly.

Logrotate Set File Permissions

Each time logrotate runs its course, it will compress, rename and remove older files. Remember that a rename is essentially just a 'move' operation. This causes some of your log files to no longer exist (since they have been compressed and renamed). Luckily, logrotate will attempt to recreate these files and will set some permissions on them.

Post Rotate

Once the logs are rotated, logrotate will execute any commands set in the postrotate part of the script. For example, my logrotate apache config tells it to restart apache.
It restarts apache so apache can recreate any missing log files. The permissions that the newly created log files get are then determined by the config file for logrotate.

Example Logrotate Apache Config

/var/www/*/logs/*.log {
        rotate 52
        create 640 root adm
        postrotate
                /etc/init.d/apache2 reload > /dev/null
        endscript
}

Choosing The Log Permissions

Edit the logrotate apache file, which under Debian is usually found at:

vi /etc/logrotate.d/apache2

Inside this file, and in most logrotate config files, you will see an entry like this:

create 640 root adm

This tells logrotate to create any missing files with the permissions 640 (in standard Unix permission bits: read/write for the owner, read-only for the group, no access for anyone else), with root as the user and adm as the group.

Simple as that!
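An added example (not from the original article): a shell function that lists what each `create` directive in a logrotate config will apply and flags modes that leave the recreated log accessible to every local user. The `sample_config` contents, including the `/var/log/example` stanza, are constructed for illustration; the function also handles the shorter `create` forms, where omitted attributes are taken from the original log file.

```shell
#!/bin/sh
# Added example: audit the "create" directives in a logrotate config.
# sample_config prints a constructed config; the second stanza is deliberately weak.

sample_config() {
    cat <<'EOF'
/var/www/*/logs/*.log {
        rotate 52
        create 640 root adm
        postrotate
                /etc/init.d/apache2 reload > /dev/null
        endscript
}
/var/log/example/*.log {
        create 644 root root
}
EOF
}

audit_create() {
    # $1 = path to a logrotate config file
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        /[{][ \t]*$/ {                            # stanza header: "<patterns> {"
            sub(/[ \t]*[{][ \t]*$/, "")
            stanza = $0
            next
        }
        $1 == "create" {
            # Any of mode, owner and group may be omitted (inherited from the old file).
            mode = "inherit"; owner = "inherit"; group = "inherit"
            i = 2
            if ($i ~ /^[0-7]+$/) { mode = $i; i++ }
            if ($i != "") { owner = $i; i++ }
            if ($i != "") { group = $i }
            verdict = "ok"
            # The last octal digit is the permission set for "other".
            if (mode != "inherit" && substr(mode, length(mode), 1) != "0")
                verdict = "WORLD-ACCESSIBLE"
            printf "%s %s %s:%s %s\n", stanza, mode, owner, group, verdict
        }
    ' "$1"
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_create "$tmp"
rm -f "$tmp"
```

To check a real system, call `audit_create /etc/logrotate.d/apache2` instead of using the sample.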