logrotate with noexec /tmp
wangcm
2005-10-24, 06:18 PM
Recently, for security reasons, I turned off exec when mounting /tmp (OS: FC2, logrotate: v3.7), but I found that logrotate no longer behaves properly: the log files are moved, but the postrotate script fails to run. strace shows the following log.....

gettimeofday({1130145302, 166360}, NULL) = 0
getpid() = 1981
open("/tmp/logrotate.Uc83H1", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE, 0600) = 3
fchmod(3, 0700) = 0
write(3, "#!/bin/sh\n\n", 11) = 11
write(3, "\n\t\t/bin/kill -HUP `cat /var/run/"..., 78 = 78
close(3) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xf6ffab68) = 1982
--- SIGCHLD (Child exited) @ 0 (0) ---
wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 1982
unlink("/tmp/logrotate.Uc83H1") = 0
write(2, "error: ", 7error: ) = 7
write(2, "error running postrotate script\n", 32error running postrotate script
) = 32

It looks like logrotate dynamically generates a shell script under /tmp at runtime and then cannot execute it. Apart from not turning off exec on /tmp, is there any other good way to get logrotate running normally? :) :) ....
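As an added example (not part of the original post), the following POSIX sh script checks whether the directory a program writes its temporary scripts into sits on a noexec mount, and probes that directory the same way the strace above shows (write a script, chmod 700, exec it). It assumes a Linux /proc/self/mounts-style mount table; the function names are my own.

```shell
#!/bin/sh
# Added example: detect a noexec temp directory before it breaks a job
# such as logrotate's postrotate script. Assumes a Linux-style mount table
# (fields: source, mountpoint, fstype, options).

# Print the options of the longest mount point that is a prefix of $1,
# reading the mount table from $2 (default /proc/self/mounts). Later
# entries win over earlier ones for the same mount point.
mount_opts_for() {
    awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }
    ' "${2:-/proc/self/mounts}"
}

# Succeed (exit 0) if the directory $1 lies on a mount carrying "noexec".
is_noexec() {
    opts=$(mount_opts_for "$1" "$2")
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Probe $1 as logrotate does: create a script, chmod 700, run it.
# Prints the exit status; 126 means the kernel refused the exec
# (the symptom on a noexec mount), 0 means scripts run fine there.
probe_exec() {
    f=$(mktemp "$1/noexec-probe.XXXXXX") || return 1
    printf '#!/bin/sh\nexit 0\n' > "$f"
    chmod 700 "$f"
    "$f" 2>/dev/null && rc=0 || rc=$?
    rm -f "$f"
    echo "$rc"
}

dir=${TMPDIR:-/tmp}
if is_noexec "$dir"; then
    echo "$dir is mounted noexec; scripts written there will not run"
else
    echo "$dir allows exec (probe exit status: $(probe_exec "$dir"))"
fi
```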