Exim going down every day due to log permissions

[vandal]

Hello,

At some point during the day something is changing my /var/log/exim/mainlog and mainlog.1 so that's it owned by root and then exim breaks giving me:

from /var/log/exim/paniclog

2008-09-18 14:08:02 1KgOrC-000148-Ew Cannot open main log file "/var/log/exim/mainlog": Permission denied: euid=8 egid=12

Once I change it back to mail.mail (chown -R mail.mail) it works again but the log file permissions are still being changed everyday. It just started yesterday for the first time and it happened again today, both around the same times.

When it's broken the log files look like this:

[root@zeus (/var/log/exim)] # ls -al
drwxr-xr-x    2 mail     mail         4096 Sep 18 14:00 .
drwx--x--x   12 root     root         4096 Sep 18 14:00 ..
-rw-r--r--    1 root     root            0 Sep 18 14:00 mainlog
-rw-r--r--    1 root     root       516172 Sep 18 12:58 mainlog.1
-rw-r--r--    1 mail     mail            0 Sep 18 11:12 mainlog.2
-rw-r--r--    1 mail     mail      1131356 Sep 18 11:12 mainlog.3
-rw-r--r--    1 mail     mail      1401438 Sep 18 10:04 mainlog.4
.....etc

as you can see mainlog is owned by root but I have no idea why...thinking it could be logrotate doing something bad...but why start yesterday?

It also seems exim is running sometimes as root or sometimes as the mail user...is this normal behavior?

[root@zeus (/etc)] # ps aux | grep exim
mail     17011  0.0  0.1  6700 2060 ?        S    15:44   0:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
root     17768  0.0  0.0  6652 1908 ?        S    15:45   0:00 /usr/sbin/exim -q
root     17772  0.0  0.1 10204 3404 ?        S    15:45   0:00 /usr/sbin/exim -q
mail     17773  0.0  0.1 10204 3444 ?        S    15:45   0:00 /usr/sbin/exim -q
mail     17910  0.1  0.0  6672 1900 ?        S    15:45   0:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
root     17911  1.0  0.0  6656 1908 ?        S    15:45   0:00 /usr/sbin/exim -q

Another odd thing is in my /etc/group I have a postfix user beside my mail user:

mail:x:12:mail,postfix

Also have a postfix user in /etc/passwd this is all on a RHEL 3 box.

postfix:x:89:89::/var/spool/postfix:/sbin/nologin

Anyone have any ideas?

 

[chatwizrd]

What user has uid of 8 and what group has gid of 12

 

[vandal]

mail:x:8:12:mail:/var/spool/mail:/sbin/nologin

It appears mail does.

 

[chatwizrd]

That sucks. Not sure what would cause that. There must be a cron that does something to the config and then it doesnt chown it right. Maybe when it does the log rotation?

 

[vandal]

Yeah it's very strange. Can anyone post their

/etc/logrotate.d/exim

Thanks

 

[DirectAdmin Support]

[root@server logrotate.d]# cat exim
/var/log/exim/mainlog /var/log/exim/processlog /var/log/exim/rejectlog /var/log/exim/paniclog {
sharedscripts
}

Note that I don't believe the rotation recreates the logs.. it usually will just issue an HUP to exim (at most) or else when exim next creates a log, it will append to the non-existant file, thus it gets created.

Make sure that /var/log/exim is chowned to mail:mail in case the system's file permissions defaults inherit that of the directory the file is in.

John

 

[duzap]

Hello guys, I have the exactly same problem like this guy mentioned above.
my server is running on FreeBSD 7.1-PRERELEASE with Exim 4.69 that I installed through pkg_add from this link: http://files.directadmin.com/services/freebsd7.0/da_exim-4.69-2.tgz

Exim is always crash at some point in the day and I need to run 'chown -R mail:mail /var/log/exim/' to fix this problem, but then its chowned again to 'root'.
really weird and annoying problem, I hope that someone could find a fix.

 

[scsi]

Did you install exim any other way.

pkg_info | grep -i exim

 

[duzap]

# pkg_info | grep -i exim
exim-4.69-1         exim 4.69 mail server

and I was mistake, the ownership of /var/log/exim/ isn't changed to 'root', its changed to 'mailnull'

so its look like this:

# ls -al
total 5038
drwxr-xr-x  2 mail      mail     1024 Nov 22 00:00 .
drwxr-xr-x  6 root      wheel    1536 Nov 22 07:00 ..
-rw-r-----  1 mailnull  mail    49667 Nov 22 03:22 mainlog
-rw-r-----  1 mailnull  mail       85 Nov 22 00:00 mainlog.0.gz
-rw-r-----  1 mailnull  mail   407484 Nov 22 00:00 mainlog.1
-rw-r-----  1 mailnull  mail       83 Nov 21 00:00 mainlog.2.gz
-rw-r-----  1 mailnull  mail   384598 Nov 21 00:00 mainlog.3
-rw-r-----  1 mailnull  mail       85 Nov 20 00:00 mainlog.4.gz
-rw-r-----  1 mailnull  mail   252236 Nov 20 00:00 mainlog.5
-rw-r-----  1 mailnull  mail   179620 Nov 19 00:00 mainlog.6
-rw-r-----  1 mailnull  mail   239006 Nov 18 00:00 mainlog.7
-rw-------  1 mail      mail   403115 Nov 22 08:15 paniclog
-rw-------  1 mail      mail   401708 Nov 22 00:00 paniclog.0
-rw-------  1 mail      mail   560420 Nov 21 00:00 paniclog.1
-rw-------  1 mail      mail   566331 Nov 20 00:00 paniclog.2
-rw-------  1 mail      mail   613547 Nov 19 00:00 paniclog.3
-rw-------  1 mail      mail   831496 Nov 18 00:00 paniclog.4
-rw-r-----  1 mailnull  mail       57 Nov 22 00:00 rejectlog
-rw-r-----  1 mailnull  mail       87 Nov 22 00:00 rejectlog.0.gz
-rw-r-----  1 mailnull  mail      991 Nov 22 00:00 rejectlog.1
-rw-r-----  1 mailnull  mail       85 Nov 21 00:00 rejectlog.2.gz
-rw-r-----  1 mailnull  mail      291 Nov 21 00:00 rejectlog.3
-rw-r-----  1 mailnull  mail       87 Nov 20 00:00 rejectlog.4.gz
-rw-r-----  1 mailnull  mail      408 Nov 20 00:00 rejectlog.5
-rw-r-----  1 mailnull  mail      432 Nov 19 00:00 rejectlog.6
-rw-r-----  1 mailnull  mail      113 Nov 18 00:00 rejectlog.7
#

the exim always running as "mail"
mail 45848 0.0 0.1 7108 2720 ?? IsJ 8:22AM 0:00.01 /usr/sbin/exim



and yes, I tried to install exim in other ways before, so maybe I spoiled something :/


*edit*
I think I found the problem!
In the first time, I installed exim from this source: http://www.devco.net/pubwiki/FreeBSD/EximBasicInstall
And I added two lines to the /etc/newsyslog.conf file

/var/log/exim/mainlog   mailnull:mail 640 7 * @T00 ZN
/var/log/exim/rejectlog mailnull:mail 640 7 * @T00 ZN

So its seems that everything was coming from here, I removed these lines now, I am pretty sure that it caused the problem.

thanks you scsi, because your post I thought again what I did wrong BEFORE.