Ruby manages to fail opening a 644 file as read-only

Question

$ ruby -v
ruby 1.8.7 (2010-01-10 patchlevel 249) [x86_64-linux]

This is the important line on the script (/etc/munin/plugins/nginx_status_codes.rb:31):

File.open("/var/log/nginx/access.log", File::RDONLY).readlines.each do |line|

My access log has global read permissions:

$ ls -lha /var/log/nginx/access.log
-rw-r--r-- 1 www-data adm 49M May  1 15:56 /var/log/nginx/access.log

The script works if I run from the terminal as a regular user...

$ /etc/munin/plugins/nginx_status_codes > /dev/null && echo $?
0

...but it fails if ran by Munin (which runs as root):

2012/05/01-15:54:05 [3988]  /etc/munin/plugins/nginx_status_codes:31:in `initialize': Permission denied - /var/log/nginx/access.log (Errno::EACCES)
2012/05/01-15:54:05 [3988]      from /etc/munin/plugins/nginx_status_codes:31:in `open'
2012/05/01-15:54:05 [3988]      from /etc/munin/plugins/nginx_status_codes:31

It also fails if I set the file permissions to 777 or whatever. I'm thinking Ruby is just being stupid and reporting the wrong exception (Errno:EACCES) and masquerading the real issue. But what would it be?

UPDATE: Tried to "fix" it by having the script owned by root:root and even with sid/gid bits set it manages to fail with permission denied.

Answer 1

Nevermind. The problem was that logrotation was in place and it changed the log file permissions every now and then:

$ cat /etc/logrotate.d/nginx 
/var/log/nginx/*.log {
    daily
    missingok
    rotate 52
    compress
    delaycompress
    notifempty
    create 0640 www-data adm
    sharedscripts
    prerotate
        if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
            run-parts /etc/logrotate.d/httpd-prerotate; \
        fi; \
    endscript
    postrotate
        [ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
    endscript
}