From c42dc1e55aac5ef1c97b991bec7070de7684307c Mon Sep 17 00:00:00 2001
From: Julian Brost
Date: Tue, 19 Aug 2025 16:02:18 +0200
Subject: [PATCH] CMake: remove logrotate version detection

This was used to detect the presence of version 3.8.0 which introduced the "su" config option[^1]. It was releases in 2011, so I'd say it's time that we can just assume that it's supported. Additionally, this has a bit of a security impact as it defaults to not using the "su" option, which means that logrotate will do more than necessary as root. This happened with our packages as these were built without logrotate being installed, which caused the version detection to fail. Just assuming the new version here instead of adding it as a non-obvious build dependency should be the more robust fix.

[^1]: https://github.com/logrotate/logrotate/blob/r3-8-0/CHANGES#L6-L8
---
 CMakeLists.txt | 19 -------------------
 etc/logrotate.d/icinga2.cmake | 10 ++++++----
 2 files changed, 6 insertions(+), 23 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 1a087b8ed..59b86f8d0 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -153,25 +153,6 @@ if(WIN32)
 endif()
 endif()
 
-if(NOT DEFINED LOGROTATE_HAS_SU)
- set(LOGROTATE_HAS_SU OFF)
- find_program(LOGROTATE_BINARY logrotate)
- execute_process(COMMAND ${LOGROTATE_BINARY} ERROR_VARIABLE LOGROTATE_OUTPUT)
- if(LOGROTATE_OUTPUT)
- string(REGEX REPLACE "^logrotate ([0-9.]*).*" "\\1" LOGROTATE_VERSION
- ${LOGROTATE_OUTPUT})
- message(STATUS "Found logrotate (found version \"${LOGROTATE_VERSION}\")")
- if("${LOGROTATE_VERSION}" VERSION_GREATER "3.7.9")
- set(LOGROTATE_HAS_SU ON)
- endif()
- endif()
-endif()
-if(LOGROTATE_HAS_SU)
- set(LOGROTATE_USE_SU "\n\tsu ${ICINGA2_USER} ${ICINGA2_GROUP}")
-else()
- set(LOGROTATE_CREATE "\n\tcreate 644 ${ICINGA2_USER} ${ICINGA2_GROUP}")
-endif()
-
 find_package(Boost ${BOOST_MIN_VERSION} COMPONENTS coroutine context date_time filesystem iostreams thread program_options regex REQUIRED)
 
 # Boost.Coroutine2 (the successor of Boost.Coroutine)
diff --git a/etc/logrotate.d/icinga2.cmake b/etc/logrotate.d/icinga2.cmake
index f0a9e59ae..dc0294530 100644
--- a/etc/logrotate.d/icinga2.cmake
+++ b/etc/logrotate.d/icinga2.cmake
@@ -1,10 +1,11 @@
 @ICINGA2_LOGDIR@/icinga2.log @ICINGA2_LOGDIR@/debug.log {
 daily
- rotate 7@LOGROTATE_USE_SU@
+ rotate 7
+ su @ICINGA2_USER@ @ICINGA2_GROUP@
 compress
 delaycompress
 missingok
- notifempty@LOGROTATE_CREATE@
+ notifempty
 postrotate
 /bin/kill -USR1 $(cat @ICINGA2_INITRUNDIR@/icinga2.pid 2> /dev/null) 2> /dev/null || true
 endscript
@@ -12,10 +13,11 @@
 
 @ICINGA2_LOGDIR@/error.log {
 daily
- rotate 90@LOGROTATE_USE_SU@
+ rotate 90
+ su @ICINGA2_USER@ @ICINGA2_GROUP@
 compress
 delaycompress
 missingok
- notifempty@LOGROTATE_CREATE@
+ notifempty
 # TODO: figure out how to get Icinga to re-open this log file
 }
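Review bot: The `su @ICINGA2_USER@ @ICINGA2_GROUP@` line added in both hunks of etc/logrotate.d/icinga2.cmake (`@@ -1,10 +1,11 @@` and `@@ -12,10 +13,11 @@`) has no comment saying why it is there or that the template now requires logrotate 3.8.0 or newer. I would add one comment at the top of the template, for example `# "su" makes logrotate rotate these files as the Icinga user instead of root; requires logrotate >= 3.8.0.`, so a later cleanup does not drop the directive and return to root-owned file operations in a log directory the service user can presumably write to. The rendered line is only valid when both variables are non-empty at configure time; their defaults are not visible in this diff, so that is worth confirming. `LOGROTATE_HAS_SU` is no longer read after the CMakeLists.txt hunk, so a `-DLOGROTATE_HAS_SU=...` passed by packaging scripts, or described in documentation outside this diff, would now be silently ignored and should be cleaned up in the same change.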