Changing permissions of /var/log/messages - Ubuntu



Thread: Changing permissions of /var/log/messages

  1. Changing permissions of /var/log/messages

    My goal is to make /var/log/messages world readable so that my bigbrother
    application can read and report on this log file.

    I updated /etc/logrotate.conf and added the following snippet:

    /var/log/messages {
        create 0644 root adm
        rotate 5
        weekly
        postrotate
            /usr/bin/killall -HUP syslogd
        endscript
    }

    I see no entry in /etc/logrotate.d for syslogd so I am guessing that updating
    the conf file is OK.

    The initial state of the log file....

    -rw-r----- 1 root adm 2713857 2007-09-06 15:27 /var/log/messages

    Then I run logrotate()

    $ sudo /usr/sbin/logrotate --force /etc/logrotate.conf

    $ ls -al /var/log/messages
    -rw-r--r-- 1 root adm 300 2007-09-06 15:28 /var/log/messages

    Yet, when I look at the messages file this morning the permissions were reverted
    back to the day before

    -rw-r----- 1 root adm 2713857 2007-09-07 10:27 /var/log/messages

    What am I missing?

    -Tiz

  2. Re: Changing permissions of /var/log/messages

    On Fri, 07 Sep 2007, in the Usenet newsgroup alt.os.linux.ubuntu, in article
    <2WfEi.49176$Um6.7817@newssvr12.news.prodigy.net>, Tiz wrote:

    >My goal is to make /var/log/messages world readable so that my bigbrother
    >application can read and report on this log file.


    The usual solution is to have that application running with enough
    privilege or the "right" group so that it can have access to the file.

    >I updated /etc/logrotate.conf and added the following snippet:
    >
    >/var/log/messages {
    > create 0644 root adm


    OK but...

    >I see no entry in /etc/logrotate.d for syslogd so I am guessing that
    >updating the conf file is OK.


    Yes although it's normal for the logs to not be readable by everyone
    on the chance that there may be sensitive information (usernames or
    passwords for example).

    >The initial state of the log file....
    >
    > -rw-r----- 1 root adm 2713857 2007-09-06 15:27 /var/log/messages


    OK

    > $ ls -al /var/log/messages
    > -rw-r--r-- 1 root adm 300 2007-09-06 15:28 /var/log/messages


    Above - not the best idea.

    >Yet, when I look at the messages file this morning the permissions were
    >reverted back to the day before
    >
    > -rw-r----- 1 root adm 2713857 2007-09-07 10:27 /var/log/messages


    Yup

    >What am I missing?


    You've been hit with a security nanny - I don't know what it is, as I
    don't tolerate such things on my systems. There is a cron-job or
    perhaps a boot script that is resetting the permissions to "sane"
    values. You'd have to look through there to find the exact cause.

    The "NORMAL" solution for a problem like this would be to run your
    bigbrother application as 'user whoever:adm' which is to say the
    user as appropriate, and the group 'adm' which does have permission
    to _read_ the log file normally.

    I'd also find and shoot the security nanny, but I've been in this
    racket for a while.

    Old guy

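The reply above calls a 0644 /var/log/messages "not the best idea" and warns that logs tend to collect usernames and passwords. The following is an added example, not code from the thread: a small POSIX shell audit that lists every regular file under a directory whose "other" read bit is set, which is exactly the state `create 0644` produces and the state a sane-permissions job would later undo. The directory, file names and modes in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find log files readable by "other".
# A file is world-readable when the "other" read bit (octal 004) is set;
# find's "-perm -004" matches files that have at least that bit.

# Print every regular file under $1 that is readable by "other", sorted.
world_readable_files() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# Succeed (exit 0) only when nothing under $1 is world-readable, so the
# function can be used as a check in a cron job or a CI step.
assert_no_world_readable() {
    [ -z "$(world_readable_files "$1")" ]
}

# Self-contained demo on constructed files in a temporary directory:
# "messages" keeps the distribution default 0640 (root:adm readable),
# "syslog" has the 0644 mode the original poster's logrotate stanza creates.
demo() {
    d=$(mktemp -d)
    : > "$d/messages"; chmod 0640 "$d/messages"
    : > "$d/syslog";   chmod 0644 "$d/syslog"
    echo "world-readable under $d:"
    world_readable_files "$d"          # prints only $d/syslog
    if assert_no_world_readable "$d"; then
        echo "clean"
    else
        echo "at least one log is readable by everyone"
    fi
    rm -rf "$d"
}
```

Run it against a real log directory with `world_readable_files /var/log`, or drop `assert_no_world_readable /var/log` into a periodic job so that a mode drift like the one reported in this thread is noticed rather than silently corrected.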

  3. Re: Changing permissions of /var/log/messages

    Moe Trin wrote:
    > On Fri, 07 Sep 2007, in the Usenet newsgroup alt.os.linux.ubuntu, in article
    > <2WfEi.49176$Um6.7817@newssvr12.news.prodigy.net>, Tiz wrote:
    >
    >> My goal is to make /var/log/messages world readable so that my bigbrother
    >> application can read and report on this log file.

    >
    > The usual solution is to have that application running with enough
    > privilege or the "right" group so that it can have access to the file.
    >
    >> I updated /etc/logrotate.conf and added the following snippet:
    >>
    >> /var/log/messages {
    >> create 0644 root adm

    >
    > OK but...
    >
    >> I see no entry in /etc/logrotate.d for syslogd so I am guessing that
    >> updating the conf file is OK.

    >
    > Yes although it's normal for the logs to not be readable by everyone
    > on the chance that there may be sensitive information (usernames or
    > passwords for example).
    >
    >> The initial state of the log file....
    >>
    >> -rw-r----- 1 root adm 2713857 2007-09-06 15:27 /var/log/messages

    >
    > OK
    >
    >> $ ls -al /var/log/messages
    >> -rw-r--r-- 1 root adm 300 2007-09-06 15:28 /var/log/messages

    >
    > Above - not the best idea.
    >
    >> Yet, when I look at the messages file this morning the permissions were
    >> reverted back to the day before
    >>
    >> -rw-r----- 1 root adm 2713857 2007-09-07 10:27 /var/log/messages

    >
    > Yup
    >
    >> What am I missing?

    >
    > You've been hit with a security nanny - I don't know what it is, as I
    > don't tolerate such things on my systems. There is a cron-job or
    > perhaps a boot script that is resetting the permissions to "sane"
    > values. You'd have to look through there to find the exact cause.
    >
    > The "NORMAL" solution for a problem like this would be to run your
    > bigbrother application as 'user whoever:adm' which is to say the
    > user as appropriate, and the group 'adm' which does have permission
    > to _read_ the log file normally.
    >
    > I'd also find and shoot the security nanny, but I've been in this
    > racket for a while.
    >
    > Old guy
    >



    OK - thanks for the update.

    My workaround was to add the bb user to the adm group via the /etc/group file.
    Not ideal but it is working now.

    -Tiz


  4. Re: Changing permissions of /var/log/messages

    On Mon, 10 Sep 2007, in the Usenet newsgroup alt.os.linux.ubuntu, in article
    <0igFi.4260$FO2.1316@newssvr14.news.prodigy.net>, Tiz wrote:

    >Moe Trin wrote:


    >> Tiz wrote:


    >>> My goal is to make /var/log/messages world readable so that my bigbrother
    >>> application can read and report on this log file.

    >>
    >> The usual solution is to have that application running with enough
    >> privilege or the "right" group so that it can have access to the file.


    >>> What am I missing?


    >> You've been hit with a security nanny


    >My workaround was to add the bb user to the adm group via the
    >/etc/group file.
    > Not ideal but it is working now.


    Depends on what else the bb user is doing. As stated, the normal mode
    is to not let everyone see the logs, because long standing experience
    says there _will_ be sensitive information that winds up there,
    either normally, or through an accident.

    Find out what (if anything) else the 'adm' user has. This MAY be an
    acceptable tradeoff.

    find / -group adm -exec ls -dl {} \;

    On the systems I'm using, group 'adm' (an administrative group from
    long ago) actually owns nothing, and has no group executables. Thus,
    for me, this would be acceptable.

    Old guy
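The last reply says the adm-group workaround is acceptable only after checking what else that group grants, and gives `find / -group adm -exec ls -dl {} \;` as the way to look. The block below is an added example, not part of the thread, that turns that one-liner into three targeted questions a reviewer would ask before adding a service account to a group: what the group owns, what it can write, and which setgid executables would hand the group to anyone who runs them. The function names, and the temporary files in the demo, are constructed for this example; run the functions with the real group and path (`adm` and `/`) to audit a system.

```shell
#!/bin/sh
# Added example (not from the thread): audit what membership in a group
# actually grants, before adding a service account (such as "bb") to it.
# $1 is the group name, $2 the directory tree to search.

# Every regular file or directory under $2 owned by group $1, sorted.
group_owned() {
    find "$2" \( -type f -o -type d \) -group "$1" 2>/dev/null | sort
}

# Of those, only the entries the group may write (group write bit, octal 020).
# Membership would let the account alter these, not merely read them.
group_writable() {
    find "$2" \( -type f -o -type d \) -group "$1" -perm -020 2>/dev/null | sort
}

# Setgid executables owned by the group (setgid 2000 plus group execute 010).
# Running one of these acquires the group, so they widen the blast radius.
group_setgid_exec() {
    find "$2" -type f -group "$1" -perm -2010 2>/dev/null | sort
}

# Number of lines in a string, 0 for the empty string (wc -l alone prints 1
# for a single non-empty line and 0 for an empty pipe, so guard the empty case).
count_lines() {
    if [ -z "$1" ]; then
        echo 0
    else
        printf '%s\n' "$1" | wc -l | tr -d ' '
    fi
}

# Print a short summary for group $1 under $2, the way a reviewer would
# read it: a group that owns nothing writable and no setgid binaries is a
# low-cost tradeoff; anything in the last two lists needs a justification.
group_summary() {
    owned=$(group_owned "$1" "$2")
    writable=$(group_writable "$1" "$2")
    setgid=$(group_setgid_exec "$1" "$2")
    echo "group $1 under $2:"
    echo "  owned entries:      $(count_lines "$owned")"
    echo "  group-writable:     $(count_lines "$writable")"
    echo "  setgid executables: $(count_lines "$setgid")"
    [ -n "$writable" ] && printf '  writable: %s\n' "$writable"
    [ -n "$setgid" ]   && printf '  setgid:   %s\n' "$setgid"
    return 0
}
```

For the case in this thread the call is `group_summary adm /`; the original poster's tradeoff is reasonable when the group-writable and setgid lists come back empty, and worth revisiting if they do not.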
