[389-users] acl on logs, 389 strips effective rights mask.

William william at firstyear.id.au
Fri Feb 13 00:21:25 UTC 2015


Hi,

We have a log monitoring system that we are attempting to give access to,
so that it can read our dirsrv access, error, and audit logs. We have set
the default ACL on /var/log/dirsrv/slapd-inst/ to be:


# file: .
# owner: nobody
# group: nobody
user::rwx
user:splunk:r-x
group::rwx			#effective:r-x
mask::r-x
other::---
default:user::rwx
default:user:splunk:r-x
default:group::rwx		#effective:r-x
default:mask::r-x
default:other::---


When you touch a test file it correctly inherits the ACL:

# file: test
# owner: nobody
# group: nobody
user::rw-
user:splunk:r-x
group::rwx			#effective:r-x
mask::r-x
other::---

However, once 389 rotates the logs the permissions are incorrectly set
to:


# file: access
# owner: nobody
# group: nobody
user::rw-
user:splunk:r-x			#effective:---
group::rwx			#effective:---
mask::---
other::---


I.e., the effective rights mask is stripped.

I believe that there is something happening in the 389 log rotation
process that causes this to be stripped; I just can't identify what.
Any advice would be appreciated.

Sincerely,

-- 
William <william at firstyear.id.au>
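
Added example, not part of the original post: a Python check that parses getfacl output and applies the mask to each entry, so a post-rotation job can confirm the monitoring account still has effective read access. The function names are hypothetical; the two sample listings are the "test" and "access" listings from the post with whitespace normalized.

```python
# Added example: compute effective POSIX ACL rights from getfacl text.
# Function names are hypothetical; sample listings are taken from the post.

BEFORE = """# file: test
# owner: nobody
# group: nobody
user::rw-
user:splunk:r-x
group::rwx   #effective:r-x
mask::r-x
other::---
"""

AFTER = """# file: access
# owner: nobody
# group: nobody
user::rw-
user:splunk:r-x   #effective:---
group::rwx   #effective:---
mask::---
other::---
"""

def parse_acl(text):
    """Return {(tag, qualifier): perms} for the access entries of one listing."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and #effective notes
        if not line or line.startswith("default:"):
            continue  # default entries only apply to newly created files
        tag, qualifier, perms = line.split(":")
        entries[(tag, qualifier)] = perms
    return entries

def effective(entries, tag, qualifier=""):
    """Rights of one entry after the mask is applied (owner/other are unmasked)."""
    perms = entries[(tag, qualifier)]
    mask = entries.get(("mask", ""))
    masked = tag == "group" or (tag == "user" and qualifier != "")
    if not masked or mask is None:
        return perms
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def can_read(text, user):
    """True if the named user has an entry whose effective rights include read."""
    entries = parse_acl(text)
    return ("user", user) in entries and effective(entries, "user", user)[0] == "r"

if __name__ == "__main__":
    for name, listing in (("test", BEFORE), ("access", AFTER)):
        print(name, "splunk can read:", can_read(listing, "splunk"))
```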



