[389-users] acl on logs, 389 strips effective rights mask.
German Parente
gparente at redhat.com
Fri Feb 13 08:31:27 UTC 2015
Hi William,
the access mode for the rhds logs is set in these configuration settings under cn=config:
nsslapd-auditlog-mode
nsslapd-errorlog-mode
nsslapd-accesslog-mode
I don't know whether we could use a value to just inherit from acl defined.
Regards,
German
----- Original Message -----
> From: "William" <william at firstyear.id.au>
> To: "389-users" <389-users at lists.fedoraproject.org>
> Sent: Friday, February 13, 2015 1:21:25 AM
> Subject: [389-users] acl on logs, 389 strips effective rights mask.
>
> Hi,
>
> We have a log monitoring system that we are attempting to give access to
> be able to read our dirsrv access, error, and audit logs to. We have set
> the default ACL on /var/log/dirsrv/slapd-inst/ to be:
>
>
> # file: .
> # owner: nobody
> # group: nobody
> user::rwx
> user:splunk:r-x
> group::rwx #effective:r-x
> mask::r-x
> other::---
> default:user::rwx
> default:user:splunk:r-x
> default:group::rwx #effective:r-x
> default:mask::r-x
> default:other::---
>
>
> When you touch a test file it correctly inherits the ACL:
>
> # file: test
> # owner: nobody
> # group: nobody
> user::rw-
> user:splunk:r-x
> group::rwx #effective:r-x
> mask::r-x
> other::---
>
> However, once 389 rotates the logs the permissions are incorrectly set
> to:
>
>
> # file: access
> # owner: nobody
> # group: nobody
> user::rw-
> user:splunk:r-x #effective:---
> group::rwx #effective:---
> mask::---
> other::---
>
>
> IE the effective rights mask is stripped.
>
> I believe that there is something that is happening in the 389 log
> rotation process that causes this to be stripped, I just can't identify
> what. Any advice would be appreciated.
>
> Sincerely,
>
> --
> William <william at firstyear.id.au>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
More information about the 389-users
mailing list