Permissions on /var/log/ files

Rick Stevens ricks at alldigital.com
Wed Jul 17 18:08:05 UTC 2013


On 07/17/2013 08:36 AM, Reindl Harald issued this missive:
>
>
> Am 17.07.2013 16:46, schrieb Suvayu Ali:
>> On Wed, Jul 17, 2013 at 10:35:46PM +0800, Ed Greshko wrote:
>>> On 07/17/13 22:27, Timothy Murphy wrote:
>>>> Ed Greshko wrote:
>>>>> Heck, you could always make your sudo password less and you could always
>>>>> assign the frequently used commands aliases.
>>>> I guess my question should have been:
>>>> Will it cause any problems if I change the permissions on these files?
>>>> Is there any program that won't work if you do this,
>>>> as is true eg of some .ssh and pki files?
>>>>
>>> But why bother?  You can't be assured that some update or process won't go about changing them back on you.  Then, you'll be scratching your head again.
>>>
>>> Does the cron job to roll log files reset things?  Don't know...and I don't want to care.
>>>
>>> I prefer solutions that don't require changing things over which you don't or may not have absolute control.
>>
>> Your permission changes will be overwritten the moment a daemon sends a
>> message to syslog
>
> *no they are not*
> otherwise my /var/log/maillog on my workstation would not have 644

The correct thing to say is "if syslog(whatever) has to CREATE the file,
it will not have world-readable set. Once the file is created, syslog*
won't change the permissions." I can't speak to what logrotate will do
to them, however.

>> AFAIU, the reason the logs are owned by root is because it is written by
>> syslog (which runs as root).  The motivation I think is, the logs should
>> remain untampered if your system is compromised
>
> how does chmod 644 affect *write* permissions?

It is not who writes to it that sets the permissions and ownership,
it's who creates the file in the first place. It is created by a
root process (syslog-whatever) and most of them have 600 permissions
(rw-------). You can change it later if you so wish, but there are
security issues if you give them world-readable (xx4) permissions.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks at alldigital.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-      Do you know how to save five drowning lawyers?  No?  GOOD!    -
----------------------------------------------------------------------
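An added example, not part of the thread, of the point made above about creation versus writing: a shell script that creates a stand-in log file with a daemon-style umask, relaxes its mode, appends a constructed log line to it and recreates it, reporting the mode after each step. It assumes GNU or BSD `stat` and works only on a temporary file, never the real /var/log.

```shell
#!/bin/sh
# Added example: file mode is fixed at creation time and is not touched
# by later writers; only re-creation applies the creator's umask again.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/maillog"   # constructed stand-in for /var/log/maillog

# Print the octal mode; GNU stat first, BSD stat as a fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# A root daemon creating its log: umask 077 yields 600 (rw-------),
# which is what syslog-style daemons produce.
create_log() {
    ( umask 077; : > "$LOG" )
    mode_of "$LOG"
}

# The admin relaxing the mode afterwards, as discussed in the thread.
relax_log() {
    chmod 644 "$LOG"
    mode_of "$LOG"
}

# A later "syslog write": appending to an existing file leaves its
# mode exactly as it was, so 644 survives.
append_and_check() {
    printf 'Jul 17 18:08:05 host postfix/smtpd[1234]: constructed sample line\n' >> "$LOG"
    mode_of "$LOG"
}

# Re-creation (a daemon recreating the file, or logrotate without a
# matching 'create' directive) brings back the creator's 600.
recreate_and_check() {
    rm -f "$LOG"
    create_log
}

printf 'after create:   %s\n' "$(create_log)"
printf 'after chmod:    %s\n' "$(relax_log)"
printf 'after write:    %s\n' "$(append_and_check)"
printf 'after recreate: %s\n' "$(recreate_and_check)"
```

To keep a relaxed mode across rotations, logrotate's `create mode owner group` directive sets the new file's mode explicitly; without arguments it copies the rotated file's mode.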

