Permissions on /var/log/ files
Rick Stevens
ricks at alldigital.com
Wed Jul 17 18:08:05 UTC 2013
On 07/17/2013 08:36 AM, Reindl Harald issued this missive:
>
>
> Am 17.07.2013 16:46, schrieb Suvayu Ali:
>> On Wed, Jul 17, 2013 at 10:35:46PM +0800, Ed Greshko wrote:
>>> On 07/17/13 22:27, Timothy Murphy wrote:
>>>> Ed Greshko wrote:
>>>>> Heck, you could always make your sudo password less and you could always
>>>>> assign the frequently used commands aliases.
>>>> I guess my question should have been:
>>>> Will it cause any problems if I change the permissions on these files?
>>>> Is there any program that won't work if you do this,
>>>> as is true eg of some .ssh and pki files?
>>>>
>>> But why bother? You can't be assured that some update or process won't go about changing them back on you. Then, you'll be scratching your head again.
>>>
>>> Does the cron job to roll log files reset things? Don't know...and I don't want to care.
>>>
>>> I prefer solutions that don't require changing things over which you don't or may not have absolute control.
>>
>> Your permission changes will be overwritten the moment a daemon sends a
>> message to syslog
>
> *no they are not*
> otherwise my /var/log/maillog on my workstation would not have 644

The correct thing to say is "if syslog(whatever) has to CREATE the file,
it will not have world-readable set." Once the file is created, syslog*
won't change the permissions. I can't speak to what logrotate will do
to them, however.

>> AFAIU, the reason the logs are owned by root is because it is written by
>> syslog (which runs as root). The motivation I think is, the logs should
>> remain untampered if your system is compromised
>
> how does chmod 644 affect *write* permissions?

It is not who writes to it that sets the permissions and ownership,
it's who creates the file in the first place. It is created by a
root process (syslog-whatever) and most of them have 600 permissions
(rw-------). You can change it later if you so wish, but there are
security issues if you give them world-readable (xx4) permissions.

----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital ricks at alldigital.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- Do you know how to save five drowning lawyers? No? GOOD! -
----------------------------------------------------------------------
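
The point made in the reply above (mode bits are fixed when the file is created, not on each write), as an added example that is not part of the original post. It assumes GNU `stat`, works in a scratch directory rather than `/var/log`, and uses a hypothetical `writer_append` function with umask 077 as a stand-in for the logging daemon; rotation is modelled as a plain rename, which may differ from what logrotate is configured to do.

```shell
#!/bin/sh
# Added example: a log file's mode is decided at creation, not at write time.
# Everything happens in a temporary directory; no real log files are touched.

# Print the octal permission bits of a file (GNU stat syntax).
mode_of() { stat -c '%a' "$1"; }

# Hypothetical stand-in for a logging daemon: append one line using a
# restrictive umask. If the file does not exist, the shell creates it,
# and 0666 masked by 077 gives 0600. The subshell keeps the umask local.
writer_append() (
    umask 077
    printf '%s\n' "$2" >> "$1"
)

demo() {
    dir=$(mktemp -d) || return 1
    log="$dir/maillog"

    writer_append "$log" "first message"     # writer creates the file
    created=$(mode_of "$log")

    chmod 644 "$log"                         # admin makes it world-readable
    writer_append "$log" "second message"    # append to the existing file
    after_append=$(mode_of "$log")

    mv "$log" "$log.1"                       # simulated rotation by rename
    writer_append "$log" "third message"     # writer must create it again
    after_rotate=$(mode_of "$log")
    rotated_copy=$(mode_of "$log.1")

    rm -rf "$dir"
    # Order: at creation, after chmod + append, new file after rotation,
    # rotated copy.
    echo "$created $after_append $after_rotate $rotated_copy"
}

demo
```

The chmod survives appends, but the new file created after the rename gets the writer's default mode again, while the rotated copy keeps the loosened one.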