Permissions on /var/log/ files
Reindl Harald
h.reindl at thelounge.net
Wed Jul 17 18:18:15 UTC 2013
On 17.07.2013 20:08, Rick Stevens wrote:
> On 07/17/2013 08:36 AM, Reindl Harald issued this missive:
>> *no they are not*
>> otherwise my /var/log/maillog on my workstation would not have 644
>
> The correct thing to say is "if syslog(whatever) has to CREATE the file,
> it will not have world-readable set. Once the file is created, syslog*
> won't change the permissions
that's the detail
> I can't speak to what logrotate will do to them, however.
i did: "otherwise my /var/log/maillog on my workstation would not have 644"
this is "logrotated" - logrotate keeps the permissions/owner/group if
not specified like below (which is my own config piece)
/var/log/scriptlog {
    missingok
    notifempty
    size 30k
    create 0644 root root
}
take a look at the files in /etc/logrotate.d/ and you can see
what happens to every single file at rotate
>>> AFAIU, the reason the logs are owned by root is because it is written by
>>> syslog (which runs as root). The motivation I think is, the logs should
>>> remain untampered if your system is compromised
>>
>> how does chmod 644 affect *write* permissions?
>
> It is not who writes to it that sets the permissions and ownership,
> it's who creates the file in the first place
i referred to "logs should remain untampered if your system is compromised"
> It is created by a
> root process (syslog-whatever) and most of them have 600 permissions
> (rw-------). You can change it later if you so wish, but there are
> security issues if you give them world-readable (xx4) permissions
surely, but that is a different topic and depends on the use case of the machine
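As an added example (not part of this thread, and not code from either poster): a small POSIX shell audit that reads a logrotate config and reports the stanzas whose "create" directive would recreate the rotated log world-readable, while stanzas with no explicit mode are skipped because logrotate then keeps the old file's owner and permissions. The sample config and the function names are my own construction.

```shell
#!/bin/sh
# Added example: audit logrotate "create" directives for world-readable modes.
# Sample config below is constructed; function names are assumptions.

# Succeeds when an octal mode (e.g. 0644 or 644) grants "other" read access.
mode_is_world_readable() {
    case "$1" in
        *[4-7]) return 0 ;;
        *)      return 1 ;;
    esac
}

# Prints "<log path>:<mode>" for each "create MODE ..." directive in the
# given logrotate config whose MODE is world-readable. A stanza without an
# explicit create mode is skipped: logrotate keeps the old file's
# owner and permissions in that case.
audit_logrotate_conf() {
    awk '
        /^[[:space:]]*#/ { next }
        /[{]/ { sub(/[[:space:]]*[{].*$/, ""); logs = $0; next }
        /^[[:space:]]*create[[:space:]]+[0-7]+/ { print $2, logs }
        /[}]/ { logs = "" }
    ' "$1" | while read -r mode path; do
        if mode_is_world_readable "$mode"; then
            printf '%s:%s\n' "$path" "$mode"
        fi
    done
}

# Constructed sample config covering the three cases discussed above.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# recreated world-readable after rotation: flagged
/var/log/scriptlog {
    missingok
    create 0644 root root
}
# explicit 0600: not flagged
/var/log/secure {
    create 0600 root root
}
# no create mode: existing permissions are kept, so nothing to flag
/var/log/maillog {
    missingok
}
EOF

audit_logrotate_conf "$SAMPLE_CONF"
```

Run it against /etc/logrotate.d/* instead of the sample to see which of your own logs will come back world-readable after the next rotation.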