Bug#873062: /var/log/ulogd not accesible using sudo

[Chris Boot]

Control: tags -1 moreinfo

On 24/08/2017 08:44, Arturo Borrero Gonzalez wrote:
> Dear Maintainer,
> 
> the ulogd2 package creates /var/log/ulogd upon installation for logs to be
> there.
> 
> Problem is that with the default permissions, this directory is not available
> for users using 'sudo', i.e. this is not possible:
> 
>  % sudo tailf -f /var/log/ulogd/mylog.log
> 
> We should change user/group/permissions of this directory to easy system
> administration.
> Probably simply "chmod -R go+rx" is enough.

Hi Arturo,

The directory created by the ulogd2 package in Debian is /var/log/ulog,
rather than /var/log/ulogd. I will assume this is a typo on your bug
report rather than you using a different directory.

The sudo with tail should work just fine, but I assume the issue is you
can't see within the ulogd directory in order to tab-complete the file
names. Is my assumption correct?

Either way, my understanding is that the most efficient way to grant
users read access to log files is by adding them to the 'adm' group. You
will find the /var/log/ulog directory has 'adm' group ownership and r-x
group permissions, and files within should also be readable by the adm
group: the logrotate job rotates *.log and *.pcap in there and creates
empty files with adm group ownership and read privileges.

On my systems with a fairly stock ulogd.conf the permissions look like this:

drwxr-x--- 2 ulog adm4096 Aug 21 06:25 /var/log/ulog/
-rw-r- 1 ulog adm 2315797 Aug 24 08:56 /var/log/ulog/syslogemu.log

Is this not what you are seeing on your ulogd installations?

Regards,
Chris

-- 
Chris Boot
bo...@debian.org
GPG: 8467 53CB 1921 3142 C56D  C918 F5C8 3C05 D9CE 

Bug#873062: /var/log/ulogd not accesible using sudo

[Arturo Borrero Gonzalez]

On 24 August 2017 at 09:59, Chris Boot  wrote:
>
> The directory created by the ulogd2 package in Debian is /var/log/ulog,
> rather than /var/log/ulogd. I will assume this is a typo on your bug
> report rather than you using a different directory.

yes.

>
> The sudo with tail should work just fine, but I assume the issue is you
> can't see within the ulogd directory in order to tab-complete the file
> names. Is my assumption correct?
>

yes :-/

> Either way, my understanding is that the most efficient way to grant
> users read access to log files is by adding them to the 'adm' group. You
> will find the /var/log/ulog directory has 'adm' group ownership and r-x
> group permissions, and files within should also be readable by the adm
> group: the logrotate job rotates *.log and *.pcap in there and creates
> empty files with adm group ownership and read privileges.
>

Great, Chris. Fair enough, you are right :-)

Closing this bug now. Sorry for the noise.

Bug#873062:

[Arturo Borrero Gonzalez]

I think this is basically asking for the opposite of #846843 [0].
What is the point on disallowing root access using sudo?

[0] https://bugs.debian.org/846843

Bug#873062: /var/log/ulogd not accesible using sudo

[Arturo Borrero Gonzalez]

Package: ulogd2
Version: 2.0.5-5
Severity: normal

Dear Maintainer,

the ulogd2 package creates /var/log/ulogd upon installation for logs to be
there.

Problem is that with the default permissions, this directory is not available
for users using 'sudo', i.e. this is not possible:

 % sudo tailf -f /var/log/ulogd/mylog.log

We should change user/group/permissions of this directory to easy system
administration.
Probably simply "chmod -R go+rx" is enough.

I could try to patch this myself.