Re: Permissions on /var/log/ files

2013-07-17 Thread Matthew Miller
On Wed, Jul 17, 2013 at 06:59:06PM -0700, T.C. Hollingsworth wrote:
> What gotchas, out of curiosity?
> I've always done this with `usermod -aG group user`.  Would that also
> be affected?

That's fine too. -a didn't always exist, which made it painful, because you
had to get the current list and re-list them all.

*reads shadow-utils changelog*

Oh man. That's been there since 2005. Well, I guess I'm old. :)

-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Re: Permissions on /var/log/ files

2013-07-17 Thread T.C. Hollingsworth
On Wed, Jul 17, 2013 at 6:54 PM, Matthew Miller wrote:
> system-config-users seems to be still available. It's moderately
> user-friendly. From the command line, I think 'gpasswd groupname -a
> username' is the easiest. (You can use groupmod, but it's got some gotchas
> with behavior where gpasswd is straightforward despite the
> irrelevant-sounding name.)

What gotchas, out of curiosity?

I've always done this with `usermod -aG group user`.  Would that also
be affected?

-T.C.


Re: Permissions on /var/log/ files

2013-07-17 Thread Matthew Miller
On Thu, Jul 18, 2013 at 11:07:13AM +0930, Tim wrote:
> Allegedly, on or about 17 July 2013, Matthew Miller sent:
> > Type "groups" without your username to show your _current_ groups --
> > remember that adding yourself to a group doesn't take effect until you
> > start a new session. (E.g. by logging out and in again.) 
> Or opening a new terminal?

If the terminal starts a new login session, yes. They usually default to
_not_. You can type 'exec su $USER' and then your password at the prompt...
(I don't think bash -l will work.)

> Darned if I can see an easy way to add groups to a user, now.  The users
> control GUI doesn't have any options regarding groups.  Damn this
> dumbing down of Gnome.

system-config-users seems to be still available. It's moderately
user-friendly. From the command line, I think 'gpasswd groupname -a
username' is the easiest. (You can use groupmod, but it's got some gotchas
with behavior where gpasswd is straightforward despite the
irrelevant-sounding name.)


-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  


Re: Permissions on /var/log/ files

2013-07-17 Thread Tim
Allegedly, on or about 17 July 2013, Matthew Miller sent:
> Type "groups" without your username to show your _current_ groups --
> remember that adding yourself to a group doesn't take effect until you
> start a new session. (E.g. by logging out and in again.) 

Or opening a new terminal?

Darned if I can see an easy way to add groups to a user, now.  The users
control GUI doesn't have any options regarding groups.  Damn this
dumbing down of Gnome.


-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.9.8-100.fc17.x86_64 #1 SMP Thu Jun 27 19:19:57 UTC 2013 x86_64

All mail to my mailbox is automatically deleted, there is no point
trying to privately email me, I will only read messages posted to the
public lists.

George Orwell's '1984' was supposed to be a warning against tyranny, not
a set of instructions for supposedly democratic governments.





Re: Permissions on /var/log/ files

2013-07-17 Thread Reindl Harald


Am 17.07.2013 21:15, schrieb Joe Zeff:
> On 07/17/2013 11:18 AM, Reindl Harald wrote:
>> i did: "otherwise my /var/log/maillog on my workstation would not have 644"
>> this is "logrotaded" - logrotate keeps the permissions/owner/group if
>> not specified like below (which is my own config-piece)
>>
>> /var/log/scriptlog {
>>  missingok
>>  notifempty
>>  size 30k
>>  create 0644 root root
>> }
> 
> I'm the only person who ever uses my laptop.  If I wanted, then, I could use 
> this to make /var/log/messages world
> readable for convenience.  No, I'm not going to do it because unless I do it 
> to all of my machines it's too
> confusing to remember which ones I've done it to and which I haven't, and I 
> don't think it's a good idea in
> general.  (If nothing else, needing root access to read that file reminds you 
> that what you're doing is "admin
> stuff," not normal user things.)

this is a very very bad reminder because you do not
all day long "cat /var/log/messages"

PS1="\[\033[1;31m\][\u@\h:\w]$\[\033[0m\]"
in your /root/.bashrc leading to a red prompt is a much better one





Re: Permissions on /var/log/ files

2013-07-17 Thread Patrick O'Callaghan
On Wed, 2013-07-17 at 23:04 +0200, Suvayu Ali wrote:
> PS: I guess I'm not thinking straight today.  This thread has plenty
> of evidence to that. :-/

"Even Homer nods" (no, not *that* Homer :-)

poc



Re: Permissions on /var/log/ files

2013-07-17 Thread Suvayu Ali
On Wed, Jul 17, 2013 at 09:59:00PM +0100, Patrick O'Callaghan wrote:
> On Wed, 2013-07-17 at 16:18 +0200, Suvayu Ali wrote:
> > On Wed, Jul 17, 2013 at 03:59:35PM +0200, Timothy Murphy wrote:
> > > I'm tired of saying "sudo less /var/log/maillog" or "messages".
> > 
> > For /var/log/messages you could use `dmesg -T | less +G' instead.
> > 
> > Hope this helps,
> 
> That's not quite the same thing, at least on my system.

Yes you are right.  It shows only hardware events I think.


PS: I guess I'm not thinking straight today.  This thread has plenty of
evidence to that. :-/

-- 
Suvayu

Open source is the future. It sets us free.


Re: Permissions on /var/log/ files

2013-07-17 Thread Patrick O'Callaghan
On Wed, 2013-07-17 at 16:18 +0200, Suvayu Ali wrote:
> On Wed, Jul 17, 2013 at 03:59:35PM +0200, Timothy Murphy wrote:
> > I'm tired of saying "sudo less /var/log/maillog" or "messages".
> 
> For /var/log/messages you could use `dmesg -T | less +G' instead.
> 
> Hope this helps,

That's not quite the same thing, at least on my system.

poc



Re: Permissions on /var/log/ files

2013-07-17 Thread Suvayu Ali
On Wed, Jul 17, 2013 at 12:57:02PM -0400, Matthew Miller wrote:
> On Wed, Jul 17, 2013 at 06:02:47PM +0200, Suvayu Ali wrote:
> > > Note that if you're using the systemd journal (and you are, in recent
> > > Fedora, including persistent logging to disk with F19), adding yourself to
> > > the 'systemd-journal' group will allow you to see system logs with
> > > 'journalctl'.
> > This doesn't seem to work.
> >   $ journalctl 
> >   Unprivileged users cannot access messages, unless persistent log storage 
> > is
> >   enabled. Users in the 'systemd-journal' group may always access messages.
> >   $ groups jallad
> >   jallad : jallad mock systemd-journal
> >   $ whoami
> >   jallad
> > Any thoughts?
> 
> Type "groups" without your username to show your _current_ groups --
> remember that adding yourself to a group doesn't take effect until you start
> a new session. (E.g. by logging out and in again.)

That must be it.  I did not relogin after adding myself to the group.  I
have lots of important sessions that I do not want to close now.
However I tried this on my server, everything works after relogin.

Thanks!

-- 
Suvayu

Open source is the future. It sets us free.


Re: Permissions on /var/log/ files

2013-07-17 Thread Joe Zeff

On 07/17/2013 12:24 PM, Reindl Harald wrote:
> Am 17.07.2013 21:15, schrieb Joe Zeff:
>> I'm the only person who ever uses my laptop.  If I wanted, then, I could use
>> this to make /var/log/messages world readable for convenience.  No, I'm not
>> going to do it because unless I do it to all of my machines it's too
>> confusing to remember which ones I've done it to and which I haven't, and I
>> don't think it's a good idea in general.  (If nothing else, needing root
>> access to read that file reminds you that what you're doing is "admin
>> stuff," not normal user things.)
>
> this is a very very bad reminder because you do not
> all day long "cat /var/log/messages"


Of course.  As long as all goes well, I have no reason to look at it, on 
any computer, and that's another reason I'm not planning on doing it.


BTW, I got this as a CC of the reply you sent to the list.  I'm adding 
the list itself as a recipient of my reply so that I don't have to 
remember to reply again when this shows up on the list.



Re: Permissions on /var/log/ files

2013-07-17 Thread Joe Zeff

On 07/17/2013 11:18 AM, Reindl Harald wrote:
> i did: "otherwise my /var/log/maillog on my workstation would not have 644"
> this is "logrotaded" - logrotate keeps the permissions/owner/group if
> not specified like below (which is my own config-piece)
>
> /var/log/scriptlog {
>  missingok
>  notifempty
>  size 30k
>  create 0644 root root
> }


I'm the only person who ever uses my laptop.  If I wanted, then, I could 
use this to make /var/log/messages world readable for convenience.  No, 
I'm not going to do it because unless I do it to all of my machines it's 
too confusing to remember which ones I've done it to and which I 
haven't, and I don't think it's a good idea in general.  (If nothing 
else, needing root access to read that file reminds you that what you're 
doing is "admin stuff," not normal user things.)



Re: Permissions on /var/log/ files

2013-07-17 Thread Roger K. Wells

On 07/17/2013 10:29 AM, Chris Adams wrote:
> Once upon a time, Timothy Murphy  said:
>> Will it cause any problems if I change the permissions on these files?
>
> Nope, been doing it for years.

so have I.  Never been a surprise or problem

--
Roger Wells, P.E.
SAIC
221 Third St
Newport, RI 02840
401-847-4210 (voice)
401-849-1585 (fax)
roger.k.we...@saic.com



Re: Permissions on /var/log/ files

2013-07-17 Thread Reindl Harald


Am 17.07.2013 20:08, schrieb Rick Stevens:
> On 07/17/2013 08:36 AM, Reindl Harald issued this missive:
>> *no they are not*
>> otherwise my /var/log/maillog on my workstation would not have 644
> 
> The correct thing to say is "if syslog(whatever) has to CREATE the file,
> it will not have world-readable set. Once the file is created, syslog*
> won't change the permissions

that's the detail

> I can't speak to what logrotate will do to them, however.

i did: "otherwise my /var/log/maillog on my workstation would not have 644"
this is "logrotaded" - logrotate keeps the permissions/owner/group if
not specified like below (which is my own config-piece)

/var/log/scriptlog {
missingok
notifempty
size 30k
create 0644 root root
}

take a look at the files in /etc/logrotate.d/ and you can see
what happens to every single file at rotate

>>> AFAIU, the reason the logs are owned by root is because it is written by
>>> syslog (which runs as root).  The motivation I think is, the logs should
>>> remain untampered if your system is compromised
>>
>> how does chmod 644 affect *write* permissions?
> 
> It is not who writes to it that sets the permissions and ownership,
> it's who creates the file in the first place

i referred to "logs should remain untampered if your system is compromised"

> It is created by a
> root process (syslog-whatever) and most of them have 600 permissions
> (rw-------). You can change it later if you so wish, but there are
> security issues if you give them world-readable (xx4) permissions

surely, but that is a different topic and depends on the usecase of the machine





Re: Permissions on /var/log/ files

2013-07-17 Thread Rick Stevens

On 07/17/2013 08:36 AM, Reindl Harald issued this missive:
> Am 17.07.2013 16:46, schrieb Suvayu Ali:
>> On Wed, Jul 17, 2013 at 10:35:46PM +0800, Ed Greshko wrote:
>>> On 07/17/13 22:27, Timothy Murphy wrote:
>>>> Ed Greshko wrote:
>>>>> Heck, you could always make your sudo password less and you could always
>>>>> assign the frequently used commands aliases.
>>>> I guess my question should have been:
>>>> Will it cause any problems if I change the permissions on these files?
>>>> Is there any program that won't work if you do this,
>>>> as is true eg of some .ssh and pki files?
>>>
>>> But why bother?  You can't be assured that some update or process won't go
>>> about changing them back on you.  Then, you'll be scratching your head again.
>>>
>>> Does the cron job to roll log files reset things?  Don't know...and I don't
>>> want to care.
>>>
>>> I prefer solutions that don't require changing things over which you don't or
>>> may not have absolute control.
>>
>> Your permission changes will be overwritten the moment a daemon sends a
>> message to syslog
>
> *no they are not*
> otherwise my /var/log/maillog on my workstation would not have 644

The correct thing to say is "if syslog(whatever) has to CREATE the file,
it will not have world-readable set. Once the file is created, syslog*
won't change the permissions. I can't speak to what logrotate will do
to them, however.

>> AFAIU, the reason the logs are owned by root is because it is written by
>> syslog (which runs as root).  The motivation I think is, the logs should
>> remain untampered if your system is compromised
>
> how does chmod 644 affect *write* permissions?

It is not who writes to it that sets the permissions and ownership,
it's who creates the file in the first place. It is created by a
root process (syslog-whatever) and most of them have 600 permissions
(rw-------). You can change it later if you so wish, but there are
security issues if you give them world-readable (xx4) permissions.
--
- Rick Stevens, Systems Engineer, AllDigitalri...@alldigital.com -
- AIM/Skype: therps2ICQ: 22643734Yahoo: origrps2 -
--
-  Do you know how to save five drowning lawyers?  No?  GOOD!-
--


Re: Permissions on /var/log/ files

2013-07-17 Thread Reindl Harald


Am 17.07.2013 15:59, schrieb Timothy Murphy:
> I'm tired of saying "sudo less /var/log/maillog" or "messages".
> Is there any non-paranoiac reason for not making /var/log/ files
> readable say by wheel?

chown/chgrp/chmod exists

[harry@rh:~]$ ls /var/log/maillog
-rw-r--r-- 1 root root 7,1K 2013-07-17 10:05 /var/log/maillog





Re: Permissions on /var/log/ files

2013-07-17 Thread Reindl Harald


Am 17.07.2013 16:46, schrieb Suvayu Ali:
> On Wed, Jul 17, 2013 at 10:35:46PM +0800, Ed Greshko wrote:
>> On 07/17/13 22:27, Timothy Murphy wrote:
>>> Ed Greshko wrote:
 Heck, you could always make your sudo password less and you could always
 assign the frequently used commands aliases.
>>> I guess my question should have been:
>>> Will it cause any problems if I change the permissions on these files?
>>> Is there any program that won't work if you do this,
>>> as is true eg of some .ssh and pki files?
>>>
>> But why bother?  You can't be assured that some update or process won't go 
>> about changing them back on you.  Then, you'll be scratching your head 
>> again. 
>>
>> Does the cron job to roll log files reset things?  Don't know...and I don't 
>> want to care.
>>
>> I prefer solutions that don't require changing things over which you don't 
>> or may not have absolute control.
> 
> Your permission changes will be overwritten the moment a daemon sends a
> message to syslog

*no they are not*
otherwise my /var/log/maillog on my workstation would not have 644

> AFAIU, the reason the logs are owned by root is because it is written by
> syslog (which runs as root).  The motivation I think is, the logs should
> remain untampered if your system is compromised

how does chmod 644 affect *write* permissions?





Re: Permissions on /var/log/ files

2013-07-17 Thread Rick Stevens

On 07/17/2013 09:57 AM, Matthew Miller issued this missive:
> On Wed, Jul 17, 2013 at 09:44:41AM -0700, Rick Stevens wrote:
>> The reason the files are, by default, NOT world-readable is simply one
>> of security. Many programs (if using verbose logging) may expose
>> security-related items in plaintext in the log files (usernames,
>> passwords, GPG keys, etc.). Having the files readable by anyone allows
>> any lurker to find these things very easily. Many programs warn about
>> this issue in their man pages.
>
> Theoretically, such messages should use the authpriv facility and thus be
> put into /var/log/secure.


I concur, but many, MANY programs just log to syslogd and that's where
the gotchas come from. To obviate those issues, non-world-readable is
a rather simplistic but somewhat effective "fix".
--
- Rick Stevens, Systems Engineer, AllDigitalri...@alldigital.com -
- AIM/Skype: therps2ICQ: 22643734Yahoo: origrps2 -
--
- If at first you don't succeed, quit. No sense being a damned fool! -
--


Re: Permissions on /var/log/ files

2013-07-17 Thread Matthew Miller
On Wed, Jul 17, 2013 at 09:44:41AM -0700, Rick Stevens wrote:
> The reason the files are, by default, NOT world-readable is simply one
> of security. Many programs (if using verbose logging) may expose
> security-related items in plaintext in the log files (usernames,
> passwords, GPG keys, etc.). Having the files readable by anyone allows
> any lurker to find these things very easily. Many programs warn about
> this issue in their man pages.

Theoretically, such messages should use the authpriv facility and thus be
put into /var/log/secure.

-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  


Re: Permissions on /var/log/ files

2013-07-17 Thread Matthew Miller
On Wed, Jul 17, 2013 at 06:02:47PM +0200, Suvayu Ali wrote:
> > Note that if you're using the systemd journal (and you are, in recent
> > Fedora, including persistent logging to disk with F19), adding yourself to
> > the 'systemd-journal' group will allow you to see system logs with
> > 'journalctl'.
> This doesn't seem to work.
>   $ journalctl 
>   Unprivileged users cannot access messages, unless persistent log storage is
>   enabled. Users in the 'systemd-journal' group may always access messages.
>   $ groups jallad
>   jallad : jallad mock systemd-journal
>   $ whoami
>   jallad
> Any thoughts?

Type "groups" without your username to show your _current_ groups --
remember that adding yourself to a group doesn't take effect until you start
a new session. (E.g. by logging out and in again.)

-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  

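The exchange above (Suvayu's `groups jallad` showing systemd-journal while `journalctl` still refused him, and Matthew's point that only a new session picks the group up) comes down to two different questions: is the user listed in the group database, and does the running process actually carry that group. The script below is an added example, not code from the thread or from Fedora; it reads the group database from a file in /etc/group format so it runs offline (on a live system use `getent group GROUP` instead so NSS sources are consulted), and the sample database is constructed to mirror the `groups jallad` output quoted above.

```sh
#!/bin/sh
# Added example, not from the thread: tell "user is listed in the group
# database" apart from "the *current session* carries that group", which is the
# difference between `groups jallad` and plain `groups` / `id -nG`.
#
# Assumptions (mine): the group database is a file in /etc/group format passed
# as an argument; on a real box replace the file lookup with `getent group`.

# user_in_group_db GROUPFILE USER GROUP
#   Exit 0 if USER appears in GROUP's member list in GROUPFILE, else 1.
#   Only supplementary membership is checked: a user whose primary GID in
#   /etc/passwd is GROUP would not show up here.
user_in_group_db() {
    awk -F: -v user="$2" -v group="$3" '
        $1 == group {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] == user) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# session_has_group GROUP
#   Exit 0 if GROUP is among the groups of the running shell, i.e. what
#   `id -nG` (and `groups` with no argument) report for this process, else 1.
session_has_group() {
    for g in $(id -nG); do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# group_state GROUPFILE USER GROUP  -> prints one word:
#   active           this session already carries GROUP
#   pending-relogin  GROUP is in the database but not in this session
#                    (added after login; log in again, or `exec su $USER`)
#   not-a-member     neither
# USER should be the user running the shell, since the session check can only
# look at the current process.
group_state() {
    if session_has_group "$3"; then
        echo active
    elif user_in_group_db "$1" "$2" "$3"; then
        echo pending-relogin
    else
        echo not-a-member
    fi
}

# Constructed sample database modelled on the `groups jallad` output above.
demo_group_state() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
root:x:0:
wheel:x:10:
mock:x:135:jallad
systemd-journal:x:190:jallad
jallad:x:1000:
EOF
    printf 'systemd-journal in db: %s\n' "$(user_in_group_db "$tmp" jallad systemd-journal && echo yes || echo no)"
    printf 'wheel in db:           %s\n' "$(user_in_group_db "$tmp" jallad wheel && echo yes || echo no)"
    printf 'state in this session: %s\n' "$(group_state "$tmp" jallad systemd-journal)"
    rm -f "$tmp"
}

demo_group_state
```

Run as the user in question; "pending-relogin" is exactly the state Suvayu was in. Note that `usermod -aG` and `gpasswd -a` both only change the database side, so the answer stays "pending-relogin" until a new login session (or `exec su $USER`, as Matthew suggests) is started.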

Re: Permissions on /var/log/ files

2013-07-17 Thread Rick Stevens

On 07/17/2013 06:59 AM, Timothy Murphy issued this missive:
> I'm tired of saying "sudo less /var/log/maillog" or "messages".
> Is there any non-paranoiac reason for not making /var/log/ files
> readable say by wheel?


The consensus seems to be that it's OK to change the permissions and I
agree. Making the files world-readable should be possible except in some
extreme cases.

The reason the files are, by default, NOT world-readable is simply one
of security. Many programs (if using verbose logging) may expose
security-related items in plaintext in the log files (usernames,
passwords, GPG keys, etc.). Having the files readable by anyone allows
any lurker to find these things very easily. Many programs warn about
this issue in their man pages.

For example, using "wget http://username:passw...@somesite.com" or
"wget --user=user --password=password http://somesite.com" may log that
to a logger program (e.g. if you have bash logging enabled) and the
credentials are blatantly obvious in a "ps" listing.

That's just my opinion. But then again, I run a PCI-compliant shop.
--
- Rick Stevens, Systems Engineer, AllDigitalri...@alldigital.com -
- AIM/Skype: therps2ICQ: 22643734Yahoo: origrps2 -
--
-   "The bogosity meter just pegged."-
--
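Before opening a log to wheel or to the world, it is worth checking whether it already contains the kind of material Rick describes. The script below is an added example of mine, not code from the thread: it greps a log for three common shapes of embedded credential (a `user:password@host` URL, a `--password=`-style argument, and curl's `-u user:password`) and masks the secret in its own output so the scan does not re-expose it. It is a heuristic, not proof that a log is clean; the sample syslog lines are constructed for the example and the names in them are invented.

```sh
#!/bin/sh
# Added example, not from the thread: scan a log for credentials that ended up
# in it verbatim, reporting the line with the secret masked.
#
# Assumptions (mine): three shapes are recognised, scheme://user:password@host,
# --password= / --passwd= / -pass= arguments, and "-u user:password" as curl
# takes it. A password on its own line or a base64 Authorization header is NOT
# caught, so a clean report does not mean a clean log.

# scan_for_credentials FILE
#   Prints "<line-number>:<line>" for every matching line, with the password
#   replaced by *** (the user name is kept so the finding can be traced).
scan_for_credentials() {
    grep -n -E -i \
        '([a-z][a-z0-9+.-]*://[^/[:space:]:@]+:[^@[:space:]]+@|--?pass(word|wd)?=[^[:space:]]+|-u[[:space:]]+[^[:space:]:]+:[^[:space:]]+)' \
        "$1" \
    | sed -E \
        -e 's#(://[^/[:space:]:@]+:)[^@[:space:]]+@#\1***@#g' \
        -e 's#(--?[Pp]ass(word|wd)?=)[^[:space:]]+#\1***#g' \
        -e 's#(-u[[:space:]]+[^[:space:]:]+:)[^[:space:]]+#\1***#g'
}

# Constructed sample lines in syslog style (invented for this example; the
# third line is a normal sshd message that must NOT be reported).
demo_scan_for_credentials() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
Jul 17 10:05:01 host bash[1234]: wget http://alice:hunter2@example.com/file.tar.gz
Jul 17 10:05:07 host bash[1234]: wget --user=alice --password=hunter2 http://example.com/file.tar.gz
Jul 17 10:05:09 host sshd[2001]: Accepted publickey for alice from 192.0.2.10 port 51514 ssh2
Jul 17 10:05:12 host curl[1300]: curl -u alice:hunter2 https://example.com/api
EOF
    scan_for_credentials "$tmp"
    rm -f "$tmp"
}

demo_scan_for_credentials
```

On a real system run `scan_for_credentials /var/log/messages` as root before relaxing the mode; if it reports anything, the fix is on the program or the shell-history/logging side, not on the permission bits, since the next rotation will write the same content into a new file with whatever mode you chose.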


Re: Permissions on /var/log/ files

2013-07-17 Thread Suvayu Ali
On Wed, Jul 17, 2013 at 11:21:20AM -0400, Matthew Miller wrote:
> 
> Note that if you're using the systemd journal (and you are, in recent
> Fedora, including persistent logging to disk with F19), adding yourself to
> the 'systemd-journal' group will allow you to see system logs with
> 'journalctl'.

This doesn't seem to work.

  $ journalctl 
  Unprivileged users cannot access messages, unless persistent log storage is
  enabled. Users in the 'systemd-journal' group may always access messages.
  $ groups jallad
  jallad : jallad mock systemd-journal
  $ whoami
  jallad

Any thoughts?

-- 
Suvayu

Open source is the future. It sets us free.


Re: Permissions on /var/log/ files

2013-07-17 Thread Steven Stern
On 07/17/2013 09:47 AM, Suvayu Ali wrote:
> On Wed, Jul 17, 2013 at 09:29:04AM -0500, Chris Adams wrote:
>> Once upon a time, Timothy Murphy  said:
>>> Will it cause any problems if I change the permissions on these files?
>>
>> Nope, been doing it for years.
> 
> I thought changing the permission on /var/log/messages will cause
> problems with syslog, no?
> 

I changed it to

-rw-r-----. 1 root wheel 3026870 Jul 17 10:27 /var/log/messages


We'll see what happens on Sunday morning.



-- 
-- Steve


Re: Permissions on /var/log/ files

2013-07-17 Thread Chris Adams
Once upon a time, Bryn M. Reeves  said:
> I'm trying to help Suvayu understand what he's getting confused over.
> Conflicts between logrotate and manual changes are certainly more likely
> than "something bad happened to syslog".

There are only a few logrotate.d config files that set permissions and
ownership, and they are mostly logs you aren't liable to be changing.
The normal syslog-written files, such as /var/log/messages, don't have
overrides and won't be a problem.

-- 
Chris Adams 


Re: Permissions on /var/log/ files

2013-07-17 Thread Matthew Miller
On Wed, Jul 17, 2013 at 03:59:35PM +0200, Timothy Murphy wrote:
> I'm tired of saying "sudo less /var/log/maillog" or "messages".
> Is there any non-paranoiac reason for not making /var/log/ files
> readable say by wheel?

I think it's reasonable for /var/log/secure to require an extra level of
authentication, but for /var/log/messages to be readable by wheel. It's one
of the first things I do in deploying a system of my own.

Note that if you're using the systemd journal (and you are, in recent
Fedora, including persistent logging to disk with F19), adding yourself to
the 'systemd-journal' group will allow you to see system logs with
'journalctl'.

(I had argued that this should just be 'wheel', but there we are.)


-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  


Re: Permissions on /var/log/ files

2013-07-17 Thread Suvayu Ali
On Wed, Jul 17, 2013 at 10:01:59AM -0500, Chris Adams wrote:
> Once upon a time, Bryn M. Reeves  said:
> > On 07/17/2013 03:47 PM, Suvayu Ali wrote:
> > > I thought changing the permission on /var/log/messages will cause
> > > problems with syslog, no?
> > 
> > Maybe you are thinking of logrotate? If you make changes by hand these
> > will be undone when the logs are rotated if the configuration differs
> > from the file system.
> 
> Again, nope, at least for common log files.  logrotate copies the
> current ownership/permissions to the new files, unless otherwise
> configured (and only a few files have that set in the default config;
> they probably shouldn't either).

Okay, I think I got confused somehow; learned something.  :)

Cheers,

-- 
Suvayu

Open source is the future. It sets us free.


Re: Permissions on /var/log/ files

2013-07-17 Thread Bryn M. Reeves
On 07/17/2013 04:01 PM, Chris Adams wrote:

> Again, nope, at least for common log files.  logrotate copies the
> current ownership/permissions to the new files, unless otherwise
> configured (and only a few files have that set in the default config;
> they probably shouldn't either).

*if the configuration differs from the file system.*

I'm trying to help Suvayu understand what he's getting confused over.
Conflicts between logrotate and manual changes are certainly more likely
than "something bad happened to syslog".

If you're unaware of the permissions control in the logrotate files it's
also somewhat mysterious to track down (I see many admins today who
don't even realise that it exists).

Bryn.



Re: Permissions on /var/log/ files

2013-07-17 Thread Chris Adams
Once upon a time, Bryn M. Reeves  said:
> On 07/17/2013 03:47 PM, Suvayu Ali wrote:
> > I thought changing the permission on /var/log/messages will cause
> > problems with syslog, no?
> 
> Maybe you are thinking of logrotate? If you make changes by hand these
> will be undone when the logs are rotated if the configuration differs
> from the file system.

Again, nope, at least for common log files.  logrotate copies the
current ownership/permissions to the new files, unless otherwise
configured (and only a few files have that set in the default config;
they probably shouldn't either).

-- 
Chris Adams 


Re: Permissions on /var/log/ files

2013-07-17 Thread Chris Adams
Once upon a time, Suvayu Ali  said:
> Your permission changes will be overwritten the moment a daemon sends a
> message to syslog.

No, they won't.  Where did you get that idea?  The syslog/rsyslog daemon
runs as root and can write to the file, no matter the permissions.  It
doesn't ever change permissions/ownership.

> AFAIU, the reason the logs are owned by root is because it is written by
> syslog (which runs as root).  The motivation I think is, the logs should
> remain untampered if your system is compromised.  Say a regular user is
> compromised, the logs are still intact and you can probably investigate
> what went wrong since you still trust the logs.  Of course this
> reasoning becomes moot the moment your root account is compromised.

The OP asked about making the logs readable by group wheel, not
writable.

-- 
Chris Adams 


Re: Permissions on /var/log/ files

2013-07-17 Thread Bryn M. Reeves
On 07/17/2013 03:47 PM, Suvayu Ali wrote:
> On Wed, Jul 17, 2013 at 09:29:04AM -0500, Chris Adams wrote:
>> Once upon a time, Timothy Murphy  said:
>>> Will it cause any problems if I change the permissions on these files?
>>
>> Nope, been doing it for years.
> 
> I thought changing the permission on /var/log/messages will cause
> problems with syslog, no?

Maybe you are thinking of logrotate? If you make changes by hand these
will be undone when the logs are rotated if the configuration differs
from the file system.

You can solve this by setting the permissions and ownership in the
relevant logrotate.{conf,d/} file.

Alternately you can use ACLs on the log files to open up access to
specific users and groups. Recent (>F14) logrotates should preserve ACLs
when rotating files (bz#77).

Regards,
Bryn.
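An added example, not from the thread, in shell: it covers both Bryn's point that logrotate can quietly undo hand-made permission changes and his suggestion to pin them in the logrotate config, by printing a stanza with an explicit `create` line and auditing a config against the live files. It assumes GNU stat (Linux) and stands in the current user and group for root and wheel so it runs unprivileged; the demo files and config are constructed in a temp dir.

```shell
#!/bin/sh
# Added example (not from the thread): make the logrotate "create" directive
# explicit and audit it against the real file modes, so a mismatch is visible
# before rotation silently "resets" a chmod.

# Print a logrotate stanza that pins mode/owner/group of the freshly created
# file; "create 0640 root wheel" is what a wheel-readable log needs.
logrotate_stanza() {   # path mode owner group
    printf '%s {\n    missingok\n    create %s %s %s\n}\n' "$1" "$2" "$3" "$4"
}

# For every stanza in a logrotate config that carries a "create" line, compare
# the directive with the live file; print one line per mismatch, nothing when
# config and file system agree. Stanzas without "create" are skipped, since
# logrotate then copies the existing ownership/permissions to the new file.
logrotate_create_mismatches() {   # config-file
    awk '
        /^[[:space:]]*#/ { next }
        index($0, "{") { split($0, part, "{"); n = split(part[1], path, " "); mode = ""; next }
        $1 == "create" && NF >= 4 { mode = $2; owner = $3; group = $4; next }
        index($0, "}") { if (mode != "") for (i = 1; i <= n; i++) print path[i], mode, owner, group }
    ' "$1" |
    while read -r file mode owner group; do
        [ -e "$file" ] || continue                      # globs/missing files: skip
        want="$(printf '%s' "$mode" | sed 's/^0*//') $owner $group"
        have=$(stat -c '%a %U %G' "$file")              # GNU stat (Linux)
        [ "$want" = "$have" ] ||
            printf '%s: logrotate will create %s, file is %s\n' "$file" "$want" "$have"
    done
}

# Constructed demo: a temp "messages" file with the current user/group standing
# in for root/wheel, because chown to root needs privileges.
demo_dir=$(mktemp -d)
demo_log="$demo_dir/messages"
demo_conf="$demo_dir/syslog.conf"
: > "$demo_log"; chmod 600 "$demo_log"
logrotate_stanza "$demo_log" 0640 "$(id -un)" "$(id -gn)" > "$demo_conf"
logrotate_create_mismatches "$demo_conf"      # reports: file is 600, config says 640
chmod 640 "$demo_log"
logrotate_create_mismatches "$demo_conf"      # silent: config and file agree
rm -rf "$demo_dir"
```

Pointing the audit function at a real /etc/logrotate.d/ file (as root, so every log is readable) shows which of the hand-set modes would survive the next rotation.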



Re: Permissions on /var/log/ files

2013-07-17 Thread Chris Adams
Once upon a time, Suvayu Ali  said:
> On Wed, Jul 17, 2013 at 09:29:04AM -0500, Chris Adams wrote:
> > Once upon a time, Timothy Murphy  said:
> > > Will it cause any problems if I change the permissions on these files?
> > 
> > Nope, been doing it for years.
> 
> I thought changing the permission on /var/log/messages will cause
> problems with syslog, no?

No, it doesn't.  Don't know why you think it would.
-- 
Chris Adams 


Re: Permissions on /var/log/ files

2013-07-17 Thread Suvayu Ali
Hi Timothy,

On Wed, Jul 17, 2013 at 10:35:46PM +0800, Ed Greshko wrote:
> On 07/17/13 22:27, Timothy Murphy wrote:
> > Ed Greshko wrote:
> >
> >> Heck, you could always make your sudo passwordless and you could always
> >> assign the frequently used commands aliases.
> > I guess my question should have been:
> > Will it cause any problems if I change the permissions on these files?
> > Is there any program that won't work if you do this,
> > as is true eg of some .ssh and pki files?
> >
> 
> But why bother?  You can't be assured that some update or process won't go 
> about changing them back on you.  Then, you'll be scratching your head again. 
> 
> Does the cron job to roll log files reset things?  Don't know...and I don't 
> want to care.
> 
> I prefer solutions that don't require changing things over which you don't or 
> may not have absolute control.

Your permission changes will be overwritten the moment a daemon sends a
message to syslog.

AFAIU, the reason the logs are owned by root is because it is written by
syslog (which runs as root).  The motivation I think is, the logs should
remain untampered if your system is compromised.  Say a regular user is
compromised, the logs are still intact and you can probably investigate
what went wrong since you still trust the logs.  Of course this
reasoning becomes moot the moment your root account is compromised.

Security and convenience have a very small overlap; finding that balance
is a hard problem.  :)

Hope this helps,

-- 
Suvayu

Open source is the future. It sets us free.


Re: Permissions on /var/log/ files

2013-07-17 Thread Suvayu Ali
On Wed, Jul 17, 2013 at 09:29:04AM -0500, Chris Adams wrote:
> Once upon a time, Timothy Murphy  said:
> > Will it cause any problems if I change the permissions on these files?
> 
> Nope, been doing it for years.

I thought changing the permission on /var/log/messages will cause
problems with syslog, no?

-- 
Suvayu

Open source is the future. It sets us free.


Re: Permissions on /var/log/ files

2013-07-17 Thread Ed Greshko
On 07/17/13 22:27, Timothy Murphy wrote:
> Ed Greshko wrote:
>
>> Heck, you could always make your sudo passwordless and you could always
>> assign the frequently used commands aliases.
> I guess my question should have been:
> Will it cause any problems if I change the permissions on these files?
> Is there any program that won't work if you do this,
> as is true eg of some .ssh and pki files?
>

But why bother?  You can't be assured that some update or process won't go 
about changing them back on you.  Then, you'll be scratching your head again. 

Does the cron job to roll log files reset things?  Don't know...and I don't 
want to care.

I prefer solutions that don't require changing things over which you don't or 
may not have absolute control.

-- 
The only thing worse than a poorly asked question is a cryptic answer.


Re: Permissions on /var/log/ files

2013-07-17 Thread Chris Adams
Once upon a time, Timothy Murphy  said:
> Will it cause any problems if I change the permissions on these files?

Nope, been doing it for years.
-- 
Chris Adams 


Re: Permissions on /var/log/ files

2013-07-17 Thread Timothy Murphy
Ed Greshko wrote:

> Heck, you could always make your sudo passwordless and you could always
> assign the frequently used commands aliases.

I guess my question should have been:
Will it cause any problems if I change the permissions on these files?
Is there any program that won't work if you do this,
as is true eg of some .ssh and pki files?

-- 
Timothy Murphy  
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
School of Mathematics, Trinity College, Dublin 2, Ireland




Re: Permissions on /var/log/ files

2013-07-17 Thread Suvayu Ali
On Wed, Jul 17, 2013 at 03:59:35PM +0200, Timothy Murphy wrote:
> I'm tired of saying "sudo less /var/log/maillog" or "messages".

For /var/log/messages you could use `dmesg -T | less +G' instead.

Hope this helps,

-- 
Suvayu

Open source is the future. It sets us free.


Re: Permissions on /var/log/ files

2013-07-17 Thread Ed Greshko
On 07/17/13 21:59, Timothy Murphy wrote:
> I'm tired of saying "sudo less /var/log/maillog" or "messages".
> Is there any non-paranoiac reason for not making /var/log/ files
> readable say by wheel?
>
>

Heck, you could always make your sudo passwordless and you could always assign 
the frequently used commands aliases. 

-- 
The only thing worse than a poorly asked question is a cryptic answer.


Permissions on /var/log/ files

2013-07-17 Thread Timothy Murphy
I'm tired of saying "sudo less /var/log/maillog" or "messages".
Is there any non-paranoiac reason for not making /var/log/ files
readable say by wheel?


-- 
Timothy Murphy  
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
School of Mathematics, Trinity College, Dublin 2, Ireland

