Marcus Meissner wrote:
On Mon, Jul 04, 2005 at 06:20:24PM +0200, Sven 'Darkman' Michels wrote:
Hi there,
I noticed a "small" problem with logrotate (at least on SLES9): we have very restrictive rights for all our logfiles because many of them contain sensitive information. So we use 'create 0600 user group' to protect our logs. Now the problem: a rotated logfile (gzipped) has 644 and root.root permissions instead of the 'secure' ones. So we have a small security problem here. One way to fix this would be a postrotate script to fix the permissions, but is this really the way? I think if I use special permissions for my logs, they should be applied to the archives, too.
Did I miss something in the manpage(s) or is this the normal behavior? (didn't yet take a look into the source due to lack of time...)
A fix for this will be released with SLES 9 Service Pack 2 ... release very likely within the next week.
Ciao, Marcus
Isn't there a way over /etc/permissions.*? The other way is to do the following _without_ prerotate or postrotate:

/etc/logrotate.d/xyz-service

    /var/log/xyz-log {
        [...]
        create 0600 user group
        rotate 1
        [...]
    }

Somehow this behaviour (chmod 0600 for logfiles) is default within debian 3.x ;)

Regards
Philippe

-- 
This message is digitally signed and bears neither seal nor signature! The unsolicited sending of an advertising e-mail to private individuals violates §1 UWG and 823 I BGB (decision of the LG Berlin of 2.8.1998, Az: 16 O 201/98). Any commercial use of the transmitted personal data, as well as passing it on to third parties, is expressly prohibited!
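
Added example (not part of the original thread): a POSIX shell check for the condition described in the first message, listing rotated copies of a log whose mode grants bits the live log does not, or whose owner or group differs. It assumes GNU stat; the function name audit_rotated and the rotated-file patterns (LOG.* and LOG-*) are choices made for this example.

```shell
#!/bin/sh
# Added example: report rotated copies of a log that are less protected
# than the live log (extra permission bits, or a different owner/group).
# Assumes GNU stat (coreutils). audit_rotated is a name made up here.

audit_rotated() {
    log=$1
    if [ ! -f "$log" ]; then
        echo "audit_rotated: no such log: $log" >&2
        return 2
    fi
    want_mode=$(stat -c '%a' "$log")
    want_owner=$(stat -c '%U:%G' "$log")
    findings=0
    # logrotate names rotated copies LOG.1, LOG.1.gz, ... or, with
    # dateext, LOG-YYYYMMDD[.gz]; both patterns are checked.
    for f in "$log".* "$log"-*; do
        [ -f "$f" ] || continue          # unmatched glob stays literal
        have_mode=$(stat -c '%a' "$f")
        have_owner=$(stat -c '%U:%G' "$f")
        # Bits set on the archive that the live log does not grant.
        extra=$(( 0$have_mode & ~0$want_mode & 07777 ))
        if [ "$extra" -ne 0 ] || [ "$have_owner" != "$want_owner" ]; then
            printf '%s: mode %s owner %s (live log: mode %s owner %s)\n' \
                "$f" "$have_mode" "$have_owner" "$want_mode" "$want_owner"
            findings=1
        fi
    done
    return "$findings"
}

# Check every log path given on the command line; the script's exit
# status is non-zero if any rotated copy was reported.
status=0
for log in "$@"; do
    audit_rotated "$log" || status=1
done
[ "$status" -eq 0 ]
```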