[opensuse-factory] inconsistent logfile permissions, logrotate
Hi,

today I've noticed inconsistencies with logfile permissions and logrotate which leads me to think about a feature request.

For example /var/log/localmessages seems to be created at installation time with 0644 root:root. But the first log rotation changed this to 0640 and my users complained about that.

The permission change is caused by /etc/logrotate.d/syslog:

    ....
    /var/log/warn /var/log/messages /var/log/allmessages /var/log/localmessages /var/log/firewall /var/log/acpid /var/log/NetworkManager {
        [...]
        create 640 root root
        [...]
    }

So there are at least two places where these permissions are defined, one at installation time and the other in /etc/logrotate*

Since "man logrotate" says:

    create mode owner group
    [...] Any of the log file attributes may be omitted, in which case those attributes for the new file will use the same values as the original log file for the omitted attributes.

I would suggest to change logrotate config from "create 640 root root" to just "create" and to track these logfiles within /etc/permissions* too.

This would make things more generic, simple and consistent. What do you think?

cu,
Rudi
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory+help@opensuse.org
Ruediger Meier wrote:
I would suggest to change logrotate config from "create 640 root root" to just "create" and to track these logfiles within /etc/permissions* too.
This would make things more generic, simple and consistent. What do you think?
The syslog daemon just needs to create the file with proper permissions in the first place. Involving /etc/permissions shouldn't be needed.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
On Monday 01 August 2011, Ludwig Nussel wrote:
Ruediger Meier wrote:
I would suggest to change logrotate config from "create 640 root root" to just "create" and to track these logfiles within /etc/permissions* too.
This would make things more generic, simple and consistent. What do you think?
The syslog daemon just needs to create the file with proper permissions in the first place. Involving /etc/permissions shouldn't be needed.
Yes, but IMO these permissions shouldn't be "hardcoded" defined in /etc/logrotate.d/

This is inconsistent because the first creation after installation is not managed by logrotate.

I've mentioned two independent things to do:

1. To fix the inconsistency it would be enough to remove the mode/owner/group attributes from logrotate's create statements. In this case it will just use the permissions of the old rotated log file which should have the right permissions already. (This is a documented feature of logrotate).

2. Involving /etc/permissions is not needed but would be nice for the user to override default logfile permissions resistant over RPM updates or (de)install. Furthermore you could see these permissions at one place instead of several rpmspecs, postinstall scripts or wherever these log files are created at the first time. And also would be nice to have different log file permissions defined for the levels easy/secure/paranoid.

Point 1. would just solve a bug. Point 2. is a nice feature which requires 1. to be solved.

cu,
Rudi
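The mismatch discussed in this thread can be checked before the first rotation happens. The following is an added example, not code from the thread or from logrotate: it reads a logrotate drop-in file, finds `create` lines that carry an explicit mode, and lists existing logs whose current mode differs. The function names are made up for illustration, and it assumes unquoted absolute paths and un-nested stanzas.

```python
import glob
import os
import re
import stat
import tempfile

STANZA = re.compile(r"([^{}]+)\{([^{}]*)\}")  # "<paths> { <directives> }"

def create_modes(conf_text):
    """Map each log path/glob to the octal mode on its stanza's 'create'
    line, or None when 'create' omits the mode (logrotate then reuses the
    old file's mode)."""
    rules = {}
    for paths, body in STANZA.findall(re.sub(r"#.*", "", conf_text)):
        m = re.search(r"^\s*create\b(.*)$", body, re.M)
        if not m:
            continue
        args = m.group(1).split()
        has_mode = bool(args) and re.fullmatch(r"[0-7]{3,4}", args[0])
        for pattern in paths.split():
            if pattern.startswith("/"):      # skip global directives
                rules[pattern] = int(args[0], 8) if has_mode else None
    return rules

def mode_drift(conf_text):
    """List (path, current_mode, mode_after_rotation) for each existing log
    whose mode the next rotation would change."""
    drift = []
    for pattern, mode in create_modes(conf_text).items():
        if mode is None:
            continue                         # attributes inherited: no drift
        for path in sorted(glob.glob(pattern)):
            current = stat.S_IMODE(os.stat(path).st_mode)
            if current != mode:
                drift.append((path, current, mode))
    return drift

if __name__ == "__main__":
    # Constructed sample: a log created 0644, rotated with "create 640".
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "localmessages")
        open(log, "w").close()
        os.chmod(log, 0o644)
        conf = f"{log} {{\n    compress\n    create 640 root root\n}}\n"
        for path, now, later in mode_drift(conf):
            print(f"{path}: {now:04o} now, {later:04o} after rotation")
```

On a real system, pass the contents of a file such as /etc/logrotate.d/syslog to `mode_drift`; an empty result means rotation will not change any log's mode.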
On Monday 01 August 2011, Ruediger Meier wrote:
1. To fix the inconsistency it would be enough to remove the mode/owner/group attributes from logrotate's create statements. [...] 2. Involving /etc/permissions is not needed but would be nice for the user to override default logfile permissions resistant over RPM updates or (de)install. [...]
Hm, this doesn't seem to be interesting for anybody. Do you think it would get more attention on openFate? If not then I'll just fix it for myself and report the bug.

cu,
Rudi
participants (3)
- Ludwig Nussel
- Ruediger Meier
- Rüdiger Meier