Re: Permissions on /var/log/ files

On 07/17/2013 08:36 AM, Reindl Harald issued this missive:
>
> On 17.07.2013 16:46, Suvayu Ali wrote:
>> On Wed, Jul 17, 2013 at 10:35:46PM +0800, Ed Greshko wrote:
>>> On 07/17/13 22:27, Timothy Murphy wrote:
>>>> Ed Greshko wrote:
>>>>> Heck, you could always make your sudo passwordless and you could always
>>>>> assign the frequently used commands aliases.
>>>> I guess my question should have been:
>>>> Will it cause any problems if I change the permissions on these files?
>>>> Is there any program that won't work if you do this,
>>>> as is true e.g. of some .ssh and pki files?
>>>
>>> But why bother?  You can't be assured that some update or process won't go about changing them back on you.  Then, you'll be scratching your head again.
>>>
>>> Does the cron job to roll log files reset things?  Don't know...and I don't want to care.
>>>
>>> I prefer solutions that don't require changing things over which you don't or may not have absolute control.
>>
>> Your permission changes will be overwritten the moment a daemon sends a
>> message to syslog.
>
> *no they are not*
> otherwise my /var/log/maillog on my workstation would not have 644

The correct thing to say is "if syslog(whatever) has to CREATE the file,
it will not have world-readable set." Once the file is created, syslog*
won't change the permissions. I can't speak to what logrotate will do
to them, however.

>> AFAIU, the reason the logs are owned by root is because it is written by
>> syslog (which runs as root).  The motivation I think is, the logs should
>> remain untampered if your system is compromised.
>
> how does chmod 644 affect *write* permissions?

It is not who writes to it that sets the permissions and ownership,
it's who creates the file in the first place. It is created by a
root process (syslog-whatever) and most of them have 600 permissions
(rw-------). You can change it later if you so wish, but there are
security issues if you give them world-readable (xx4) permissions.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-      Do you know how to save five drowning lawyers?  No?  GOOD!    -
----------------------------------------------------------------------
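
The create-versus-write distinction discussed in this thread, as an added example that is not part of any poster's message. It runs in a throwaway temp directory rather than /var/log; the function names are hypothetical, and the rename-and-recreate step is an assumed model of a rotation that creates a fresh file with a restrictive umask.

```shell
#!/bin/sh
# Added illustration: who CREATES a file decides its mode, writes do not.

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Create an empty log the way a daemon with a restrictive umask would.
create_log() { ( umask 077; : > "$1" ); }

# Append one line to an existing log, as a daemon writing to it does.
append_log() { printf '%s\n' "$2" >> "$1"; }

# Rotate by rename + recreate (assumed model of a "create"-style rotation).
rotate_log() { mv "$1" "$1.1"; create_log "$1"; }

# List regular files under a directory that are readable by "other".
world_readable() { find "$1" -type f -perm -004; }

demo() {
    dir=$(mktemp -d) || return 1
    log="$dir/maillog"

    create_log "$log"
    m_created=$(mode_of "$log")          # mode chosen at creation

    chmod 644 "$log"                     # the admin's manual change
    append_log "$log" "constructed sample line"
    m_after_write=$(mode_of "$log")      # appending leaves the mode alone

    rotate_log "$log"
    m_after_rotate=$(mode_of "$log")     # new file: creator's mode again
    m_rotated_copy=$(mode_of "$log.1")   # renamed file keeps the chmod

    # Audit step: how many files are still world-readable after rotation
    n_exposed=$(world_readable "$dir" | wc -l | tr -d ' ')

    rm -rf "$dir"
    echo "$m_created $m_after_write $m_after_rotate $m_rotated_copy $n_exposed"
}

demo
```

The manual chmod survives appends but not recreation, and the rotated copy keeps the looser mode, so an audit for world-readable logs has to include rotated files as well as the live one.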