View previous topic :: View next topic |
Author |
Message |
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1199
|
Posted: Fri Sep 02, 2022 11:29 am Post subject: Allow access to /var/log/syslog to a specific user |
|
|
Hello, today I try to found a way to allow person in wheel group to have access to the /var/log/syslog file. Where can I configure that and how ? I seen few configurations files for sysklogd, but I didn't found how to do that |
|
Back to top |
|
|
Hu Moderator
Joined: 06 Mar 2007 Posts: 21607
|
Posted: Fri Sep 02, 2022 1:51 pm Post subject: |
|
|
What type of access are you trying to provide?- Read the file with less, and no more access than that.
- Read the file with arbitrary tools of the user's choosing.
- Modify the file, like root can.
For the first, an appropriately strict sudo entry might suffice. For the second, you may want to give the file ownership/permissions that allow the user to read it from his own uid. |
|
Back to top |
|
|
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1199
|
Posted: Fri Sep 02, 2022 9:41 pm Post subject: |
|
|
I just need read access. But I want to do that via allow wheel group to access to it. Is there any configuration file for syslog like for audit log file. Because for audit.log, there is a configuration file where I can set the wheel group (for example ) to be able to read the audit log file. I done that to allow my main user to read logs file and give able to ksyslog to read logs files |
|
Back to top |
|
|
madmin n00b
Joined: 04 Nov 2018 Posts: 26
|
Posted: Sat Sep 03, 2022 6:25 am Post subject: |
|
|
Hey,
The exact way to achieve that will depend on your syslog implementation.
Here I use syslog-ng (because I like it and for that one, there's a "group" directive to add in:
- "options" section for global settings
- "destination" to override global settings
Rsyslog shall allow you same granularity, at least you can configure that group in "omfile" output module. |
|
Back to top |
|
|
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1199
|
Posted: Sun Sep 04, 2022 1:22 pm Post subject: |
|
|
I have sysklogd |
|
Back to top |
|
|
pingtoo l33t
Joined: 10 Sep 2021 Posts: 920 Location: Richmond Hill, Canada
|
Posted: Sun Sep 04, 2022 1:55 pm Post subject: |
|
|
What about simply set permission to allow *wheel* group user read access? Code: | chgrp wheel /var/log/syslog
chmod g+r /var/log/syslog |
|
|
Back to top |
|
|
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1199
|
Posted: Sun Sep 04, 2022 5:36 pm Post subject: |
|
|
I can use this way yes, but I prefer to set via the syslog configuration, I'm sure it's possible |
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 4130 Location: Bavaria
|
Posted: Sun Sep 04, 2022 6:20 pm Post subject: |
|
|
Fulgurance wrote: | I'm sure it's possible |
AFAIK no. You can filter all kernel messages and direct them to a file you like, but THIS file you have to give the correct permissions by yourself.
(The only thing with users syslogd also can do is: Giving some messages to a terminal of a (logged in) User; see more "man syslogd.conf".) |
|
Back to top |
|
|
szatox Advocate
Joined: 27 Aug 2013 Posts: 3131
|
Posted: Sun Sep 04, 2022 7:21 pm Post subject: |
|
|
You can set ACL on a logfile to grant additional access.
Check out setfacl / getfacl if you're interested in this approach. Basically you can define additional users and groups who should have access rights. Primary user and group in this case act as a mask for ACL, so the additional users and groups can't have access rights the primary user and group don't have.
It is possible to define default ACLs on a directory, so any file created inside of that directory will have those ACLs applied automagically.
Also, AFAIR wheel group grants access to su. Does it have other purpose than tagging users who should be able to escalate permissions? |
|
Back to top |
|
|
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1199
|
Posted: Mon Sep 05, 2022 5:52 am Post subject: |
|
|
Thanks you very much all for your help and advices |
|
Back to top |
|
|
Ralphred Guru
Joined: 31 Dec 2013 Posts: 495
|
Posted: Mon Sep 05, 2022 8:40 am Post subject: |
|
|
Have you tried using start-stop-daemon's --group switch to see if the files get written with root:wheel perms?
If that works you can o-r /var/log and it would be as described. |
|
Back to top |
|
|
Princess Nell l33t
Joined: 15 Apr 2005 Posts: 916
|
Posted: Mon Oct 17, 2022 9:22 pm Post subject: |
|
|
I would stay away from permissions changes altogether as they may have unintended consequences. Best encapsulation I can think of right now is via sudo, i.e. specifically allow user foo or group bar to cat/more/less the log file in question. |
|
Back to top |
|
|
|