Allow access to /var/log/syslog to a specific user

Fulgurance · Veteran Joined: 15 Feb 2017 Posts: 1199

Hello, today I try to found a way to allow person in wheel group to have access to the /var/log/syslog file. Where can I configure that and how ? I seen few configurations files for sysklogd, but I didn't found how to do that

Hu · Moderator Joined: 06 Mar 2007 Posts: 21607

What type of access are you trying to provide?

Read the file with less, and no more access than that.
Read the file with arbitrary tools of the user's choosing.
Modify the file, like root can.

For the first, an appropriately strict sudo entry might suffice. For the second, you may want to give the file ownership/permissions that allow the user to read it from his own uid.

Fulgurance · Veteran Joined: 15 Feb 2017 Posts: 1199

I just need read access. But I want to do that via allow wheel group to access to it. Is there any configuration file for syslog like for audit log file. Because for audit.log, there is a configuration file where I can set the wheel group (for example ) to be able to read the audit log file. I done that to allow my main user to read logs file and give able to ksyslog to read logs files

madmin · n00b Joined: 04 Nov 2018 Posts: 26

Hey,

The exact way to achieve that will depend on your syslog implementation.

Here I use syslog-ng (because I like it

and for that one, there's a "group" directive to add in:
- "options" section for global settings
- "destination" to override global settings

Rsyslog shall allow you same granularity, at least you can configure that group in "omfile" output module.

Fulgurance · Veteran Joined: 15 Feb 2017 Posts: 1199

I have sysklogd

pingtoo · Posted: Sun Sep 04, 2022 1:55 pm Post subject:

What about simply set permission to allow *wheel* group user read access?

Fulgurance · Veteran Joined: 15 Feb 2017 Posts: 1199

I can use this way yes, but I prefer to set via the syslog configuration, I'm sure it's possible

pietinger · Posted: Sun Sep 04, 2022 6:20 pm Post subject:

szatox · Advocate Joined: 27 Aug 2013 Posts: 3131

You can set ACL on a logfile to grant additional access.
Check out setfacl / getfacl if you're interested in this approach. Basically you can define additional users and groups who should have access rights. Primary user and group in this case act as a mask for ACL, so the additional users and groups can't have access rights the primary user and group don't have.

It is possible to define default ACLs on a directory, so any file created inside of that directory will have those ACLs applied automagically.

Also, AFAIR wheel group grants access to su. Does it have other purpose than tagging users who should be able to escalate permissions?

Fulgurance · Veteran Joined: 15 Feb 2017 Posts: 1199

Thanks you very much all for your help and advices

Ralphred · Guru Joined: 31 Dec 2013 Posts: 495

Have you tried using start-stop-daemon's --group switch to see if the files get written with root:wheel perms?
If that works you can o-r /var/log and it would be as described.

Princess Nell · l33t Joined: 15 Apr 2005 Posts: 916

I would stay away from permissions changes altogether as they may have unintended consequences. Best encapsulation I can think of right now is via sudo, i.e. specifically allow user foo or group bar to cat/more/less the log file in question.