DevHeads.net

read permission on rotated logs

When logs (e.g. /var/log/maillog) are rotated (e.g. to
/var/log/maillog-YYYYMDD) is there a way via systemd or whatever to
assign read permission to a specific group?

Right now, for example -

ls -l maillog*
-rw------- 1 root root 3105240 Mar 13 22:04 maillog
-rw------- 1 root root 1079031 Feb 24 04:39 maillog-20190224
-rw------- 1 root root 7237640 Mar 1 12:59 maillog-20190228
-rw------- 1 root root 1297508 Mar 3 04:21 maillog-20190303
-rw------- 1 root root 1319371 Mar 10 08:17 maillog-20190310

What I would like -

ls -l maillog*
-rw------- 1 root root 3105240 Mar 13 22:04 maillog
-rw-r----- 1 root somegroup 1079031 Feb 24 04:39 maillog-20190224
-rw-r----- 1 root somegroup 7237640 Mar 1 12:59 maillog-20190228
-rw-r----- 1 root somegroup 1297508 Mar 3 04:21 maillog-20190303
-rw-r----- 1 root somegroup 1319371 Mar 10 08:17 maillog-20190310

That way a user in somegroup could run a script that analyzes the
rotated logs w/o needing root privileges.

Obviously I could put a script in /etc/cron.hourly that looks for
rotated log files and changes ownership / permission, but I am wondering
if there is a "proper" way to configure it via systemd or another utility.

Comments

read permission on rotated logs

By Leroy Tennison at 03/14/2019 - 11:45

Maybe I'm missing something here but doesn't logrotate have the 'postrotate ... endscript' block for its configuration files where you can run any command you desire?

Leroy Tennison
Network Information/Cyber Security Specialist
E: <a href="mailto: ... at datavoiceint dot com"> ... at datavoiceint dot com</a>
2220 Bush Dr
McKinney, Texas
75070
<a href="http://www.datavoiceint.com" title="www.datavoiceint.com">www.datavoiceint.com</a>
This message has been sent on behalf
of a company that is part of the Harris Operating Group of
Constellation Software Inc. These companies are listed
here
.
If you prefer not to be contacted by Harris
Operating Group
please notify us
.
This message is intended exclusively for the
individual or entity to which it is addressed. This communication
may contain information that is proprietary, privileged or
confidential or otherwise legally exempt from disclosure. If you are
not the named addressee, you are not authorized to read, print,
retain, copy or disseminate this message or any part of it. If you
have received this message in error, please notify the sender
immediately by e-mail and delete all copies of the
message.

When logs (e.g. /var/log/maillog) are rotated (e.g. to
/var/log/maillog-YYYYMDD) is there a way via systemd or whatever to
assign read permission to a specific group?

Right now, for example -

ls -l maillog*
-rw------- 1 root root 3105240 Mar 13 22:04 maillog
-rw------- 1 root root 1079031 Feb 24 04:39 maillog-20190224
-rw------- 1 root root 7237640 Mar 1 12:59 maillog-20190228
-rw------- 1 root root 1297508 Mar 3 04:21 maillog-20190303
-rw------- 1 root root 1319371 Mar 10 08:17 maillog-20190310

What I would like -

ls -l maillog*
-rw------- 1 root root 3105240 Mar 13 22:04 maillog
-rw-r----- 1 root somegroup 1079031 Feb 24 04:39 maillog-20190224
-rw-r----- 1 root somegroup 7237640 Mar 1 12:59 maillog-20190228
-rw-r----- 1 root somegroup 1297508 Mar 3 04:21 maillog-20190303
-rw-r----- 1 root somegroup 1319371 Mar 10 08:17 maillog-20190310

That way a user in somegroup could run a script that analyzes the
rotated logs w/o needing root privileges.

Obviously I could put a script in /etc/cron.hourly that looks for
rotated log files and changes ownership / permission, but I am wondering
if there is a "proper" way to configure it via systemd or another utility.

Re: read permission on rotated logs

By Pete Biggs at 03/14/2019 - 11:52

On Thu, 2019-03-14 at 15:45 +0000, Leroy Tennison wrote:
The problem is knowing the name that the logfile has just been rotated
to. The script is only passed the name of the logfile itself and I
don't think the name can be accurately constructed from that.

That's why I said some combination of pre- and post- rotate. Something
like in the prerotate section change the ownership and permissions,
then when it's rotated it should be correct. The create command can
then be used to make sure the newly created logfile has the correct
ownership/permission.

P.

Re: read permission on rotated logs

By Mogens Kjaer at 03/14/2019 - 06:51

On 3/13/19 11:13 PM, Alice Wonder wrote:
Add the following line to /etc/logrotate.d/syslog, e.g. after sharedscripts:

create 640 root somegroup

Re: read permission on rotated logs

By Pete Biggs at 03/14/2019 - 07:13

On Thu, 2019-03-14 at 11:51 +0100, Mogens Kjaer wrote:
I thought the create command created the new log with those permissions
not changed the owner/permission of the rotated logs. Alice said she
would like:

-rw------- 1 root root 3105240 Mar 13 22:04 maillog
-rw-r----- 1 root somegroup 1079031 Feb 24 04:39 maillog-20190224
-rw-r----- 1 root somegroup 7237640 Mar 1 12:59 maillog-20190228
-rw-r----- 1 root somegroup 1297508 Mar 3 04:21 maillog-20190303
-rw-r----- 1 root somegroup 1319371 Mar 10 08:17 maillog-20190310

P.

Re: read permission on rotated logs

By Pete Biggs at 03/13/2019 - 19:25

On Wed, 2019-03-13 at 15:13 -0700, Alice Wonder wrote:
It's logrotate that does it.

You may want to look at the 'prerotate' and 'postrotate' sections of
the logrotate config files - I'm sure you should be able concoct
something that will do what you want.

P.