From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 16 Mar 2009 06:31:41 +0200
From: Alex Efros
To: 9fans@9fans.net
Message-ID: <20090316043140.GB2753@home.power>
References: <948781140903151935y51e45cedl6ab826ee9c68b115@mail.gmail.com> <7837ef4f0a0c4327b9302be24e2a1fa2@quanstro.net> <13426df10903152018l71106308oc6ca777863aed2ce@mail.gmail.com> <3aaafc130903152055wf530678jde8d61aac045fb7@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <3aaafc130903152055wf530678jde8d61aac045fb7@mail.gmail.com>
User-Agent: Mutt/1.5.16 (2007-06-09)
Subject: Re: [9fans] log oversight
Topicbox-Message-UUID: bc45ac7e-ead4-11e9-9d60-3106f5b1d025

Hi!

On Sun, Mar 15, 2009 at 11:55:39PM -0400, J.R. Mauro wrote:
> > logs on unix are writeable by everyone:
> > [rminnich@Panzer ~]$ logger -p kern.err "JUNK"
> > [rminnich@Panzer ~]$ sudo tail -f /var/log/messages
> This didn't work on my linux box. I actually have:
> % ls -l /var/log/messages
> -rw------- 1 root root 960355 2009-03-15 23:51 /var/log/messages

[OT]
Actually, logger works using /dev/log:

    # ls -l /dev/log
    srwxrwxrwx 1 root root 0 Мар 13 18:55 /dev/log

After chmod 0700 /dev/log users will not be able to use logger anymore.

I usually have all services output logs to stdout (or fifo) and pipe them
to special logging tools like multilog or svlogd, which in turn run as
user 'log', and all these logs have permissions like:

    # ls -ld /var/log/apache2/access{,/current}
    drwxr-s--- 2 log root   4096 Mar 15 03:55 /var/log/apache2/access
    -rw-r--r-- 1 log root 688994 Mar 16 06:11 /var/log/apache2/access/current

So, 'logs on unix' are very configurable and it's not correct to say they
are 'writeable by everyone'. There is even no such thing as an 'out of box'
setup in unix, because it is not designed to work 'out of box' and expects
some manual configuration first :) Also, for example, in linux there are
too many distributions with different 'out of box' configurations - the
apache logs configuration shown above is my 'out of box' configuration,
installed automatically while installing Gentoo on a new server using my
portage overlay.
[/OT]

Back to the original question - I think append-only is 'good, but not
enough' for logs: adding fake records may hurt no less than mangling
existing records. Reading of logs by an unauthorized user may also be
dangerous. To solve these two issues you have to set log permissions
similar to my example above: nobody can read and only root and the log
service are able to write. After that it becomes much less important
whether these logs are append-only or not (if one really wants to make
logs append-only - use chattr +a).

-- 
WBR, Alex.
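
An added example, not part of the original message: a Python check of what the two listings above show, that the mode of a log file or of the /dev/log socket only matters to other users if every parent directory lets them through (the -rw-r--r-- file sits behind a drwxr-s--- directory). The function names, the `root` parameter and the finding strings are assumptions made for this example.

```python
import os
import stat
import sys

OTHER = (("r", stat.S_IROTH), ("w", stat.S_IWOTH), ("x", stat.S_IXOTH))


def other_bits(path):
    """Permission letters granted to 'other' (not owner, not group) on path."""
    mode = os.stat(path).st_mode
    return {letter for letter, bit in OTHER if mode & bit}


def reachable_by_others(path, root="/"):
    """True if 'other' has search (x) permission on every directory
    from root down to the directory that contains path."""
    root = os.path.realpath(root)
    d = os.path.dirname(os.path.realpath(path))
    while True:
        if "x" not in other_bits(d):
            return False
        parent = os.path.dirname(d)
        if d == root or parent == d:
            return True
        d = parent


def audit_log(path, root="/"):
    """Findings for a log file, or a socket such as /dev/log, judged by the
    policy stated in the message: others neither read nor write."""
    bits = other_bits(path)
    granted = "".join(sorted(bits & {"r", "w"}))
    if granted and not reachable_by_others(path, root):
        # e.g. drwxr-s--- on the directory: the file's own bits are moot
        return ["others granted '%s' by mode, blocked only by a parent directory" % granted]
    findings = []
    if "w" in bits:  # on /dev/log this is what lets any user run logger
        findings.append("others can write (fake records possible)")
    if "r" in bits:
        findings.append("others can read")
    return findings


if __name__ == "__main__":
    # Assumed usage: python audit_log.py /dev/log /var/log/messages
    for p in sys.argv[1:]:
        print(p, audit_log(p) or "ok")
```

The check reads mode bits only; ACLs and append-only attributes set with chattr are outside what it inspects.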