From: Vincent Danen
Newsgroups: gmane.comp.sysutils.supervision.general
Subject: Re: svlogd and umask settings
Date: Fri, 1 Sep 2006 11:49:40 -0600
Organization: Annvix
Message-ID: <20060901174940.GY25489@annvix.org>
In-Reply-To: <20060830220325.GK25489@annvix.org>
Cc: supervision@list.skarnet.org
* Vincent Danen [2006-08-30 16:03:25 -0600]:

> I have an issue with svlogd where I need it to write files with 0640
> perms, but it wants to write with 0644 perms. I tried to toss a umask
> call in my runscript:
>
> [root@ares apparmor.d]# cat /service/auditd/log/run
> #!/bin/execlineb
>
> # logging for the auditd service; unfortunately we need to run as root here
> # so that genprof will look at our log
>
> /bin/foreground { /usr/bin/install -m 0700 -d -o root -g root /var/log/system/audit }
> /bin/cd /var/log/service
> /bin/umask 026
> /sbin/svlogd /var/log/system/audit
>
> This doesn't seem to make a difference to svlogd. Looking in the
> manpage, I didn't see anything about changing the permissions of files
> it creates. But even with the above I get:
>
> [root@ares apparmor.d]# ls -l /var/log/system/audit/
> total 0
> -rw-r--r-- 1 root root 0 Aug 30 16:17 current
> -rw------- 1 root root 0 Aug 30 16:17 lock
>
> What am I missing or do I have to change something in svlogd itself?
> Since Annvix is now using socklog by default, I need to make sure logs
> are 0640. The directory permissions are correct, but the log file
> permissions are not.

Ok, I see the problem. I see all the fchmod() calls in svlogd.c that are
writing files as mode 0744 or 0644. What would be nice to see is if svlogd
could be configured to accept as a config option perms for files or if it
respected umask settings. As it stands right now, I'm going to have to
patch svlogd.c to make it write files mode 0740 or 0640. In conjunction
with stuff like socklog, this is pretty important.
You never see stuff like /var/log/messages or /var/log/auth.log with such
insecure permissions so it would be good if something that socklog depended
on could likewise write more secure log files. Maybe a switch (like -s) to
enable secure logfile writing (mode 0x40) and -ss to enable more secure
logfile writing (mode 0x00)?

My C skills aren't overly sharp, but I'll see if I can hobble a patch
together for this.

-- 
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C A2BC 2EBC 5E32 FEE3 0AD4}
mysql> SELECT * FROM users WHERE clue > 0;
Empty set (0.00sec)
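An added example, not part of the thread or of svlogd itself, showing why the umask in the run script had no effect: open() applies the process umask to its mode argument, but an explicit fchmod() afterwards (which is what the fchmod() calls in svlogd.c do) sets the bits exactly as given. The file path is a constructed scratch path under /tmp.

```c
/* Added demonstration (not from svlogd.c): umask affects open(), not fchmod(). */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` under umask `mask` with open(..., open_mode), optionally
 * call fchmod(fd, fchmod_mode) afterwards, and return the resulting
 * permission bits (st_mode & 07777), or -1 on error. The file is removed
 * before returning so the call can be repeated. */
int create_and_get_mode(const char *path, mode_t mask, mode_t open_mode,
                        int do_fchmod, mode_t fchmod_mode)
{
    struct stat st;
    int rc;

    unlink(path);                       /* O_CREAT only applies mode to new files */
    mode_t old = umask(mask);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, open_mode);
    umask(old);                         /* restore the caller's umask */
    if (fd < 0)
        return -1;

    /* This is the step svlogd performs: an explicit mode that bypasses umask. */
    if (do_fchmod && fchmod(fd, fchmod_mode) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    rc = fstat(fd, &st);
    close(fd);
    unlink(path);
    return rc == 0 ? (int)(st.st_mode & 07777) : -1;
}

int main(void)
{
    const char *p = "/tmp/svlogd_umask_demo"; /* constructed scratch path */
    /* umask 026 applied to open(..., 0644) gives 0640, as the run script intended */
    printf("open only  : %04o\n", create_and_get_mode(p, 026, 0644, 0, 0));
    /* same umask, then fchmod(fd, 0644) gives 0644: the umask is ignored */
    printf("with fchmod: %04o\n", create_and_get_mode(p, 026, 0644, 1, 0644));
    return 0;
}
```

This is why only a change inside svlogd.c (or a mode option it honours) can produce 0640 files; no umask set by a parent process reaches past the fchmod().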