supervision - discussion about system services, daemon supervision, init, runlevel management, and tools such as s6 and runit
From: Colin Booth <colin@heliocat.net>
To: supervision@list.skarnet.org
Subject: Re: s6-log can create current with 640?
Date: Wed, 23 Oct 2019 04:53:57 +0000
Message-ID: <20191023045357.GB17083@cathexis.xen.prgmr.com>
In-Reply-To: <6f3a28f8-798c-9a55-e79b-2e54b37edf2e@heuristicsystems.com.au>

On Wed, Oct 23, 2019 at 01:27:24PM +1100, Dewayne Geraghty wrote:
> Is there any way to tell s6-log to set the mode to ./current to
> something other than 644?  640 is preferred?
> 
> For example: I write to the logdir /var/log/httpd/error which has privs:
> 
> /var/log/http
> drwx------  2 uucp  uucp   1.0K Oct 23 12:37 error/
> 
> Within /var/log/httpd/error
> -rwxr--r--  1 uucp  uucp   190K Oct 23 12:37 @400000005dafaf1b180d862c.s*
> -rw-r-----  1 uucp  uucp     0B Oct 23 12:37 state
> -rw-r--r--  1 uucp  uucp     0B Oct 23 12:37 current
> 
> I did try umask 037 but that just broke the pipe.
> 
> All my log files are of this form
> #!/usr/local/bin/execlineb -P
> s6-setuidgid uucp
> redirfd -r 0 /services/ntp/fifo
> /usr/local/bin/s6-log -b n28 r7000 s200000 S7000000 !"/usr/bin/xz -7q"
> /var/log/ntpd
> 
> This is a big deal as I'm about to move my audit processing under s6-rc.
> 
> (Aside: Actually I write to a fifo and then redirfd for s6-log to pick
> up the content and manage the log files.  All works very nicely :) )

I know it isn't sexy but directory restrictions are good enough in this
situation. In your case, only the uucp user is allowed to descend into
that directory to start with so as long as that guarantee stays in place
the file permissions shouldn't matter. In fact, 640 is *more* permissive
than the parent directory due to the ability for accounts in the uucp
group to observe the file, even if they can't get to the directory to do
it. 

Cheers!
-- 
Colin Booth
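As an added illustration of the point made above (example code written for this page, not code from s6, s6-log or anyone in the thread), here is a small model of the POSIX access check a kernel applies when a process opens a file: every directory on the way must grant search (x) permission to the caller, and only then do the final file's read bits matter. The path /var/log/httpd/error/current follows the listing in the question; the uid/gid value for uucp, the 0755 root-owned modes of /, /var, /var/log and /var/log/httpd, and the uids of the two test accounts are assumptions, since the listing does not show them. Root (CAP_DAC_OVERRIDE) and ACLs are deliberately not modelled.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Node:
    """One path component with its owner, group and permission bits."""
    name: str
    uid: int
    gid: int
    mode: int            # permission bits only, e.g. 0o700
    is_dir: bool = False


@dataclass(frozen=True)
class Subject:
    """The caller: effective uid, primary gid and supplementary groups."""
    uid: int
    gid: int
    groups: FrozenSet[int] = frozenset()


# Constructed id; the real uucp uid/gid on the poster's system is not shown.
UUCP = 66


def _class_bits(node: Node, subj: Subject) -> int:
    """Return the rwx triplet (owner, group or other) that applies to subj.
    Root (uid 0, CAP_DAC_OVERRIDE) is deliberately not modelled."""
    if subj.uid == node.uid:
        return (node.mode >> 6) & 0o7
    if node.gid == subj.gid or node.gid in subj.groups:
        return (node.mode >> 3) & 0o7
    return node.mode & 0o7


def can_read(path: List[Node], subj: Subject) -> bool:
    """True if subj could open path[-1] for reading.
    Every leading component must be a directory that grants search (x)
    to subj; only then are the final file's read bits consulted."""
    for component in path[:-1]:
        if not component.is_dir or not (_class_bits(component, subj) & 0o1):
            return False
    return bool(_class_bits(path[-1], subj) & 0o4)


def logdir_path(dir_mode: int, file_mode: int) -> List[Node]:
    """/var/log/httpd/error/current as in the thread, with the mode of the
    logdir and of current as parameters. The ancestors are assumed to be
    ordinary root-owned 0755 directories (assumption: not in the listing)."""
    return [
        Node("/", 0, 0, 0o755, True),
        Node("var", 0, 0, 0o755, True),
        Node("log", 0, 0, 0o755, True),
        Node("httpd", 0, 0, 0o755, True),
        Node("error", UUCP, UUCP, dir_mode, True),
        Node("current", UUCP, UUCP, file_mode),
    ]


# Constructed accounts: the log owner, a user who is merely in group uucp,
# and an unrelated user.
SUBJECTS = {
    "uucp": Subject(UUCP, UUCP),
    "uucp-group-member": Subject(1001, 1001, frozenset({UUCP})),
    "other": Subject(1002, 1002),
}


def who_can_read(dir_mode: int, file_mode: int) -> Dict[str, bool]:
    """For a given logdir mode and current mode, report who can read current."""
    path = logdir_path(dir_mode, file_mode)
    return {label: can_read(path, subj) for label, subj in SUBJECTS.items()}


if __name__ == "__main__":
    for dm, fm in ((0o700, 0o644), (0o700, 0o640), (0o750, 0o640)):
        print(f"logdir {dm:04o}, current {fm:04o}: {who_can_read(dm, fm)}")
```

With the logdir at 0700, current at 0644 and current at 0640 give the same answer (only uucp can read it); it is only once the directory is relaxed to 0750 that the 0640 file mode starts to matter, and then it is the group bit on the file, not the umask, that decides. On a real host the equivalent check is to walk the path with `namei -l /var/log/httpd/error/current` (util-linux) or `stat -c '%a %U:%G %n'` on each component and confirm that no ancestor grants search permission to anyone but the intended owner.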


Thread overview: 14+ messages
2019-10-23  2:27 Dewayne Geraghty
2019-10-23  4:53 ` Colin Booth [this message]
2019-10-23  5:39   ` Dewayne Geraghty
2019-10-23  7:15 ` Jonathan de Boyne Pollard
2019-10-23 23:03   ` Dewayne Geraghty
2019-10-23 23:58     ` Laurent Bercot
2019-10-25  8:20       ` Dewayne Geraghty
2019-10-25 17:06         ` Guillermo
2019-10-26  1:52           ` Dewayne Geraghty
2019-10-26  5:27             ` Laurent Bercot
2019-10-26  7:16               ` Dewayne Geraghty
2019-10-26 13:08                 ` Laurent Bercot
2019-10-29  7:28               ` Jonathan de Boyne Pollard
     [not found]               ` <a8fbd02e-0265-3d59-89d1-81048665693c@ntlworld.com>
2019-10-29  8:53                 ` Laurent Bercot
