From mboxrd@z Thu Jan 1 00:00:00 1970
X-Msuck: nntp://news.gmane.io/gmane.comp.sysutils.supervision.general/2686
Path: news.gmane.org!.POSTED.blaine.gmane.org!not-for-mail
From: Colin Booth
Newsgroups: gmane.comp.sysutils.supervision.general
Subject: Re: s6-log can create current with 640?
Date: Wed, 23 Oct 2019 04:53:57 +0000
Message-ID: <20191023045357.GB17083@cathexis.xen.prgmr.com>
References: <6f3a28f8-798c-9a55-e79b-2e54b37edf2e@heuristicsystems.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Injection-Info: blaine.gmane.org; posting-host="blaine.gmane.org:195.159.176.226"; logging-data="63823"; mail-complaints-to="usenet@blaine.gmane.org"
User-Agent: Mutt/1.10.1 (2018-07-13)
To: supervision@list.skarnet.org
Original-X-From: supervision-return-2275-gcsg-supervision=m.gmane.org@list.skarnet.org Wed Oct 23 06:54:01 2019
Return-path:
Envelope-to: gcsg-supervision@m.gmane.org
Original-Received: from alyss.skarnet.org ([95.142.172.232]) by blaine.gmane.org with smtp (Exim 4.89) (envelope-from ) id 1iN8em-000GSu-KM for gcsg-supervision@m.gmane.org; Wed, 23 Oct 2019 06:54:00 +0200
Original-Received: (qmail 23663 invoked by uid 89); 23 Oct 2019 04:54:25 -0000
Mailing-List: contact supervision-help@list.skarnet.org; run by ezmlm
Original-Sender:
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id:
Original-Received: (qmail 23656 invoked from network); 23 Oct 2019 04:54:24 -0000
Content-Disposition: inline
In-Reply-To: <6f3a28f8-798c-9a55-e79b-2e54b37edf2e@heuristicsystems.com.au>
Xref: news.gmane.org gmane.comp.sysutils.supervision.general:2686
Archived-At:

On Wed, Oct 23, 2019 at 01:27:24PM +1100, Dewayne Geraghty wrote:
> Is there any way to tell s6-log to set the mode to ./current to
> something other than 644? 640 is preferred?
>
> For example: I write to the logdir /var/log/httpd/error which has privs:
>
> /var/log/http
> drwx------ 2 uucp uucp 1.0K Oct 23 12:37 error/
>
> Within /var/log/httpd/error
> -rwxr--r-- 1 uucp uucp 190K Oct 23 12:37 @400000005dafaf1b180d862c.s*
> -rw-r----- 1 uucp uucp 0B Oct 23 12:37 state
> -rw-r--r-- 1 uucp uucp 0B Oct 23 12:37 current
>
> I did try umask 037 but that just broke the pipe.
>
> All my log files are of this form
> #!/usr/local/bin/execlineb -P
> s6-setuidgid uucp
> redirfd -r 0 /services/ntp/fifo
> /usr/local/bin/s6-log -b n28 r7000 s200000 S7000000 !"/usr/bin/xz -7q"
> /var/log/ntpd
>
> This is a big deal as I'm about to move my audit processing under s6-rc.
>
> (Aside: Actually I write to a fifo and then redirfd for s6-log to pick
> up the content and manage the log files. All works very nicely :) )

I know it isn't sexy but directory restrictions are good enough in this
situation. In your case, only the uucp user is allowed to descend into
that directory to start with so as long as that guarantee stays in place
the file permissions shouldn't matter. In fact, 640 is *more* permissive
than the parent directory due to the ability for accounts in the uucp
group to observe the file, even if they can't get to the directory to do
it.

Cheers!

-- 
Colin Booth
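
The directory-gating argument in the reply above can be checked mechanically. The following is an added example, not part of the original message and not s6 code: it computes whether a non-owner can actually read a log file once the search (x) bits of every parent directory are taken into account. The names `exposure` and `demo` are hypothetical, the directory layout is constructed in a temporary directory, and only plain mode bits are considered (assumption: no ACLs, caller is not root).

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def exposure(path, base="/"):
    """Which non-owner classes can read `path`, checking each directory from
    `base` down. Plain mode bits only (assumption: no ACLs, caller not root)."""
    target = Path(path).resolve()
    base = Path(base).resolve()
    st_file = target.stat()
    group_ok = other_ok = True
    for d in target.parents:
        if d != base and base not in d.parents:
            continue  # above `base`: outside the audited subtree
        st = d.stat()
        other_x = bool(st.st_mode & stat.S_IXOTH)
        # The directory's group bits apply only if it has the file's group;
        # otherwise a member of the file's group falls under "other" here.
        group_x = bool(st.st_mode & stat.S_IXGRP) if st.st_gid == st_file.st_gid else other_x
        group_ok, other_ok = group_ok and group_x, other_ok and other_x
    return {
        "group": group_ok and bool(st_file.st_mode & stat.S_IRGRP),
        "other": other_ok and bool(st_file.st_mode & stat.S_IROTH),
    }


def demo():
    """Constructed layout mirroring the thread: <root>/error/current."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    logdir = os.path.join(root, "error")
    os.mkdir(logdir)
    current = os.path.join(logdir, "current")
    open(current, "w").close()
    results = {}
    for dmode, fmode in [(0o700, 0o644), (0o700, 0o640), (0o750, 0o644), (0o755, 0o644)]:
        os.chmod(logdir, dmode)
        os.chmod(current, fmode)
        results[(dmode, fmode)] = exposure(current, base=root)
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for (dmode, fmode), seen in demo().items():
        print(f"dir {dmode:o} file {fmode:o} -> {seen}")
```

With the logdir at 700, `current` is unreachable for group and other whether its own mode is 644 or 640; the file mode only starts to matter once the directory is opened up to 750 or 755.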