
shouldn't root.adm , -rw-r----- , be policy for all non-public log files?



Hi,

I maintain the Lire package, which processes log files from e.g.
sendmail, bind, apache, boa and lots of other services.  I don't want to
run any Lire processes as root.  However, of course, the processes need
read access to log files.  Unfortunately, there seems to be no rule or
policy on what access permissions for log files should be.  Wouldn't it
be nice if all non-public log files were owned by group `adm', and
group-readable?  (World readability for public log files is fine too, of
course.)  Currently, this is the case for quite a lot of commonly found
log files.

(A short investigation shows some exceptions: in order to read exim's
logs, one needs to be in the `mail' group.  For squid this is the
`proxy' group.)

I've reread the "exploring debian's users and groups" discussion on
http://lists.debian.org/debian-devel/2001/debian-devel-200108/msg00272.html
; although similar issues were raised, no conclusion seems to have been
reached on this specific subject (other than "adm is to read logs".)

See also http://bugs.debian.org/153812 .  In the current situation, I
can't automatically configure my package to get read access for all
supported logs, without running it as root :(

Bye,

Joost

-- 
                               . .                  http://mdcc.cx/
Joost van Baal                .   .
                              .   .
                               . .            http://logreport.org/
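
The policy proposed in the message above can be checked mechanically. The following is an added example, not part of the original post or of the Lire package: it lists which log files a non-root member of group `adm` could read and which are exceptions needing another group. The function names and the default `/var/log` directory are assumptions made for illustration.

```python
import grp
import os
import stat


def group_name(gid):
    """Resolve a gid to its name; fall back to the number if it has no entry."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def classify(st, log_group="adm"):
    """Decide how a non-root member of log_group would see this file."""
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IROTH:
        return "public"      # world-readable: fine for public logs
    if group_name(st.st_gid) == log_group and mode & stat.S_IRGRP:
        return "policy"      # the proposed root.adm, -rw-r----- case
    return "exception"       # needs another group (e.g. mail, proxy) or root


def audit(log_dir="/var/log", log_group="adm"):
    """Return (path, verdict, group, octal mode) for each regular file.

    Only file permissions are checked; search permission on the parent
    directories is not.
    """
    findings = []
    for root, _dirs, files in os.walk(log_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue     # vanished (rotation) or directory not searchable
            if stat.S_ISREG(st.st_mode):
                findings.append((path, classify(st, log_group),
                                 group_name(st.st_gid),
                                 oct(stat.S_IMODE(st.st_mode))))
    return findings


if __name__ == "__main__":
    for path, verdict, group, mode in audit():
        if verdict == "exception":
            print(f"{mode} {group:<8} {path}")
```

Run as an unprivileged user, it prints only the exceptions, so the group column shows which extra group memberships a log processor would need.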
