Re: shouldn't root.adm , -rw-r----- , be policy for all non-public log files?

On Mon, Aug 26, 2002 at 06:13:30PM +0200, Joost van Baal wrote:
> Hi,
> I maintain the Lire package, which processes log files from e.g.
> sendmail, bind, apache, boa and lots of other services.  I don't want to
> run any Lire processes as root.  However, of course, the processes need

	Which is quite sensible on your behalf.

> read access to log files.  Unfortunately, there seems to be no rule or
> policy on how access permissions for log files should be.  Wouldn't it
> be nice if all non-public log files were owned by group `adm', and
> groupreadable?  (World readability for public log files is fine too, of
> course.)  Currently, this is the case for quite a lot of commonly found
> log files.

I recently added a FAQ item in the "Securing Debian Manual" 

AFAIK there is no policy regarding log files, however, there *should* be one.

> , although similar issues were raised, no conclusion seems to have been
> reached on this specific subject (other than "adm is to read logs".)
	If so then policy should tell package maintainers to create logs
as root.adm or package_user.adm. IMHO the problem should be fixed by clarifying the
policy and having it written down. How about submitting a policy proposal?
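
An added example, not part of the original message and not code from Lire or Debian: a small Python audit that reports log files deviating from the root.adm, -rw-r----- convention discussed in this thread. The function names, and the choice to flag world-readable files for review instead of keeping a list of public logs, are assumptions of this example.

```python
import grp
import os
import stat
import sys

LOG_GROUP = "adm"  # group the thread proposes for reading non-public logs


def classify(mode, group_name):
    """Return deviations from group adm / -rw-r----- for one file.

    mode is st_mode or bare permission bits; group_name is the owning group.
    """
    perms = stat.S_IMODE(mode)
    problems = []
    if perms & stat.S_IROTH:
        # Fine for public logs only, so it is reported for a human to decide.
        problems.append("world-readable")
    if perms & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or other")
    if group_name != LOG_GROUP:
        problems.append("group is %s, not %s" % (group_name, LOG_GROUP))
    elif not perms & stat.S_IRGRP:
        problems.append("group %s cannot read" % LOG_GROUP)
    return problems


def group_name_of(gid):
    """Map a gid to its name, falling back to the number if it is unknown."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit(root):
    """Yield (path, problems) for each regular file under root that deviates."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of root
            except OSError:
                continue  # rotated away or unreadable while walking
            if stat.S_ISREG(st.st_mode):
                problems = classify(st.st_mode, group_name_of(st.st_gid))
                if problems:
                    yield path, problems


if __name__ == "__main__":
    for path, problems in audit(sys.argv[1] if len(sys.argv) > 1 else "/var/log"):
        print("%s: %s" % (path, "; ".join(problems)))
```

A non-root log processor that is a member of group adm can read every file this audit reports nothing for.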



