On all my Debian systems, /var/log seems like a big pile of dumps without much consistency. Especially, while 0640:root:adm seems to be a commonly accepted guideline, proggies like aptitude, scrollkeeper, X, xdm, fontconfig, and many others basically just dump their files world-readable into there. There are very few files in /var/log that need to have world-read rights. Most log files do not, and probably should not, as they may contain sensitive information (mail.log's data is considered private in many EU states, for example). I would like to standardise /var/log on Debian systems. Having 0640:root:adm be the goal on all files (unless it needs to be otherwise), I therefore - first suggest to make /var/log group adm and setgid, so that any new files automatically belong to group adm. - second suggest to amend the policy (in the long run) to demand packages to umask to 0270 before writing to the directory. This would go for syslogd as well as any other programme and yield 0640 files by default. The main problems I see are with daemons not running as root, which can therefore not create adm-group-owned files. Pre-touching the files in the postinst and using logrotate's defaults seems to solve this. Other than that, however, I do not see any immediate problems. Please contribute your thoughts. PS: maybe we can also flatten news/* or deepen mail.* on the way. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <firstname.lastname@example.org> : :' : proud Debian developer, admin, user, and author `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
Description: Digital signature