[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

/var/log on Debian systems

On all my Debian systems, /var/log seems like a big pile of dumps
without much consistency. Especially, while 0640:root:adm seems to
be a commonly accepted guideline, proggies like aptitude,
scrollkeeper, X, xdm, fontconfig, and many others basically just
dump their files world-readable into there.

There are very few files in /var/log that need to have world-read
rights. Most log files do not, and probably should not, as they may
contain sensitive information (mail.log's data is considered private
in many EU states, for example).

I would like to standardise /var/log on Debian systems. Having
0640:root:adm be the goal on all files (unless it needs to be
otherwise), I therefore

  - first suggest to make /var/log group adm and setgid, so that any
    new files automatically belong to group adm.
  - second suggest to amend the policy (in the long run) to demand
    packages to umask to 0270 before writing to the directory. This
    would go for syslogd as well as any other programme and yield
    0640 files by default.

The main problems I see are with daemons not running as root, which
can therefore not create adm-group-owned files. Pre-touching the
files in the postinst and using logrotate's defaults seems to solve
this. Other than that, however, I do not see any immediate problems.

Please contribute your thoughts.

PS: maybe we can also flatten news/* or deepen mail.* on the way.

Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

Attachment: signature.asc
Description: Digital signature

Reply to: