On Sun, Jul 09, 2000 at 06:01:08PM +0200, Sven Burgener wrote:
> Hi all
>
> What should be the permissions of the log files located in /var/log?
> Where could I find out such a thing if something has changed
> unexpectedly / unintendedly?
>
> I am unsure because I think I *might* have changed some permissions
> with my logrotate.conf.

most logrotation scripts set the permissions to 640 (-rw-r-----) root.adm,
but oddly enough after an initial install most log files have 644
root.root permissions until the logrotations get done.

640 root.adm is correct IMO for most log files; wtmp, utmp, btmp,
lastlog, dmesg are exceptions to this. (dmesg since anyone can get that
info anyway) any users who should be allowed to read logs are added to
group adm.

one thing to watch for is your apache logs, by default the apache cron
job will chown them to www-data.www-data mode 664, this is *wrong*, they
should be root.root 644 or root.adm 640 (depending on your preference).
apache.org states that log files should not be owned by the user apache
runs as. (otherwise anyone who is allowed to have cgi can tamper with
your logs)

> This is what I have currently:
>
> # ls -lR /var/log
>
> /var/log:
> total 3376
> drwxr-xr-x 2 root root 1024 Jun 4 12:07 apache
> -rw-r----- 1 root adm 218944 Jul 9 17:55 auth.log
> -rw-r--r-- 1 root root 450626 Jul 9 17:31 daemon.log
> -rw-r--r-- 1 root root 183661 Jul 5 00:07 debug

640 root.adm IMO

> -rw-r--r-- 1 root root 3604 Jul 9 11:31 dmesg

this is fine since anyone can run dmesg.

> drwxr-xr-x 2 mail mail 1024 Jul 7 08:20 exim

don't know anything about exim, but i don't like the looks of that.

> -rw-r--r-- 1 root root 24192 Jul 9 17:55 faillog

i am not quite sure who uses this file, the failed logins message you
get when you login comes from btmp iirc.

> -rw-r--r-- 1 root root 578067 Jul 9 11:32 kern.log

640 root.adm IMO

> drwxr-xr-x 2 root root 20480 Jul 9 11:32 ksymoops

i would change permission on the ksymoops directory to 750, i have seen
a lot of mode 0666 files created in there.

> -rw-rw-r-- 1 root utmp 294336 Jul 9 17:55 lastlog

correct

> -rw-r--r-- 1 root root 0 Jun 3 17:46 lpr.log
> -rw-r--r-- 1 root root 0 Jun 3 17:46 mail.err
> -rw-r--r-- 1 root root 10994 Jun 10 12:38 mail.info
> -rw-r--r-- 1 root root 10994 Jun 10 12:38 mail.log
> -rw-r--r-- 1 root root 0 Jun 3 17:46 mail.warn

640 root.adm IMO

> -rw-rw-r-- 1 root utmp 181920 Jul 9 17:51 messages

this is wrong, should be 640 root.adm.

> -rw-r--r-- 1 root root 99798 Jul 4 08:08 messages.1.gz
> -rw-r--r-- 1 root root 27027 Jul 9 11:37 nmb

640 root.adm IMO

> -rw------- 1 root root 0 Jun 3 19:45 ppp-connect-errors

good, your ppp password could find its way in there.

> -rw-r----- 1 root adm 4786 Jul 7 08:21 setuid.changes
> -rw-r----- 1 root adm 4786 Jul 6 08:21 setuid.changes.0
> -rw-r----- 1 root adm 703 Jul 5 08:21 setuid.changes.1.gz
> -rw-r----- 1 root adm 702 Jul 4 08:21 setuid.changes.2.gz
> -rw-r----- 1 root adm 705 Jun 30 08:21 setuid.changes.3.gz
> -rw-r----- 1 root adm 22428 Jun 29 19:21 setuid.changes.4.gz
> -rw-r----- 1 root adm 37 Jun 29 19:21 setuid.changes.5.gz
> -rw-r----- 1 root root 372715 Jul 7 08:21 setuid.today
> -rw-r----- 1 root root 372715 Jul 6 08:21 setuid.yesterday

good

> -rw-r--r-- 1 root root 105913 Jul 9 12:46 smb

root.adm 640 IMO.

> -rw-r----- 1 root adm 111830 Jul 9 17:44 syslog
> -rw-r----- 1 root adm 41605 Jul 7 08:20 syslog.0
> -rw-r----- 1 root adm 6434 Jul 6 08:20 syslog.1.gz
> -rw-r----- 1 root adm 11561 Jul 5 08:20 syslog.2.gz
> -rw-r----- 1 root adm 75 Jul 4 08:21 syslog.3.gz
> -rw-r----- 1 root adm 5394 Jun 30 08:20 syslog.4.gz
> -rw-r----- 1 root adm 22469 Jul 4 08:21 syslog.5.gz

good

> -rw-r--r-- 1 root root 29 Jul 3 20:28 user.log

i have never had anything logged to user.log so this may be fine, mine
are root.adm 640 though.

> -rw-r--r-- 1 root root 0 Jun 3 17:46 uucp.log

root.adm 640.

> -rw-rw-r-- 1 root utmp 467328 Jul 9 17:55 wtmp
> -rw-rw-r-- 1 root utmp 60426 Jul 4 07:33 wtmp.1.gz

good.

> /var/log/apache:
> total 320
> -rw-r--r-- 1 root root 291873 Jul 9 15:43 access.log
> -rw-r--r-- 1 root root 29995 Jul 9 11:32 error.log

good, don't let this get changed to www-data, see /etc/apache/cron.conf
(iirc) and set CHOWN_LOG_FILES=0 (or something like that)

> /var/log/exim:
> total 299
> -rw-r----- 1 mail mail 168534 Jul 9 17:07 mainlog
> -rw-r----- 1 mail mail 81212 Jul 7 08:20 mainlog.0
[...]
> -rw-r----- 1 mail mail 366 Jun 11 18:31 rejectlog.5.gz

don't know anything about exim, but i don't really like the mail.mail
ownership.

> /var/log/ksymoops:
> total 3898
> [snipped]
> -rw-r--r-- 1 root root 39986 Jul 9 13:31 20000709133147.ksyms
> -rw-r--r-- 1 root root 718 Jul 9 13:31 20000709133147.modules

i am not entirely sure where these come from so i just set the ksymoops
directory to 750 and leave the files inside alone since they keep
appearing. (all too often with 0666 permissions...)

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
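As an added example (not part of the thread, and not Ethan's or Sven's code), the following shell script turns the policy argued in the reply above into a check that can be run over an `ls -l /var/log` listing: 640 root.adm by default, the wtmp/lastlog, dmesg and ppp-connect-errors exceptions as they appear in the listing, either accepted owner for the apache logs and a flag on anything owned by www-data. The function names, the policy table and the sample listing are this example's own assumptions; utmp and btmp are named as exceptions in the post without values, so the script skips them rather than guessing.

```sh
#!/bin/sh
# Added example, not part of the original thread: audit an `ls -l` listing of
# /var/log against the ownership/mode policy argued for in the post above.
#
#   default                 -rw-r----- root adm    (640 root.adm)
#   wtmp*, lastlog          -rw-rw-r-- root utmp   (called "good"/"correct" above)
#   dmesg                   -rw-r--r-- root root   (anyone can run dmesg)
#   ppp-connect-errors      -rw------- root root   (ppp password may land there)
#   apache access/error log root root 644 or root adm 640, never www-data
#   utmp, btmp              named as exceptions but no values given: skipped
#
# Function names are this example's own; the policy table is my reading of the post.

# policy_for NAME -> prints one "MODE OWNER GROUP" line per acceptable
# alternative, or the single word "skip".
policy_for() {
    case "$1" in
        wtmp|wtmp.*|lastlog)        echo "-rw-rw-r-- root utmp" ;;
        dmesg)                      echo "-rw-r--r-- root root" ;;
        ppp-connect-errors)         echo "-rw------- root root" ;;
        access.log*|error.log*)     echo "-rw-r--r-- root root"
                                    echo "-rw-r----- root adm" ;;
        utmp|btmp)                  echo "skip" ;;
        *)                          echo "-rw-r----- root adm" ;;
    esac
}

# audit_listing < LISTING -> prints "FIX name: have [...], want [...]" for every
# file that deviates; exit status 0 when the listing is clean, 1 otherwise.
# Directories and the "total N" header line are ignored.
audit_listing() {
    bad=0
    while read -r mode links owner group size month day tm name || [ -n "$mode" ]; do
        case "$mode" in
            ''|total*|d*) continue ;;
        esac
        [ -n "$name" ] || continue
        policy=$(policy_for "$name")
        [ "$policy" = skip ] && continue
        have="$mode $owner $group"
        # -x: whole-line match, -F: literal, --: "have" starts with a dash
        if ! printf '%s\n' "$policy" | grep -qxF -- "$have"; then
            want=$(printf '%s' "$policy" | tr '\n' '|')
            printf 'FIX %s: have [%s], want [%s]\n' "$name" "$have" "$want"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample: a few lines taken from the listing in the thread, plus an
# access.log line altered to show the www-data ownership the apache cron job
# produces (not what Sven's box actually showed).
SAMPLE_LISTING='total 3376
drwxr-xr-x 2 root root 1024 Jun 4 12:07 apache
-rw-r----- 1 root adm 218944 Jul 9 17:55 auth.log
-rw-r--r-- 1 root root 183661 Jul 5 00:07 debug
-rw-r--r-- 1 root root 3604 Jul 9 11:31 dmesg
-rw-rw-r-- 1 root utmp 181920 Jul 9 17:51 messages
-rw------- 1 root root 0 Jun 3 19:45 ppp-connect-errors
-rw-rw-r-- 1 root utmp 467328 Jul 9 17:55 wtmp
-rw-rw-r-- 1 www-data www-data 291873 Jul 9 15:43 access.log'

# Usage on the sample; on a live box: ls -l /var/log | audit_listing
if printf '%s\n' "$SAMPLE_LISTING" | audit_listing; then
    echo "listing is clean"
else
    echo "deviations found, see FIX lines above"
fi
```

On the sample this reports debug, messages and access.log, which is exactly what the reply above flags. The listing is parsed with `read` rather than `stat` so the check runs on a saved `ls -l` output, for example one mailed in a question like this, and needs no root. The state the script checks for is what a `create 0640 root adm` line in logrotate.conf produces at rotation time, which is the directive to look at when a rotated file comes back with different permissions.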