
Re: file permissions in /var/log



On Sun, Jul 09, 2000 at 06:01:08PM +0200, Sven Burgener wrote:
> Hi all
> 
> What should be the permissions of the log files located in /var/log?
> Where could I find out such a thing if something has changed
> unexpectedly / unintendedly?
> 
> I am unsure because I think I *might* have changed some permissions 
> with my logrotate.conf.

most logrotation scripts set the permissions to 640 (-rw-r-----)
root.adm, but oddly enough after an initial install most log files
have 644 root.root permissions until the logrotations get done.  

640 root.adm is correct IMO for most log files, wtmp, utmp, btmp,
lastlog, dmesg are exceptions to this.  (dmesg since anyone can get
that info anyway) any users who should be allowed to read logs are
added to group adm.  

one thing to watch for is your apache logs, by default the apache cron
job will chown them to www-data.www-data mode 664, this is *wrong*
they should be root.root 644 or root.adm 640 (depending on your
preference) apache.org states that log files should not be owned by
the user apache runs as. (otherwise anyone who is allowed to have cgi
can tamper with your logs) 

> This is what I have currently:
> 
> # ls -lR /var/log
> 
> /var/log:
> total 3376
> drwxr-xr-x    2 root     root         1024 Jun  4 12:07 apache
> -rw-r-----    1 root     adm        218944 Jul  9 17:55 auth.log
> -rw-r--r--    1 root     root       450626 Jul  9 17:31 daemon.log
> -rw-r--r--    1 root     root       183661 Jul  5 00:07 debug

640 root.adm IMO

> -rw-r--r--    1 root     root         3604 Jul  9 11:31 dmesg

this is fine since anyone can run dmesg.

> drwxr-xr-x    2 mail     mail         1024 Jul  7 08:20 exim

don't know anything about exim, but i don't like the looks of that.

> -rw-r--r--    1 root     root        24192 Jul  9 17:55 faillog

i am not quite sure who uses this file, the failed logins message you
get when you login comes from btmp iirc.

> -rw-r--r--    1 root     root       578067 Jul  9 11:32 kern.log

640 root.adm IMO

> drwxr-xr-x    2 root     root        20480 Jul  9 11:32 ksymoops

i would change permission on the ksymoops directory to 750, i have
seen a lot of mode 0666 files created in there.  

> -rw-rw-r--    1 root     utmp       294336 Jul  9 17:55 lastlog

correct

> -rw-r--r--    1 root     root            0 Jun  3 17:46 lpr.log
> -rw-r--r--    1 root     root            0 Jun  3 17:46 mail.err
> -rw-r--r--    1 root     root        10994 Jun 10 12:38 mail.info
> -rw-r--r--    1 root     root        10994 Jun 10 12:38 mail.log
> -rw-r--r--    1 root     root            0 Jun  3 17:46 mail.warn

640 root.adm IMO

> -rw-rw-r--    1 root     utmp       181920 Jul  9 17:51 messages

this is wrong, should be 640 root.adm.  

> -rw-r--r--    1 root     root        99798 Jul  4 08:08 messages.1.gz
> -rw-r--r--    1 root     root        27027 Jul  9 11:37 nmb

640 root.adm IMO

> -rw-------    1 root     root            0 Jun  3 19:45 ppp-connect-errors

good, your ppp password could find its way in there.

> -rw-r-----    1 root     adm          4786 Jul  7 08:21 setuid.changes
> -rw-r-----    1 root     adm          4786 Jul  6 08:21 setuid.changes.0
> -rw-r-----    1 root     adm           703 Jul  5 08:21 setuid.changes.1.gz
> -rw-r-----    1 root     adm           702 Jul  4 08:21 setuid.changes.2.gz
> -rw-r-----    1 root     adm           705 Jun 30 08:21 setuid.changes.3.gz
> -rw-r-----    1 root     adm         22428 Jun 29 19:21 setuid.changes.4.gz
> -rw-r-----    1 root     adm            37 Jun 29 19:21 setuid.changes.5.gz
> -rw-r-----    1 root     root       372715 Jul  7 08:21 setuid.today
> -rw-r-----    1 root     root       372715 Jul  6 08:21 setuid.yesterday

good

> -rw-r--r--    1 root     root       105913 Jul  9 12:46 smb

root.adm 640 IMO.

> -rw-r-----    1 root     adm        111830 Jul  9 17:44 syslog
> -rw-r-----    1 root     adm         41605 Jul  7 08:20 syslog.0
> -rw-r-----    1 root     adm          6434 Jul  6 08:20 syslog.1.gz
> -rw-r-----    1 root     adm         11561 Jul  5 08:20 syslog.2.gz
> -rw-r-----    1 root     adm            75 Jul  4 08:21 syslog.3.gz
> -rw-r-----    1 root     adm          5394 Jun 30 08:20 syslog.4.gz
> -rw-r-----    1 root     adm         22469 Jul  4 08:21 syslog.5.gz

good

> -rw-r--r--    1 root     root           29 Jul  3 20:28 user.log

i have never had anything logged to user.log so this may be fine, mine
are root.adm 640 though.

> -rw-r--r--    1 root     root            0 Jun  3 17:46 uucp.log

root.adm 640.

> -rw-rw-r--    1 root     utmp       467328 Jul  9 17:55 wtmp
> -rw-rw-r--    1 root     utmp        60426 Jul  4 07:33 wtmp.1.gz

good.

> /var/log/apache:
> total 320
> -rw-r--r--    1 root     root       291873 Jul  9 15:43 access.log
> -rw-r--r--    1 root     root        29995 Jul  9 11:32 error.log

good, don't let this get changed to www-data, see
/etc/apache/cron.conf (iirc) and set CHOWN_LOG_FILES=0  (or something
like that)

> /var/log/exim:
> total 299
> -rw-r-----    1 mail     mail       168534 Jul  9 17:07 mainlog
> -rw-r-----    1 mail     mail        81212 Jul  7 08:20 mainlog.0
[...]
> -rw-r-----    1 mail     mail          366 Jun 11 18:31 rejectlog.5.gz

don't know anything about exim, but i don't really like the mail.mail ownership.

> /var/log/ksymoops:
> total 3898
> [snipped]
> -rw-r--r--    1 root     root        39986 Jul  9 13:31 20000709133147.ksyms
> -rw-r--r--    1 root     root          718 Jul  9 13:31 20000709133147.modules

i am not entirely sure where these come from so i just set the
ksymoops directory to 750 and leave the files inside alone since they
keep appearing.  (all too often with 0666 permissions...)

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
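
Added example, not part of the original message: a small audit that applies the policy described above (root-owned, no world or group write, no world read, with wtmp, utmp, btmp, lastlog and dmesg exempt) to every file under /var/log, which also answers the "what changed unexpectedly" question when run from cron. The function names are hypothetical; it assumes the stricter 640 choice for Apache logs too and does not check which group owns a file.

```python
import os
import pwd
import stat

# Names the message lists as exceptions to 640 root.adm.
EXCEPTIONS = {"wtmp", "utmp", "btmp", "lastlog", "dmesg"}

def base_name(name):
    """Strip rotation suffixes: 'messages.1.gz' -> 'messages'."""
    parts = name.split(".")
    while len(parts) > 1 and (parts[-1] == "gz" or parts[-1].isdigit()):
        parts.pop()
    return ".".join(parts)

def check(name, mode, owner):
    """Return findings for one log file (empty list = matches the policy)."""
    findings = []
    if owner != "root":
        findings.append(f"owner is {owner}, not root")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if base_name(name) not in EXCEPTIONS:
        if mode & stat.S_IWGRP:
            findings.append("group-writable")
        if mode & stat.S_IROTH:
            findings.append("world-readable")
    return findings

def owner_name(uid):
    """Resolve a uid to a user name, falling back to the number."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def audit_tree(root="/var/log"):
    """Walk root and map each non-compliant regular file to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            findings = check(name, stat.S_IMODE(st.st_mode), owner_name(st.st_uid))
            if findings:
                report[path] = findings
    return report

if __name__ == "__main__":
    for path, findings in sorted(audit_tree().items()):
        print(f"{path}: {', '.join(findings)}")
```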
