[Xymon] Hobbit Permission Problem

David Baldwin david.baldwin at ausport.gov.au
Tue Mar 29 06:09:21 CEST 2011


Adam,
> Hi all,
>
> I've got a bit of a problem across a number of machines which I'm having
> some trouble working out.
>
> Basically, the problem is my hobbit user can't display my log files:
> hobbit@host:/var/log$ cat messages
> cat: messages: Permission denied
>
> However, the user has these permissions/groups
> hobbit@host:/var/log$ id
> uid=110(hobbit) gid=110(hobbit) groups=0(root),4(adm),110(hobbit)
>
> The directories leading to the file have these permissions:
> hobbit@host:/var/log$ ls -ld /
> drwxr-xr-x 24 root root 4096 Nov 19  2009 /
> hobbit@host:/var/log$ ls -ld /var
> drwxr-xr-x 15 root root 4096 Nov 19  2009 /var
> hobbit@host:/var/log$ ls -ld /var/log
> drwxr-xr-x 14 root root 4096 Mar 29 08:46 /var/log
>
> The file has read permissions to the adm group of which we are a member
> (above)
> hobbit@host:/var/log$ ls -ld /var/log/messages
> -rw-r----- 1 root adm 21353 Mar 29 13:27 /var/log/messages
>
A shortcut for just checking modes is namei

# namei -m /var/log/messages
f: /var/log/messages
 drwxr-xr-x /
 drwxr-xr-x var
 drwxr-xr-x log
 -rwxr-x--- messages

> Finally, here is all the info I can see on the file:
> hobbit@host:/var/log$ stat /var/log/messages
>   File: `/var/log/messages'
>   Size: 21353           Blocks: 48         IO Block: 1048576 regular file
> Device: eh/14d  Inode: 4202796     Links: 1
> Access: (0640/-rw-r-----)  Uid: (    0/    root)   Gid: (    4/     adm)
> Access: 2011-03-28 20:21:00.000000000 +1100
> Modify: 2011-03-29 13:27:00.000000000 +1100
> Change: 2011-03-29 13:27:00.000000000 +1100
>
> I'm running a fairly standard Debian lenny
>
> The root user has no problem reading/writing the file/etc....
>
> Any pointers would be appreciated....

My solution to this one is to modify /etc/logrotate.d/syslog and change
group permissions on the file in question. A better solution might be to
use ACLs, but I tried that once and ran into an issue where the '-r' test
didn't respect ACLs when checking whether it could read the log file! That
may have been back in the days of BB even... Group permissions haven't
caused any issues anyway :)

If your distro uses something other than logrotate to manage file
rotation you'll need to work out an appropriate recipe...

# cat /etc/logrotate.d/syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
        chmod 750 /var/log/messages
        chgrp hobbit /var/log/messages
    endscript
}

David.

-- 
David Baldwin - IT Unit
Australian Sports Commission          www.ausport.gov.au
Tel 02 62147830 Fax 02 62141830       PO Box 176 Belconnen ACT 2616
david.baldwin at ausport.gov.au          Leverrier Street Bruce ACT 2617
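
Added example (not part of the original message, and not Xymon/Hobbit code): a Python sketch of the classic owner/group/other mode check, run over the modes, owners and ids quoted in the thread and over the file as it looks after the postrotate chmod/chgrp. All function and constant names are hypothetical; root's override and ACLs are not modelled, and access_vs_open() compares an access()-style readability test with a real open, the kind of mismatch mentioned above for '-r'.

```python
import os
import stat

def class_bits(mode, owner_uid, owner_gid, uid, gids):
    """rwx triplet (0-7) of the one class that applies; uid 0 and ACLs not modelled."""
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def check_path(components, uid, gids):
    """components: (name, mode, owner_uid, owner_gid) tuples, "/" first, file last."""
    *dirs, leaf = components
    for name, mode, o_uid, o_gid in dirs:
        if not class_bits(mode, o_uid, o_gid, uid, gids) & 1:
            return False, "no search (x) permission on " + name
    name, mode, o_uid, o_gid = leaf
    if not class_bits(mode, o_uid, o_gid, uid, gids) & 4:
        return False, "no read (r) permission on " + name
    return True, "mode bits grant read"

def stat_components(path):
    """Gather the same tuples from the live filesystem (namei -m plus owners)."""
    names = [os.path.abspath(path)]
    while os.path.dirname(names[-1]) != names[-1]:
        names.append(os.path.dirname(names[-1]))
    stats = [(n, os.stat(n)) for n in reversed(names)]
    return [(n, stat.S_IMODE(s.st_mode), s.st_uid, s.st_gid) for n, s in stats]

def access_vs_open(path):
    """(result of an access()-style readability test, whether a real open works)."""
    try:
        open(path, "rb").close()
    except OSError:
        return os.access(path, os.R_OK), False
    return os.access(path, os.R_OK), True

# From the thread's ls/stat/id output; FIXED = after chmod 750 + chgrp hobbit (gid 110).
POSTED = [("/", 0o755, 0, 0), ("/var", 0o755, 0, 0), ("/var/log", 0o755, 0, 0),
          ("/var/log/messages", 0o640, 0, 4)]
FIXED = POSTED[:3] + [("/var/log/messages", 0o750, 0, 110)]
HOBBIT_UID, HOBBIT_GIDS = 110, {0, 4, 110}

if __name__ == "__main__":
    print(check_path(POSTED, HOBBIT_UID, HOBBIT_GIDS))   # situation in the thread
    print(check_path(FIXED, HOBBIT_UID, {110}))          # primary group only
    me = set(os.getgroups()) | {os.getegid()}
    print(check_path(stat_components(__file__), os.geteuid(), me), access_vs_open(__file__))
```

When check_path() says the mode bits grant read but the second value from access_vs_open() is False, the denial comes from something the mode bits do not describe.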

