<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;}
@font-face
{font-family:"\@MS Mincho";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:Arial;
color:windowtext;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:Arial'>I’ve come
upon a simple and (seemingly) secure workaround for when you can’t loosen ownership
privileges on a log file that you need automatically monitored by the Xymon
client (or if you have multiple logs that may or may not get re-created by
different users)… Set your copies of logfetch to setgid some neutral, but
ever-present group… eg. “daemon”<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:Arial'>In my case:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:Arial'>] chmod 2710
/usr/libexec/xymon-client/logfetch<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:Arial'>] ls –la /usr/libexec/xymon-client/logfetch
<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:Arial'>-rwx--s---
1 xymon daemon 84654 Jul 17 10:30 /usr/libexec/xymon-client/logfetch<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:Arial'>Simply
chgrp daemon and chmod g+r whatever log files you’re going to need to be
examined.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:Arial'>The best
someone can do now is read log files they wouldn’t otherwise be able to, but
you won’t have to deal with the implications of superuser (supergroup?) privileges
regardless of what future security vulnerabilities might be found. In my case,
there are boxes that I can’t install a new user account o, or am running the
xymon client via a passive SSH call, but I’m not especially worried about local
log file reading. Here I can chmod 2711 logfetch, allowing any user to read
logs (ie, run hobbitclient.sh) while not having to deal with setuid root
concerns.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:Arial'>HTH,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:Arial'>Japheth
Cleaver<o:p></o:p></span></p>
</div>
</body>
</html>