[Xymon] Hobbit Permission Problem
David Baldwin
david.baldwin at ausport.gov.au
Tue Mar 29 06:09:21 CEST 2011
Adam,
> Hi all,
>
> I've got a bit of a problem across a number of machines which I'm having
> some trouble working out.
>
> Basically, the problem is my hobbit user can't display my log files:
> hobbit@host:/var/log$ cat messages
> cat: messages: Permission denied
>
> However, the user has these permissions/groups
> hobbit@host:/var/log$ id
> uid=110(hobbit) gid=110(hobbit) groups=0(root),4(adm),110(hobbit)
>
> The directories leading to the file have these permissions:
> hobbit@host:/var/log$ ls -ld /
> drwxr-xr-x 24 root root 4096 Nov 19 2009 /
> hobbit@host:/var/log$ ls -ld /var
> drwxr-xr-x 15 root root 4096 Nov 19 2009 /var
> hobbit@host:/var/log$ ls -ld /var/log
> drwxr-xr-x 14 root root 4096 Mar 29 08:46 /var/log
>
> The file has read permissions to the adm group of which we are a member
> (above)
> hobbit@host:/var/log$ ls -ld /var/log/messages
> -rw-r----- 1 root adm 21353 Mar 29 13:27 /var/log/messages
>
A shortcut for just checking modes is namei
# namei -m /var/log/messages
f: /var/log/messages
drwxr-xr-x /
drwxr-xr-x var
drwxr-xr-x log
-rwxr-x--- messages
> Finally, here is all the info I can see on the file:
> hobbit@host:/var/log$ stat /var/log/messages
> File: `/var/log/messages'
> Size: 21353 Blocks: 48 IO Block: 1048576 regular file
> Device: eh/14d Inode: 4202796 Links: 1
> Access: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 4/ adm)
> Access: 2011-03-28 20:21:00.000000000 +1100
> Modify: 2011-03-29 13:27:00.000000000 +1100
> Change: 2011-03-29 13:27:00.000000000 +1100
>
> I'm running a fairly standard Debian lenny
>
> The root user has no problem reading/writing the file/etc....
>
> Any pointers would be appreciated....

My solution to this one is to modify /etc/logrotate.d/syslog and change
group permissions on the file in question. A better solution might be to
use ACLs, but I tried that once and ran into an issue where '-r' test
didn't respect ACLs when checking it could read the log file! That may
have been back in the days of BB even... Group permissions haven't
caused any issues anyway :)

If your distro uses something other than logrotate to manage file
rotation you'll need to work out an appropriate recipe...

# cat /etc/logrotate.d/syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler
/var/log/boot.log /var/log/cron {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
        chmod 750 /var/log/messages
        chgrp hobbit /var/log/messages
    endscript
}

David.
--
David Baldwin - IT Unit
Australian Sports Commission www.ausport.gov.au
Tel 02 62147830 Fax 02 62141830 PO Box 176 Belconnen ACT 2616
david.baldwin at ausport.gov.au Leverrier Street Bruce ACT 2617
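
The manual ls -ld / namei -m walk from the thread, automated as an added example (not part of the original message, and not Xymon code). It evaluates classic mode bits only; the function names class_allows and path_allows_read are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: classic UNIX mode-bit check only (no ACLs, LSMs, or
# NFS server-side rules). Function names are hypothetical.

# class_allows WANT MODE FILE_UID FILE_GID UID "GID ..."
# WANT: 4 = read, 1 = search a directory. Exactly one class applies:
# owner if the uid matches, else group, else other.
class_allows() {
    want=$1; mode=$((0$2)); fuid=$3; fgid=$4; uid=$5; gids=$6
    if [ "$uid" -eq 0 ]; then return 0; fi      # root bypasses mode bits
    shift_by=0
    if [ "$uid" -eq "$fuid" ]; then
        shift_by=6
    else
        for g in $gids; do
            if [ "$g" -eq "$fgid" ]; then shift_by=3; break; fi
        done
    fi
    [ $(( (mode >> shift_by) & want )) -ne 0 ]
}

# path_allows_read UID "GID ..." FILE
# Walks from / down to FILE: each directory needs search, FILE needs read.
# Returns 0 = allowed, 1 = denied (prints the component), 2 = stat failed.
path_allows_read() {
    w_uid=$1; w_gids=$2; target=$3
    chain=$target; p=$target
    while [ "$p" != "/" ] && [ "$p" != "." ]; do
        p=$(dirname "$p")
        chain="$p
$chain"
    done
    while IFS= read -r comp; do
        need=1
        if [ "$comp" = "$target" ]; then need=4; fi
        st=$(stat -L -c '%a %u %g' "$comp" 2>/dev/null) || return 2  # GNU stat
        set -- $st
        if ! class_allows "$need" "$1" "$2" "$3" "$w_uid" "$w_gids"; then
            echo "blocked at $comp (mode $1, uid $2, gid $3)"
            return 1
        fi
    done <<EOF
$chain
EOF
}

# Values from the thread: uid 110, groups 0 4 110, file 0640 root(0):adm(4).
class_allows 4 0640 0 4 110 "0 4 110" && echo "0640 root:adm: mode bits allow read"
# Same file after the postrotate chmod 750 / chgrp hobbit (gid 110):
class_allows 4 0750 0 110 110 "110" && echo "0750 root:hobbit: mode bits allow read"
```

On a live host it would be called as path_allows_read "$(id -u hobbit)" "$(id -G hobbit)" /var/log/messages. If it reports the path as allowed while cat still fails, the denial comes from something mode bits do not show.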