[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
logfetch workaround (sanity check?)
- To: <hobbit (at) hswn.dk>
- Subject: logfetch workaround (sanity check?)
- From: "Cleaver, Japheth" <jcleaver (at) soe.sony.com>
- Date: Tue, 28 Jul 2009 18:30:44 -0700
- Thread-index: AcoP7DENob6tTZ1xR32V3jJipFJvSg==
- Thread-topic: logfetch workaround (sanity check?)
Iâve come upon a simple and (seemingly) secure workaround for when you canât loosen ownership privileges on a log file that you need automatically monitored by the Xymon client (or if you have multiple logs that may or may not get re-created by different users)â Set your copies of logfetch to setgid some neutral, but ever-present groupâ eg. âdaemonâ
In my case:
] chmod 2710 /usr/libexec/xymon-client/logfetch
] ls âla /usr/libexec/xymon-client/logfetch
-rwx--s--- 1 xymon daemon 84654 Jul 17 10:30 /usr/libexec/xymon-client/logfetch
Simply chgrp daemon and chmod g+r whatever log files youâre going to need to be examined.
The best someone can do now is read log files they wouldnât otherwise be able to, but you wonât have to deal with the implications of superuser (supergroup?) privileges regardless of what future security vulnerabilities might be found. In my case, there are boxes that I canât install a new user account o, or am running the xymon client via a passive SSH call, but Iâm not especially worried about local log file reading. Here I can chmod 2711 logfetch, allowing any user to read logs (ie, run hobbitclient.sh) while not having to deal with setuid root concerns.
HTH,
Japheth Cleaver