When logs (e.g. /var/log/maillog) are rotated (e.g. to /var/log/maillog-YYYYMDD) is there a way via systemd or whatever to assign read permission to a specific group?
Right now, for example -
ls -l maillog* -rw------- 1 root root 3105240 Mar 13 22:04 maillog -rw------- 1 root root 1079031 Feb 24 04:39 maillog-20190224 -rw------- 1 root root 7237640 Mar 1 12:59 maillog-20190228 -rw------- 1 root root 1297508 Mar 3 04:21 maillog-20190303 -rw------- 1 root root 1319371 Mar 10 08:17 maillog-20190310
What I would like -
ls -l maillog* -rw------- 1 root root 3105240 Mar 13 22:04 maillog -rw-r----- 1 root somegroup 1079031 Feb 24 04:39 maillog-20190224 -rw-r----- 1 root somegroup 7237640 Mar 1 12:59 maillog-20190228 -rw-r----- 1 root somegroup 1297508 Mar 3 04:21 maillog-20190303 -rw-r----- 1 root somegroup 1319371 Mar 10 08:17 maillog-20190310
That way a user in somegroup could run a script that analyzes the rotated logs w/o needing root privileges.
Obviously I could put a script in /etc/cron.hourly that looks for rotated log files and changes ownership / permission, but I am wondering if there is a "proper" way to configure it via systemd or another utility.
On Wed, 2019-03-13 at 15:13 -0700, Alice Wonder wrote:
When logs (e.g. /var/log/maillog) are rotated (e.g. to /var/log/maillog-YYYYMDD) is there a way via systemd or whatever
It's logrotate that does it.
You may want to look at the 'prerotate' and 'postrotate' sections of the logrotate config files - I'm sure you should be able concoct something that will do what you want.
P.
On 3/13/19 11:13 PM, Alice Wonder wrote:
When logs (e.g. /var/log/maillog) are rotated (e.g. to /var/log/maillog-YYYYMDD) is there a way via systemd or whatever to assign read permission to a specific group?
Add the following line to /etc/logrotate.d/syslog, e.g. after sharedscripts:
create 640 root somegroup
On Thu, 2019-03-14 at 11:51 +0100, Mogens Kjaer wrote:
On 3/13/19 11:13 PM, Alice Wonder wrote:
When logs (e.g. /var/log/maillog) are rotated (e.g. to /var/log/maillog-YYYYMDD) is there a way via systemd or whatever to assign read permission to a specific group?
Add the following line to /etc/logrotate.d/syslog, e.g. after sharedscripts:
create 640 root somegroup
I thought the create command created the new log with those permissions not changed the owner/permission of the rotated logs. Alice said she would like:
-rw------- 1 root root 3105240 Mar 13 22:04 maillog -rw-r----- 1 root somegroup 1079031 Feb 24 04:39 maillog-20190224 -rw-r----- 1 root somegroup 7237640 Mar 1 12:59 maillog-20190228 -rw-r----- 1 root somegroup 1297508 Mar 3 04:21 maillog-20190303 -rw-r----- 1 root somegroup 1319371 Mar 10 08:17 maillog-20190310
P.
Maybe I'm missing something here but doesn't logrotate have the 'postrotate ... endscript' block for its configuration files where you can run any command you desire?
Leroy Tennison Network Information/Cyber Security Specialist E: leroy@datavoiceint.com 2220 Bush Dr McKinney, Texas 75070 www.datavoiceint.com This message has been sent on behalf of a company that is part of the Harris Operating Group of Constellation Software Inc. These companies are listed here . If you prefer not to be contacted by Harris Operating Group please notify us . This message is intended exclusively for the individual or entity to which it is addressed. This communication may contain information that is proprietary, privileged or confidential or otherwise legally exempt from disclosure. If you are not the named addressee, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this message in error, please notify the sender immediately by e-mail and delete all copies of the message.
________________________________________ From: CentOS centos-bounces@centos.org on behalf of Alice Wonder alice@domblogger.net Sent: Wednesday, March 13, 2019 5:13 PM To: centos@centos.org Subject: [EXTERNAL] [CentOS] read permission on rotated logs
When logs (e.g. /var/log/maillog) are rotated (e.g. to /var/log/maillog-YYYYMDD) is there a way via systemd or whatever to assign read permission to a specific group?
Right now, for example -
ls -l maillog* -rw------- 1 root root 3105240 Mar 13 22:04 maillog -rw------- 1 root root 1079031 Feb 24 04:39 maillog-20190224 -rw------- 1 root root 7237640 Mar 1 12:59 maillog-20190228 -rw------- 1 root root 1297508 Mar 3 04:21 maillog-20190303 -rw------- 1 root root 1319371 Mar 10 08:17 maillog-20190310
What I would like -
ls -l maillog* -rw------- 1 root root 3105240 Mar 13 22:04 maillog -rw-r----- 1 root somegroup 1079031 Feb 24 04:39 maillog-20190224 -rw-r----- 1 root somegroup 7237640 Mar 1 12:59 maillog-20190228 -rw-r----- 1 root somegroup 1297508 Mar 3 04:21 maillog-20190303 -rw-r----- 1 root somegroup 1319371 Mar 10 08:17 maillog-20190310
That way a user in somegroup could run a script that analyzes the rotated logs w/o needing root privileges.
Obviously I could put a script in /etc/cron.hourly that looks for rotated log files and changes ownership / permission, but I am wondering if there is a "proper" way to configure it via systemd or another utility. _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On Thu, 2019-03-14 at 15:45 +0000, Leroy Tennison wrote:
Maybe I'm missing something here but doesn't logrotate have the 'postrotate ... endscript' block for its configuration files where you can run any command you desire?
The problem is knowing the name that the logfile has just been rotated to. The script is only passed the name of the logfile itself and I don't think the name can be accurately constructed from that.
That's why I said some combination of pre- and post- rotate. Something like in the prerotate section change the ownership and permissions, then when it's rotated it should be correct. The create command can then be used to make sure the newly created logfile has the correct ownership/permission.
P.
-
Alice Wonder -
Leroy Tennison -
Mogens Kjaer -
Pete Biggs