Re: s6-log can create current with 640?

From: Colin Booth <colin_at_heliocat.net>
Date: Wed, 23 Oct 2019 04:53:57 +0000

On Wed, Oct 23, 2019 at 01:27:24PM +1100, Dewayne Geraghty wrote:
> Is there any way to tell s6-log to set the mode to ./current to
> something other than 644? 640 is preferred?
>
> For example: I write to the logdir /var/log/httpd/error which has privs:
>
> /var/log/http
> drwx------ 2 uucp uucp 1.0K Oct 23 12:37 error/
>
> Within /var/log/httpd/error
> -rwxr--r-- 1 uucp uucp 190K Oct 23 12:37 @400000005dafaf1b180d862c.s*
> -rw-r----- 1 uucp uucp 0B Oct 23 12:37 state
> -rw-r--r-- 1 uucp uucp 0B Oct 23 12:37 current
>
> I did try umask 037 but that just broke the pipe.
>
> All my log files are of this form
> #!/usr/local/bin/execlineb -P
> s6-setuidgid uucp
> redirfd -r 0 /services/ntp/fifo
> /usr/local/bin/s6-log -b n28 r7000 s200000 S7000000 !"/usr/bin/xz -7q"
> /var/log/ntpd
>
> This is a big deal as I'm about to move my audit processing under s6-rc.
>
> (Aside: Actually I write to a fifo and then redirfd for s6-log to pick
> up the content and manage the log files. All works very nicely :) )

I know it isn't sexy but directory restrictions are good enough in this
situation. In your case, only the uucp user is allowed to descend into
that directory to start with so as long as that guarantee stays in place
the file permissions shouldn't matter. In fact, 640 is *more* permissive
than the parent directory due to the ability for accounts in the uucp
group to observe the file, even if they can't get to the directory to do
it.

Cheers!
-- 
Colin Booth
Received on Wed Oct 23 2019 - 04:53:57 UTC
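
Added example, not part of the original message or of s6: a check that the "directory restrictions are good enough" guarantee described in the reply still holds, by reporting which permission classes can actually reach each file in a logdir. The function names and the `top` parameter are hypothetical; it models plain mode bits only (no ACLs, no root) and assumes a user falls in the same class for every path component.

```python
import os
import stat
import sys

# Per class: (read bit needed on the file, search bit needed on each directory)
CLASSES = {
    "group": (stat.S_IRGRP, stat.S_IXGRP),
    "other": (stat.S_IROTH, stat.S_IXOTH),
}

def ancestors(path, top="/"):
    """Yield each directory from the file's parent up to and including top."""
    top = os.path.realpath(top)
    d = os.path.dirname(os.path.realpath(path))
    while True:
        yield d
        if d == top or d == os.path.dirname(d):
            return
        d = os.path.dirname(d)

def effective_readers(path, top="/"):
    """Return the classes ('group', 'other') that can really read path.

    A class can read the file only if the file grants it read AND every
    directory on the way down grants it search (x) permission.
    """
    file_mode = os.stat(path).st_mode
    dir_modes = [os.stat(d).st_mode for d in ancestors(path, top)]
    readers = set()
    for name, (rbit, xbit) in CLASSES.items():
        if file_mode & rbit and all(m & xbit for m in dir_modes):
            readers.add(name)
    return readers

def audit_logdir(logdir, top="/"):
    """Map each regular file in a logdir to the classes that can read it."""
    report = {}
    for entry in sorted(os.listdir(logdir)):
        full = os.path.join(logdir, entry)
        if os.path.isfile(full):
            report[entry] = effective_readers(full, top)
    return report

if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python3 audit.py /path/to/logdir  (run as the log owner or root)
    for name, readers in audit_logdir(sys.argv[1]).items():
        print(name, "exposed to:", ", ".join(sorted(readers)) or "owner only")
```

An empty set for `current` means its 644 mode is masked by a restrictive ancestor; a non-empty set after a permissions change shows the directory guarantee has lapsed.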