Read Permission On Rotated Logs

Home » CentOS » Read Permission On Rotated Logs
CentOS 5 Comments

When logs (e.g. /var/log/maillog) are rotated (e.g. to
/var/log/maillog-YYYYMDD) is there a way via systemd or whatever to assign read permission to a specific group?

Right now, for example –

ls -l maillog*
-rw——- 1 root root 3105240 Mar 13 22:04 maillog
-rw——- 1 root root 1079031 Feb 24 04:39 maillog-20190224
-rw——- 1 root root 7237640 Mar 1 12:59 maillog-20190228
-rw——- 1 root root 1297508 Mar 3 04:21 maillog-20190303
-rw——- 1 root root 1319371 Mar 10 08:17 maillog-20190310

What I would like –

ls -l maillog*
-rw——- 1 root root 3105240 Mar 13 22:04 maillog
-rw-r—– 1 root somegroup 1079031 Feb 24 04:39 maillog-20190224
-rw-r—– 1 root somegroup 7237640 Mar 1 12:59 maillog-20190228
-rw-r—– 1 root somegroup 1297508 Mar 3 04:21 maillog-20190303
-rw-r—– 1 root somegroup 1319371 Mar 10 08:17 maillog-20190310

That way a user in somegroup could run a script that analyzes the rotated logs w/o needing root privileges.

Obviously I could put a script in /etc/cron.hourly that looks for rotated log files and changes ownership / permission, but I am wondering if there is a “proper” way to configure it via systemd or another utility.

5 thoughts on - Read Permission On Rotated Logs

  • It’s logrotate that does it.

    You may want to look at the ‘prerotate’ and ‘postrotate’ sections of the logrotate config files – I’m sure you should be able concoct something that will do what you want.

    P.

  • Add the following line to /etc/logrotate.d/syslog, e.g. after sharedscripts:

    create 640 root somegroup

  • I thought the create command created the new log with those permissions not changed the owner/permission of the rotated logs. Alice said she would like:

    -rw——- 1 root root 3105240 Mar 13 22:04 maillog
    -rw-r—– 1 root somegroup 1079031 Feb 24 04:39 maillog-20190224
    -rw-r—– 1 root somegroup 7237640 Mar 1 12:59 maillog-20190228
    -rw-r—– 1 root somegroup 1297508 Mar 3 04:21 maillog-20190303
    -rw-r—– 1 root somegroup 1319371 Mar 10 08:17 maillog-20190310

    P.

  • Maybe I’m missing something here but doesn’t logrotate have the ‘postrotate … endscript’ block for its configuration files where you can run any command you desire?

    Leroy Tennison Network Information/Cyber Security Specialist E: leroy@datavoiceint.com
    2220 Bush Dr McKinney, Texas
    75070
    http://www.datavoiceint.com This message has been sent on behalf of a company that is part of the Harris Operating Group of Constellation Software Inc. These companies are listed here
    . If you prefer not to be contacted by Harris Operating Group please notify us
    . This message is intended exclusively for the individual or entity to which it is addressed. This communication may contain information that is proprietary, privileged or confidential or otherwise legally exempt from disclosure. If you are not the named addressee, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this message in error, please notify the sender immediately by e-mail and delete all copies of the message.

  • The problem is knowing the name that the logfile has just been rotated to. The script is only passed the name of the logfile itself and I
    don’t think the name can be accurately constructed from that.

    That’s why I said some combination of pre- and post- rotate. Something like in the prerotate section change the ownership and permissions, then when it’s rotated it should be correct. The create command can then be used to make sure the newly created logfile has the correct ownership/permission.

    P.