1

What should I choose to allow staff access to logs on server. For example if I have user webmaster which should have access to /var/log/{mysql,nginx, etc...}, how can I make it? Maybe add group log-access and change owner of logs to this group? Or it's not good way?

Ubuntu is the main OS that I use (rarely CentOS).

masegaloeh
  • 18,236
  • 10
  • 57
  • 106
Sonique
  • 241
  • 1
  • 9
  • It highly depends on the distro. Some have a `0600` permission which would make changing the group meaningless. – Nathan C Sep 30 '14 at 19:52

2 Answers2

2

This question has a pretty big scope, especially with that ambiguous 'etc' in there. What I can do is help you break this into pieces so you can manage the problem better. You need to first clearly define what logs they need access to and tackle one at a time.

Per log file, you'll need to make some considerations;

  • If log rotation is handled by the service or daemon, you'll need to come up with a way to set desired permissions on the log file via the service's configuration. You can use things like umask in the init script, the setgid bit on the log directory (if it's a subdirectory to /var/log), etc.

  • If log rotation is handled by the logrotate cron job, there is a method 'create' that you can use to set the owner, group, and mode of the new log file.

  • The last option I can think of is if the service uses the syslog facility, you might need to set permissions in there. (For example, rsyslogd.)

Ultimately, you are probably going to use a combination of all of the above. You are on the right track with using a group. Owner will likely remain root or the process owner (whomever is writing the file.) The owner will retain read, write and the group read-only.

To get more specific answers, your question might need to be more specific. Start by letting us know what OS and version you are running.

Community
  • 1
Aaron Copley
  • 12,525
  • 5
  • 47
  • 68
1

Instead of providing access to a machine and files, I recommend providing access to a service, such as Logstash or Splunk. It's far preferable than giving system permissions, and will allow you to leverage a great deal of utility from the tools themselves.

gWaldo
  • 11,957
  • 8
  • 42
  • 69
  • Hi, thanks for links, I didn't know this tools .I know some solution for providing access for user groups via web like ISPConfig or Ajenti, but in this case I need to grant access for some users to server directly. Webmaster should work with logs, deploy app and test, configure mysql for better performance and other stuff. – Sonique Oct 01 '14 at 11:13
  • To those things, I would suggest a separate deployment mechanism for the applications that you deploy, and configuration management to not only manage, but store a history of configuration changes. These allow your people to achieve the capabilities that they need to do their work, but also provides you layers of safety (in both access-control as well as auditing.) – gWaldo Oct 01 '14 at 12:15
  • This would be a great end state! It will be more of an investment in time and in the case of Splunk; money. You should be able to setup read-only access to the flat files in a short bit of time then pitch this as the next step. – Aaron Copley Oct 01 '14 at 15:41