
I am trying to write a simple script that monitors the /var/log/messages file. By default the file doesn't have read permission for users. When I allow read access to this file my script works perfectly, but the problem is that the file gets rewritten each time I restart the system and all my changes get lost. Is there a way to change its default permissions?

Thanks.

Maksim Vi.

3 Answers


There are permissions management setups that don't require you to use sudo -- you could give the user running the script access to the group that owns /var/log/messages (adm, on my laptop here). Alternately, use NOPASSWD in the sudoers entry for the script, so that you don't have to store a password in the script.

If you're really dead-set on letting the world see what's in /var/log/messages (and I'd strongly recommend against it -- there really can be private stuff in there) then what's setting your permissions back to default is probably logrotate, so check out your logrotate config and find the stanza that's doing your /var/log/messages rotation and change it.

womble
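The two checks this answer implies, as an added example that is not part of womble's post: whether the script's user can already read the file through its group (as with `adm`), and which logrotate stanza is resetting the mode on rotation. The user name, the `adm` group and the logrotate stanza are constructed placeholders; `stat -c` is GNU coreutils syntax.

```shell
#!/bin/sh
# Added example: verify group-based read access to a log file and locate the
# logrotate 'create' directive that governs its mode after rotation.
# User, group and config contents below are constructed, not from a real host.

# group_can_read SYMBOLIC_MODE -> succeeds when the group read bit is set.
# SYMBOLIC_MODE is the 10-character form printed by `ls -l` or `stat -c %A`,
# e.g. "-rw-r-----" (group may read) or "-rw-------" (group may not).
group_can_read() {
    case "$1" in
        ????r*) return 0 ;;
        *)      return 1 ;;
    esac
}

# user_in_group USER GROUP -> succeeds when USER belongs to GROUP
# (primary or supplementary), as reported by id(1).
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# logrotate_create_for FILE CONFIG -> prints the arguments of the 'create'
# directive in the stanza that rotates FILE, or nothing if that stanza sets
# none. This is the line to adjust so rotated files keep the intended group.
logrotate_create_for() {
    awk -v target="$1" '
        index($0, "{") { inblock = 0; for (i = 1; i <= NF; i++) if ($i == target) inblock = 1 }
        inblock && $1 == "create" { sub(/^[ \t]*create[ \t]*/, ""); print; exit }
        index($0, "}") { inblock = 0 }
    ' "$2"
}

# write_sample_logrotate_config PATH writes a constructed stanza in the shape
# commonly found under /etc/logrotate.d.
write_sample_logrotate_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
/var/log/messages /var/log/secure {
    weekly
    rotate 4
    missingok
    create 0640 root adm
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
EOF
}

# report_access USER FILE CONFIG prints a verdict for a live host (GNU stat).
report_access() {
    user=$1 file=$2 conf=$3
    mode=$(stat -c %A "$file" 2>/dev/null) || { echo "cannot stat $file"; return 1; }
    grp=$(stat -c %G "$file")
    if group_can_read "$mode" && user_in_group "$user" "$grp"; then
        echo "$user can read $file via group $grp ($mode)"
    else
        echo "$user cannot read $file via its group (group $grp, mode $mode)"
    fi
    echo "logrotate 'create' for $file: $(logrotate_create_for "$file" "$conf")"
}

# On a real host: report_access scriptuser /var/log/messages /etc/logrotate.d/syslog
```

If `report_access` shows the group already has read and the user is simply not a member, adding the user to that group (the first suggestion above) needs no permission change at all; only when the `create` line drops group read does the logrotate stanza need editing.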

If you do use sudo to grant access, then you need to be careful to limit the access scope properly. I would recommend using something like this in your sudoers file:

scriptuser  ALL = NOPASSWD: /bin/cat /var/log/messages

That will allow 'scriptuser' to perform the exact command presented without entering a password.

Scott Pack
  • I like this solution, but I feel like it could be really confusing to certain users. To me at least it would be really confusing to be able to `cat` a file and not `tail` it or something. – JP Silvashy Nov 29 '11 at 18:49
  • @JosephSilvashy: You can also set up command groups and allow any "read only" text processing commands you want while keeping my answer pretty well intact. I leave configuring said grouping as an exercise to the reader. – Scott Pack Nov 29 '11 at 18:52
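A way to check that a rule stays as narrow as the one above, and to consume it from a script without ever blocking on a prompt, as an added example that is not part of Scott Pack's answer or the comments. It lints a sudoers fragment for `NOPASSWD` rules that grant `ALL` or use wildcards, flags `Cmnd_Alias` definitions with wildcards (the "command groups" mentioned in the comment), and reads the log with `sudo -n` so a missing rule fails immediately. The user names and the `READLOG`/`ANYLOG` aliases are constructed.

```shell
#!/bin/sh
# Added example: lint a sudoers fragment for over-broad NOPASSWD grants and read
# a log non-interactively. Names in the sample are constructed placeholders.

# sudoers_broad_rules FILE -> one line "<user> <reason>" for each NOPASSWD rule
# whose command list grants ALL or contains a shell-style wildcard.
sudoers_broad_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        $1 == "Cmnd_Alias" { next }              # alias definitions checked separately
        index($0, "NOPASSWD:") {
            cmds = substr($0, index($0, "NOPASSWD:") + 9)   # text after "NOPASSWD:"
            if (cmds ~ /(^|[ \t,])ALL([ \t,]|$)/)  print $1 " grants ALL"
            else if (cmds ~ /[*?]/)                print $1 " uses a wildcard"
        }
    ' "$1"
}

# cmnd_alias_wildcards FILE -> names of Cmnd_Alias entries containing a wildcard.
cmnd_alias_wildcards() {
    awk '$1 == "Cmnd_Alias" && $0 ~ /[*?]/ { name = $2; sub(/=.*/, "", name); print name }' "$1"
}

# write_sample_sudoers PATH writes a constructed fragment mixing tight and loose rules.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample sudoers fragment, not a real system file
Cmnd_Alias READLOG = /bin/cat /var/log/messages, /usr/bin/tail -n 100 /var/log/messages
Cmnd_Alias ANYLOG  = /bin/cat /var/log/*
scriptuser  ALL = NOPASSWD: /bin/cat /var/log/messages
monitor     ALL = NOPASSWD: READLOG
backup      ALL = (root) NOPASSWD: ALL
ops         ALL = NOPASSWD: /bin/cat /var/log/*
EOF
}

# read_log_nonblocking FILE -> file contents via sudo. The -n flag makes sudo
# fail instead of prompting when no passwordless rule covers the command, so a
# monitor started at boot never hangs waiting for input.
read_log_nonblocking() {
    sudo -n /bin/cat "$1" 2>/dev/null || {
        echo "sudo: no passwordless rule for /bin/cat $1 (inspect with: sudo -l)" >&2
        return 1
    }
}

# On a real host, syntax-check a fragment before installing it: visudo -cf FILE
```

The lint is deliberately simple: it reads the rule lines only, so an alias that expands to something broad shows up through `cmnd_alias_wildcards` rather than on the rule that references it. Keeping the grant to a literal command with a literal path, as in the answer, is what lets both checks pass.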

The usual solution is to run the monitor script with sufficient privilege to be able to read the file.

This is because the /var/log/messages permission is carefully chosen to hide any sensitive information that accidentally ends up in that log file.

Douglas Leeder
  • Doesn't work for me. I want to run the script when the system starts with no user interaction, and I don't want to store the sudo password in my script file. There are lots of other files that contain more sensitive information and allow changing their permissions just fine. – Maksim Vi. Oct 17 '09 at 08:24
  • create another user and use group permissions. – neoice Oct 17 '09 at 16:40
  • So start the script from root's crontab then. It doesn't have to run from your user account. – Douglas Leeder Oct 17 '09 at 17:53
  • It is a GUI script, and I have had no luck so far running GUI applications from anything other than the current user. Group permissions for this file are always set to 0. – Maksim Vi. Oct 17 '09 at 21:05
  • A GUI script that runs with no user interactions... WTF? – womble Oct 17 '09 at 22:23
  • It sounds like you have a GUI application that starts when the user logs in? Is that the case? – Douglas Leeder Oct 18 '09 at 07:28