Is it safe to remove read rights from all /var/log files for others?












0














Am I supposed to be able to revoke read access recursively to /var/log/ for others or will it break some applications which rely on being able to read from /var/log/ with other rights?










share|improve this question
























  • What applications do you have installed that read /var/log as another user?
    – Ramhound
    Nov 22 at 16:09










  • @Ramhound That basically is the question. Are application developers required to gain the necessary privileges to read from /var/log/* or is it normal to expect to be able to read from /var/log/* with the other privilege?
    – Senkaku
    Nov 22 at 16:24












  • What is preventing you from trying your idea?
    – Ramhound
    Nov 22 at 16:34










  • @Ramhound Some application could fail silently. I guess I will do it anyway and report here later.
    – Senkaku
    Nov 22 at 16:36
















0














Am I supposed to be able to revoke read access recursively to /var/log/ for others or will it break some applications which rely on being able to read from /var/log/ with other rights?










share|improve this question
























  • What applications do you have installed that read /var/log as another user?
    – Ramhound
    Nov 22 at 16:09










  • @Ramhound That basically is the question. Are application developers required to gain the necessary privileges to read from /var/log/* or is it normal to expect to be able to read from /var/log/* with the other privilege?
    – Senkaku
    Nov 22 at 16:24












  • What is preventing you from trying your idea?
    – Ramhound
    Nov 22 at 16:34










  • @Ramhound Some application could fail silently. I guess I will do it anyway and report here later.
    – Senkaku
    Nov 22 at 16:36














0












0








0







Am I supposed to be able to revoke read access recursively to /var/log/ for others or will it break some applications which rely on being able to read from /var/log/ with other rights?










share|improve this question















Am I supposed to be able to revoke read access recursively to /var/log/ for others or will it break some applications which rely on being able to read from /var/log/ with other rights?







linux logging access-control






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 22 at 16:23









harrymc

253k12260563




253k12260563










asked Nov 22 at 15:31









Senkaku

3241316




3241316












  • What applications do you have installed that read /var/log as another user?
    – Ramhound
    Nov 22 at 16:09










  • @Ramhound That basically is the question. Are application developers required to gain the necessary privileges to read from /var/log/* or is it normal to expect to be able to read from /var/log/* with the other privilege?
    – Senkaku
    Nov 22 at 16:24












  • What is preventing you from trying your idea?
    – Ramhound
    Nov 22 at 16:34










  • @Ramhound Some application could fail silently. I guess I will do it anyway and report here later.
    – Senkaku
    Nov 22 at 16:36


















  • What applications do you have installed that read /var/log as another user?
    – Ramhound
    Nov 22 at 16:09










  • @Ramhound That basically is the question. Are application developers required to gain the necessary privileges to read from /var/log/* or is it normal to expect to be able to read from /var/log/* with the other privilege?
    – Senkaku
    Nov 22 at 16:24












  • What is preventing you from trying your idea?
    – Ramhound
    Nov 22 at 16:34










  • @Ramhound Some application could fail silently. I guess I will do it anyway and report here later.
    – Senkaku
    Nov 22 at 16:36
















What applications do you have installed that read /var/log as another user?
– Ramhound
Nov 22 at 16:09




What applications do you have installed that read /var/log as another user?
– Ramhound
Nov 22 at 16:09












@Ramhound That basically is the question. Are application developers required to gain the necessary privileges to read from /var/log/* or is it normal to expect to be able to read from /var/log/* with the other privilege?
– Senkaku
Nov 22 at 16:24






@Ramhound That basically is the question. Are application developers required to gain the necessary privileges to read from /var/log/* or is it normal to expect to be able to read from /var/log/* with the other privilege?
– Senkaku
Nov 22 at 16:24














What is preventing you from trying your idea?
– Ramhound
Nov 22 at 16:34




What is preventing you from trying your idea?
– Ramhound
Nov 22 at 16:34












@Ramhound Some application could fail silently. I guess I will do it anyway and report here later.
– Senkaku
Nov 22 at 16:36




@Ramhound Some application could fail silently. I guess I will do it anyway and report here later.
– Senkaku
Nov 22 at 16:36










1 Answer
1






active

oldest

votes


















1














Many Linux distributions give only limited access to the files under /var/log. However, the directories are mostly accessible.



As far as programs that use files under var/log, getting info for last logins with last requires (read) access to /var/log/wtmp, so revoking access would break that functionality.






share|improve this answer





















  • Thanks for pointing that out to me. Nevertheless I think that is expected behavior because /usr/bin/last tries to access /var/log/lastlog with the permissions of the caller. If executed as root or a member of utmp in Ubuntu last is still able to perform.
    – Senkaku
    Nov 22 at 21:18













Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1377606%2fis-it-safe-to-remove-read-rights-from-all-var-log-files-for-others%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














Many Linux distributions give only limited access to the files under /var/log. However, the directories are mostly accessible.



As far as programs that use files under var/log, getting info for last logins with last requires (read) access to /var/log/wtmp, so revoking access would break that functionality.






share|improve this answer





















  • Thanks for pointing that out to me. Nevertheless I think that is expected behavior because /usr/bin/last tries to access /var/log/lastlog with the permissions of the caller. If executed as root or a member of utmp in Ubuntu last is still able to perform.
    – Senkaku
    Nov 22 at 21:18


















1














Many Linux distributions give only limited access to the files under /var/log. However, the directories are mostly accessible.



As far as programs that use files under var/log, getting info for last logins with last requires (read) access to /var/log/wtmp, so revoking access would break that functionality.






share|improve this answer





















  • Thanks for pointing that out to me. Nevertheless I think that is expected behavior because /usr/bin/last tries to access /var/log/lastlog with the permissions of the caller. If executed as root or a member of utmp in Ubuntu last is still able to perform.
    – Senkaku
    Nov 22 at 21:18
















1












1








1






Many Linux distributions give only limited access to the files under /var/log. However, the directories are mostly accessible.



As far as programs that use files under var/log, getting info for last logins with last requires (read) access to /var/log/wtmp, so revoking access would break that functionality.






share|improve this answer












Many Linux distributions give only limited access to the files under /var/log. However, the directories are mostly accessible.



As far as programs that use files under var/log, getting info for last logins with last requires (read) access to /var/log/wtmp, so revoking access would break that functionality.







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 22 at 20:59









Ljm Dullaart

59828




59828












  • Thanks for pointing that out to me. Nevertheless I think that is expected behavior because /usr/bin/last tries to access /var/log/lastlog with the permissions of the caller. If executed as root or a member of utmp in Ubuntu last is still able to perform.
    – Senkaku
    Nov 22 at 21:18




















  • Thanks for pointing that out to me. Nevertheless I think that is expected behavior because /usr/bin/last tries to access /var/log/lastlog with the permissions of the caller. If executed as root or a member of utmp in Ubuntu last is still able to perform.
    – Senkaku
    Nov 22 at 21:18


















Thanks for pointing that out to me. Nevertheless I think that is expected behavior because /usr/bin/last tries to access /var/log/lastlog with the permissions of the caller. If executed as root or a member of utmp in Ubuntu last is still able to perform.
– Senkaku
Nov 22 at 21:18






Thanks for pointing that out to me. Nevertheless I think that is expected behavior because /usr/bin/last tries to access /var/log/lastlog with the permissions of the caller. If executed as root or a member of utmp in Ubuntu last is still able to perform.
– Senkaku
Nov 22 at 21:18




















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1377606%2fis-it-safe-to-remove-read-rights-from-all-var-log-files-for-others%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

AnyDesk - Fatal Program Failure

How to calibrate 16:9 built-in touch-screen to a 4:3 resolution?

QoS: MAC-Priority for clients behind a repeater