Is it safe to remove read rights from all /var/log files for others?
Am I supposed to be able to revoke read access recursively to /var/log/
for others
or will it break some applications which rely on being able to read from /var/log/
with other
rights?
linux logging access-control
add a comment |
Am I supposed to be able to revoke read access recursively to /var/log/
for others
or will it break some applications which rely on being able to read from /var/log/
with other
rights?
linux logging access-control
What applications do you have installed that read /var/log as another user?
– Ramhound
Nov 22 at 16:09
@Ramhound That basically is the question. Are application developers required to gain the necessary privileges to read from /var/log/* or is it normal to expect to be able to read from /var/log/* with the other privilege?
– Senkaku
Nov 22 at 16:24
What is preventing you from trying your idea?
– Ramhound
Nov 22 at 16:34
@Ramhound Some application could fail silently. I guess I will do it anyway and report here later.
– Senkaku
Nov 22 at 16:36
add a comment |
Am I supposed to be able to revoke read access recursively to /var/log/
for others
or will it break some applications which rely on being able to read from /var/log/
with other
rights?
linux logging access-control
Am I supposed to be able to revoke read access recursively to /var/log/
for others
or will it break some applications which rely on being able to read from /var/log/
with other
rights?
linux logging access-control
linux logging access-control
edited Nov 22 at 16:23
harrymc
253k12260563
253k12260563
asked Nov 22 at 15:31
Senkaku
3241316
3241316
What applications do you have installed that read /var/log as another user?
– Ramhound
Nov 22 at 16:09
@Ramhound That basically is the question. Are application developers required to gain the necessary privileges to read from /var/log/* or is it normal to expect to be able to read from /var/log/* with the other privilege?
– Senkaku
Nov 22 at 16:24
What is preventing you from trying your idea?
– Ramhound
Nov 22 at 16:34
@Ramhound Some application could fail silently. I guess I will do it anyway and report here later.
– Senkaku
Nov 22 at 16:36
add a comment |
What applications do you have installed that read /var/log as another user?
– Ramhound
Nov 22 at 16:09
@Ramhound That basically is the question. Are application developers required to gain the necessary privileges to read from /var/log/* or is it normal to expect to be able to read from /var/log/* with the other privilege?
– Senkaku
Nov 22 at 16:24
What is preventing you from trying your idea?
– Ramhound
Nov 22 at 16:34
@Ramhound Some application could fail silently. I guess I will do it anyway and report here later.
– Senkaku
Nov 22 at 16:36
What applications do you have installed that read /var/log as another user?
– Ramhound
Nov 22 at 16:09
What applications do you have installed that read /var/log as another user?
– Ramhound
Nov 22 at 16:09
@Ramhound That basically is the question. Are application developers required to gain the necessary privileges to read from /var/log/* or is it normal to expect to be able to read from /var/log/* with the other privilege?
– Senkaku
Nov 22 at 16:24
@Ramhound That basically is the question. Are application developers required to gain the necessary privileges to read from /var/log/* or is it normal to expect to be able to read from /var/log/* with the other privilege?
– Senkaku
Nov 22 at 16:24
What is preventing you from trying your idea?
– Ramhound
Nov 22 at 16:34
What is preventing you from trying your idea?
– Ramhound
Nov 22 at 16:34
@Ramhound Some application could fail silently. I guess I will do it anyway and report here later.
– Senkaku
Nov 22 at 16:36
@Ramhound Some application could fail silently. I guess I will do it anyway and report here later.
– Senkaku
Nov 22 at 16:36
add a comment |
1 Answer
1
active
oldest
votes
Many Linux distributions give only limited access to the files under /var/log
. However, the directories are mostly accessible.
As far as programs that use files under var/log
, getting info for last logins with last
requires (read) access to /var/log/wtmp
, so revoking access would break that functionality.
Thanks for pointing that out to me. Nevertheless I think that is expected behavior because/usr/bin/last
tries to access/var/log/lastlog
with the permissions of the caller. If executed as root or a member of utmp in Ubuntulast
is still able to perform.
– Senkaku
Nov 22 at 21:18
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1377606%2fis-it-safe-to-remove-read-rights-from-all-var-log-files-for-others%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Many Linux distributions give only limited access to the files under /var/log
. However, the directories are mostly accessible.
As far as programs that use files under var/log
, getting info for last logins with last
requires (read) access to /var/log/wtmp
, so revoking access would break that functionality.
Thanks for pointing that out to me. Nevertheless I think that is expected behavior because/usr/bin/last
tries to access/var/log/lastlog
with the permissions of the caller. If executed as root or a member of utmp in Ubuntulast
is still able to perform.
– Senkaku
Nov 22 at 21:18
add a comment |
Many Linux distributions give only limited access to the files under /var/log
. However, the directories are mostly accessible.
As far as programs that use files under var/log
, getting info for last logins with last
requires (read) access to /var/log/wtmp
, so revoking access would break that functionality.
Thanks for pointing that out to me. Nevertheless I think that is expected behavior because/usr/bin/last
tries to access/var/log/lastlog
with the permissions of the caller. If executed as root or a member of utmp in Ubuntulast
is still able to perform.
– Senkaku
Nov 22 at 21:18
add a comment |
Many Linux distributions give only limited access to the files under /var/log
. However, the directories are mostly accessible.
As far as programs that use files under var/log
, getting info for last logins with last
requires (read) access to /var/log/wtmp
, so revoking access would break that functionality.
Many Linux distributions give only limited access to the files under /var/log
. However, the directories are mostly accessible.
As far as programs that use files under var/log
, getting info for last logins with last
requires (read) access to /var/log/wtmp
, so revoking access would break that functionality.
answered Nov 22 at 20:59
Ljm Dullaart
59828
59828
Thanks for pointing that out to me. Nevertheless I think that is expected behavior because/usr/bin/last
tries to access/var/log/lastlog
with the permissions of the caller. If executed as root or a member of utmp in Ubuntulast
is still able to perform.
– Senkaku
Nov 22 at 21:18
add a comment |
Thanks for pointing that out to me. Nevertheless I think that is expected behavior because/usr/bin/last
tries to access/var/log/lastlog
with the permissions of the caller. If executed as root or a member of utmp in Ubuntulast
is still able to perform.
– Senkaku
Nov 22 at 21:18
Thanks for pointing that out to me. Nevertheless I think that is expected behavior because
/usr/bin/last
tries to access /var/log/lastlog
with the permissions of the caller. If executed as root or a member of utmp in Ubuntu last
is still able to perform.– Senkaku
Nov 22 at 21:18
Thanks for pointing that out to me. Nevertheless I think that is expected behavior because
/usr/bin/last
tries to access /var/log/lastlog
with the permissions of the caller. If executed as root or a member of utmp in Ubuntu last
is still able to perform.– Senkaku
Nov 22 at 21:18
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1377606%2fis-it-safe-to-remove-read-rights-from-all-var-log-files-for-others%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
What applications do you have installed that read /var/log as another user?
– Ramhound
Nov 22 at 16:09
@Ramhound That basically is the question. Are application developers required to gain the necessary privileges to read from /var/log/* or is it normal to expect to be able to read from /var/log/* with the other privilege?
– Senkaku
Nov 22 at 16:24
What is preventing you from trying your idea?
– Ramhound
Nov 22 at 16:34
@Ramhound Some application could fail silently. I guess I will do it anyway and report here later.
– Senkaku
Nov 22 at 16:36