How to grant non-root user access only to /var/log directory
Solution 1
Method 1:
Permission to view log files is granted to users who are in the group adm.
sudo usermod -aG adm <USER>
Method 2:
Use logrotate
create mode owner group
Immediately after rotation (before the postrotate script is run) the log file is created (with the same name as the log file just rotated). mode specifies the mode for the log file in octal (the same as chmod(2)), owner specifies the user name who will own the log file, and group specifies the group the log file will belong to. Any of the log file attributes may be omitted, in which case those attributes for the new file will use the same values as the original log file for the omitted attributes. This option can be disabled using the nocreate option.
Usage:
/var/log/messages {
....
create 444 user group
....
}
Method 3:
Just tail it, man! Tail whatever log you need.
tail -f /var/log/messages.log
I'll use the 3rd method, because I'm lazy. (zzzzzz)
Solution 2
Read man journalctl, and add the normal user to the systemd-journal or adm groups.
Alternatively, you could do it the complicated way:
While restricting access to other directories is (IMHO) silly, here's how you can grant access to parts of /var/log, by adding the normal user to groups. Read man group; man adduser; man find; man xargs; man stat; man sort; man uniq. Note that adding a user to a group will give that user group access everywhere on the system.
# How many unique permission values are there?
# Note that all but 41 allow some sort of group access
walt@bat:~(0)$ sudo find /var/log -print | xargs -r sudo stat -c "%A" | sort | uniq -c | sort -n
[sudo] password for walt:
1 drwx------
1 drwxrwx---
1 lrwxrwxrwx
3 drwxr-sr-x
3 drwxrwxr-x
3 drwxr-x---
4 -rw-rw-r--
13 drwxr-xr-x
41 -rw-------
95 -rw-r--r--
147 -rw-r-----
# What groups are there in /var/log?
walt@bat:~(0)$ sudo find /var/log -print | xargs -r sudo stat -c "%G" | sort | uniq -c | sort -n
1 debci
1 lp
1 ntp
1 syslog
1 walt
2 monkeysphere
2 www-data
5 utmp
33 systemd-journal
107 adm
158 root
# Look at the owner and group of the log files and consider
# adding the normal user to these groups
walt@bat:~(0)$ sudo find /var/log -print | xargs -r sudo stat -c "%U %G %n" | sort -u
# 312 lines on MY system - not worth posting
# now, about the 41 that don't allow group access:
walt@bat:~(0)$ sudo find /var/log -perm 0600 -ls
392396 4 -rw------- 1 root utmp 1536 Mar 22 09:01 /var/log/btmp.1
391673 4 -rw------- 1 root utmp 384 Apr 2 00:43 /var/log/btmp
394821 0 -rw------- 1 root root 0 Mar 1 2018 /var/log/dbconfig-common/dbc.log
424051 4 -rw------- 1 root root 457 Feb 6 2018 /var/log/dbconfig-common/dbc.log.1
522427 4 -rw------- 1 root root 3149 Apr 3 09:04 /var/log/lightdm/seat0-greeter.log.3.gz
523533 4 -rw------- 1 root root 828 Feb 17 00:08 /var/log/lightdm/x-1.log.7.gz
531112 0 -rw------- 1 root root 0 Apr 14 07:36 /var/log/lightdm/seat0-greeter.log
522345 4 -rw------- 1 root root 1002 Apr 2 07:35 /var/log/lightdm/lightdm.log.6.gz
524257 0 -rw------- 1 root root 0 Mar 23 08:55 /var/log/lightdm/x-1.log
523434 4 -rw------- 1 root root 663 Mar 29 00:50 /var/log/lightdm/x-0.log.7.gz
527110 4 -rw------- 1 root root 809 Feb 17 16:19 /var/log/lightdm/x-1.log.6.gz
523997 4 -rw------- 1 root root 1402 Apr 2 00:58 /var/log/lightdm/seat0-greeter.log.4.gz
523443 4 -rw------- 1 root root 1358 Mar 29 00:55 /var/log/lightdm/lightdm.log.7.gz
523486 4 -rw------- 1 root root 206 Apr 6 07:35 /var/log/lightdm/lightdm.log.3.gz
523363 4 -rw------- 1 root root 2481 Apr 3 09:14 /var/log/lightdm/lightdm.log.5.gz
522228 4 -rw------- 1 root root 2303 Apr 5 10:46 /var/log/lightdm/seat0-greeter.log.2.gz
527032 4 -rw------- 1 root root 778 Mar 21 00:49 /var/log/lightdm/x-1.log.3.gz
523128 4 -rw------- 1 root root 662 Mar 6 00:15 /var/log/lightdm/x-1.log.5.gz
524005 4 -rw------- 1 root root 169 Apr 8 07:35 /var/log/lightdm/lightdm.log.2.gz
523528 4 -rw------- 1 root root 1842 Mar 29 00:50 /var/log/lightdm/seat0-greeter.log.5.gz
522698 4 -rw------- 1 root root 738 Apr 2 00:58 /var/log/lightdm/x-0.log.6.gz
523317 4 -rw------- 1 root root 737 Apr 13 10:07 /var/log/lightdm/x-0.log.1.gz
523446 4 -rw------- 1 root root 1231 Apr 14 07:35 /var/log/lightdm/lightdm.log.1.gz
531103 0 -rw------- 1 root root 0 Apr 14 07:36 /var/log/lightdm/x-0.log
523440 4 -rw------- 1 root root 854 Mar 22 21:57 /var/log/lightdm/x-1.log.1.gz
522511 4 -rw------- 1 root root 1801 Mar 28 09:57 /var/log/lightdm/seat0-greeter.log.6.gz
522497 4 -rw------- 1 root root 738 Apr 3 09:04 /var/log/lightdm/x-0.log.5.gz
523402 4 -rw------- 1 root root 70 Apr 6 00:41 /var/log/lightdm/x-0.log.3.gz
531094 0 -rw------- 1 root root 0 Apr 14 07:36 /var/log/lightdm/lightdm.log
523394 4 -rw------- 1 root root 1984 Apr 5 10:51 /var/log/lightdm/lightdm.log.4.gz
523445 4 -rw------- 1 root root 913 Mar 21 20:45 /var/log/lightdm/x-1.log.2.gz
522927 4 -rw------- 1 root root 67 Apr 7 22:08 /var/log/lightdm/x-0.log.2.gz
523821 4 -rw------- 1 root root 2017 Mar 26 01:46 /var/log/lightdm/seat0-greeter.log.7.gz
522883 4 -rw------- 1 root root 1965 Apr 13 12:49 /var/log/lightdm/seat0-greeter.log.1.gz
523403 4 -rw------- 1 root root 800 Mar 6 23:46 /var/log/lightdm/x-1.log.4.gz
522648 4 -rw------- 1 root root 771 Apr 5 10:46 /var/log/lightdm/x-0.log.4.gz
406444 324 -rw------- 1 syslog adm 331656 Jan 29 2018 /var/log/installer/syslog
406446 4 -rw------- 1 root root 19 Jan 29 2018 /var/log/installer/version
406447 4 -rw------- 1 root root 1067 Jan 29 2018 /var/log/installer/casper.log
406448 8 -rw------- 1 root root 7110 Jan 29 2018 /var/log/installer/debug
406445 768 -rw------- 1 root root 785438 Jan 29 2018 /var/log/installer/partman
walt@bat:~(0)$
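An added example, not from either answer: a POSIX shell helper that applies the kernel's owner/group/other precedence to the mode bits in a stat-style listing, so a user's real read access under /var/log can be checked before and after adding them to adm (it explains why the 41 mode-0600 files above stay unreadable even for adm members). The user name walt, the group lists and the sample listing are constructed for the example; only the first two sample lines mirror entries from the listing above.

```sh
#!/bin/sh
# Added example (not part of either answer): given a user and the groups that
# user belongs to, report which log files that user could read, judged from
# owner/group/mode alone.  ACLs and directory traversal (the user also needs
# x on every parent directory) are not considered here.

# can_read USER "GROUPS" OWNER GROUP OCTAL_MODE  -> prints yes or no.
# Same precedence as the kernel: owner bits if the user owns the file, else
# group bits if one of USER's groups matches, else other bits.  root is
# assumed to read everything (CAP_DAC_READ_SEARCH).
can_read() {
    cr_user=$1 cr_groups=$2 cr_owner=$3 cr_group=$4
    cr_m=$((0$5))                  # parse as octal; setuid/setgid/sticky bits are masked off below
    [ "$cr_user" = root ] && { echo yes; return; }
    if [ "$cr_user" = "$cr_owner" ]; then
        cr_bits=$(( (cr_m >> 6) & 7 ))
    else
        cr_bits=$(( cr_m & 7 ))
        for cr_g in $cr_groups; do
            [ "$cr_g" = "$cr_group" ] && { cr_bits=$(( (cr_m >> 3) & 7 )); break; }
        done
    fi
    [ $(( cr_bits & 4 )) -ne 0 ] && echo yes || echo no
}

# report USER "GROUPS": reads "owner group mode path" lines on stdin (the
# format produced by stat -c '%U %G %a %n') and prefixes each with yes/no.
report() {
    while read -r rp_owner rp_group rp_mode rp_path; do
        printf '%s %s\n' "$(can_read "$1" "$2" "$rp_owner" "$rp_group" "$rp_mode")" "$rp_path"
    done
}

# Constructed sample in stat format (first two lines mirror the answer's
# listing; the rest are typical Debian/Ubuntu defaults, assumed here).
SAMPLE='syslog adm 600 /var/log/installer/syslog
root utmp 600 /var/log/btmp
syslog adm 640 /var/log/auth.log
root utmp 664 /var/log/wtmp
root root 644 /var/log/dpkg.log
root adm 640 /var/log/syslog'

# count_readable USER "GROUPS": how many sample files that user could read.
count_readable() {
    printf '%s\n' "$SAMPLE" | report "$1" "$2" | grep -c '^yes '
}

# Live use (sudo is needed to stat files the caller cannot see):
#   sudo find /var/log -type f -print0 | xargs -0 -r sudo stat -c '%U %G %a %n' | report walt "walt adm"
```

Run the live pipeline once before and once after `usermod -aG adm`, and diff the two reports to see exactly which files the group change exposed.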
Updated on September 18, 2022
Comments
most2 over 1 year
I have newly created a non-root (normal) user and want to grant access only to the /var/log directory so that the user can view and monitor the logs. The user should not be able to cd/ls or access the /etc directory or do anything else apart from viewing files in /var/log. Is this setup possible?
I have tried to use setfacl -m u:user:--- on the /etc directory, but I get an /etc/profile permission denied error when logging in as the user.
How can I achieve this?
vidarlo about 5 years
The files in /etc/ that are considered sensitive, such as shadow containing password hashes, cryptographic keys and so forth, are only readable by root. Why do you want to deny the user the ability to read /etc? Is it a separate user for reading logs, or a general purpose user?
Paul Benson about 5 years
What does access to the /etc folder have to do with access to the /var/log folder? The 2 are not connected.
most2 about 5 years
It's a separate user for reading logs in /var/log. I don't want the user to ls the /etc directory if possible. Is this setup achievable?
Mike Q almost 4 years
Method 3 only works by circumstance and will not resolve the issue where users are restricted.