Log file permissions in Linux
Solution 1
There are permissions management setups that don't require you to use sudo -- you could give the user running the script access to the group that owns /var/log/messages (adm, on my laptop here). Alternately, use NOPASSWD in the sudoers entry for the script, so that you don't have to store a password in the script.
If you're really dead-set on letting the world see what's in /var/log/messages (and I'd strongly recommend against it -- there really can be private stuff in there) then what's setting your permissions back to default is probably logrotate, so check out your logrotate config and find the stanza that's doing your /var/log/messages rotation and change it.
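Added example, not part of the original answer: a POSIX shell check for the logrotate step described above. It reports which create values (mode, owner, group) logrotate will apply to a given log after rotation, so a group-based setup such as adm can be confirmed to survive rotation; the sample config and the function names rotation_create and world_readable are constructed for illustration.

```sh
# Added example. Limits: exact path match, no globs, no `include` following.
sample_conf() {   # constructed logrotate config, not taken from the page
cat <<'EOF'
create 0644 root root
/var/log/messages /var/log/warn {
    weekly
    create 640 root adm
}
/var/log/wtmp {
    monthly
}
EOF
}

# rotation_create CONF LOGPATH: print the "create" values (mode owner group)
# that apply to LOGPATH; exit status 2 when no stanza names LOGPATH.
rotation_create() {
  awk -v target="$2" '
    { sub(/#.*/, "") }                              # strip comments
    !inside && /[{]/ {                              # "{" ends a stanza header
      hdr = pending " " $0; sub(/[{].*/, "", hdr); pending = ""
      n = split(hdr, p, /[ \t]+/); hit = 0
      for (i = 1; i <= n; i++) if (p[i] == target) hit = found = 1
      inside = 1; next
    }
    inside && /^[ \t]*[}][ \t]*$/ { inside = 0; hit = 0; next }
    $1 == "create" {
      v = $2 " " $3 " " $4; sub(/ +$/, "", v)
      if (!inside) dflt = v; else if (hit) own = v  # stanza overrides global
      next
    }
    !inside { pending = pending " " $0 }            # header may span lines
    END {
      if (!found) exit 2
      print (own != "" ? own : (dflt != "" ? dflt : "unset"))
    }
  ' "$1"
}

# world_readable MODE: succeed when the last octal digit has the read bit.
world_readable() { case "${1#"${1%?}"}" in [4567]) return 0 ;; *) return 1 ;; esac; }

conf=$(mktemp) && sample_conf > "$conf"
for log in /var/log/messages /var/log/wtmp; do
  set -- $(rotation_create "$conf" "$log")
  world_readable "$1" && note="world-readable" || note="not world-readable"
  echo "$log: recreated as $* ($note)"
done
rm -f "$conf"
```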
Solution 2
If you do use sudo to grant access, then you need to be careful to limit the access scope properly. I would recommend using something like this in your sudoers file:
scriptuser ALL = NOPASSWD: /bin/cat /var/log/messages
That will allow 'scriptuser' to perform the exact command presented without entering a password.
Solution 3
The usual solution is to run the monitor script with sufficient privilege to be able to read the file.
This is because the /var/log/messages permission is carefully chosen to hide any sensitive information that accidentally ends up in that log file.
Maksim Vi.
Software developer in an online social entertainment company
Updated on September 17, 2022
Comments
-
Maksim Vi. over 1 year
I am trying to write a simple script that monitors /var/log/messages file. The file by default doesn't have read permission for users, when I allow read access to this file my script works perfectly, but the problem is that file gets rewritten each time I restart the system and all my changes get lost. Is there a way to change its default permissions? Thanks.
-
Zanchey over 14 years
which Linux distro are you using?
-
Maksim Vi. over 14 years
I am using OpenSUSE 11.0
-
Maksim Vi. over 14 years
Doesn't work for me, I want to run the script when system starts with no user interactions and I don't want to store sudo password in my script file. There are lots of other files that contain more sensitive information and allow to change their permissions just fine.
-
Maksim Vi. over 14 years
it seems that on my computer only root user has access to that file :(
-
ISJ over 14 years
create another user and use group permissions.
-
Douglas Leeder over 14 years
So start the script from root's crontab then. It doesn't have to run from your user account.
-
Maksim Vi. over 14 years
it is a gui script, and I had no luck so far running gui applications not from current user. Group permissions for this file are always set to 0.
-
womble over 14 years
A GUI script that runs with no user interactions... WTF?
-
Douglas Leeder over 14 years
It sounds like you have a GUI application that starts when the user logs in? Is that the case?
-
jeff-h over 12 years
I like this solution, but I feel like it could be really confusing to certain users. To me at least it would be really confusing to be able to cat a file and not tail it or something.
-
Scott Pack over 12 years
@JosephSilvashy: You can also set up command groups and allow any "read only" text processing commands you want while keeping my answer pretty well intact. I leave configuring said grouping as an exercise to the reader.