Permissions of log files automatically being reset by syslog

Written by - 2 comments

Published on - Listed in Linux Mail


For a special application, I built a simple monitoring check that reads /var/log/mail.log (and the rotated /var/log/mail.log.1) and counts the number of e-mails sent by that application.

The check itself is executed through NRPE, which runs as the "nagios" user. Therefore, the nagios user needs to be able to read /var/log/mail.log. Easy:

# chmod 644 /var/log/mail.log
# chmod 644 /var/log/mail.log.1

I even adapted the logrotate config file to ensure the rotated log file is also readable after a log rotation (using the "create" option):

/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
{
    weekly
    missingok
    notifempty
    compress
    delaycompress
    create 644 root adm
    sharedscripts
    postrotate
        invoke-rc.d syslog-ng reload > /dev/null
    endscript
}

I enabled the monitoring check and it worked. But just a couple of minutes later the check returned critical because the nagios user wasn't able to read the log file anymore. I verified and indeed, the permissions of /var/log/mail.log were reset:

$ ll /var/log/mail.log
-rw-r----- 1 root adm 108437 Jun 27 10:00 /var/log/mail.log

It turns out that syslog-ng (which runs on this application server) resets the permissions automatically to the ones defined in the syslog-ng config. By default (here on a Debian Wheezy installation) this means:

# grep 640 /etc/syslog-ng/syslog-ng.conf
      owner("root"); group("adm"); perm(0640); stats_freq(0);

This owner, group and permission setting is part of syslog-ng's global options. Of course I could just set perm(0644) here, but this means that all log files would be readable by every user on this application server. Some logs contain sensitive information, so I don't want to grant read access to everyone.

Instead, the permissions can also be set per destination, as an option of syslog-ng's file() destination driver. For /var/log/mail.log this is the default setting:

# grep "mail.log" /etc/syslog-ng/syslog-ng.conf
destination d_mail { file("/var/log/mail.log"); };

For this destination d_mail I set specific file permissions:

# grep "mail.log" /etc/syslog-ng/syslog-ng.conf
destination d_mail { file("/var/log/mail.log" perm(0644)); };

Followed by a syslog-ng restart:

# /etc/init.d/syslog-ng restart
[ ok ] Stopping system logging: syslog-ng.
[ ok ] Starting system logging: syslog-ng.

Checking the log's file permissions again:

# ll /var/log/mail.log
-rw-r----- 1 root adm 108437 Jun 27 10:00 /var/log/mail.log

Hmm... the permissions are still the same?! Oh, wait... maybe syslog-ng needs to actually receive something from the mail log facility in order to reset the permissions? Let's try that:

# echo "testmail" | mailx -s test root

Checking again:

# ll /var/log/mail.log
-rw-r--r-- 1 root adm 113261 Jun 27 10:55 /var/log/mail.log

Yep, that's it!
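The monitoring check described at the start of the post, as an added example that is not the post's own script: an NRPE-style plugin that first verifies the two mail logs are readable by the invoking user and still carry the expected mode (so a permission reset by syslog-ng shows up as an explicit WARNING rather than an opaque read error), and then counts the application's messages. It assumes the application's mail is recognised by a sender pattern (the hypothetical "from=<app@example.com>"), that the expected mode is 644 as set in the post, and GNU stat from Linux coreutils; the log lines are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original post: an NRPE-style plugin that
# checks log readability and mode before counting the application's mail.
# Assumptions: sender pattern "from=<app@example.com>" is hypothetical;
# "stat -c %a" needs GNU coreutils.

OK=0; WARNING=1; CRITICAL=2

# Write constructed sample logs (Postfix-style lines as found in mail.log)
# into a temporary directory and print its path.
make_sample_logs() {
    d=$(mktemp -d)
    cat > "$d/mail.log" <<'EOF'
Jun 27 10:00:01 host postfix/qmgr[1234]: 1A2B3C: from=<app@example.com>, size=512, nrcpt=1 (queue active)
Jun 27 10:00:02 host postfix/qmgr[1234]: 4D5E6F: from=<root@host>, size=300, nrcpt=1 (queue active)
Jun 27 10:05:00 host postfix/qmgr[1234]: 7G8H9I: from=<app@example.com>, size=640, nrcpt=1 (queue active)
EOF
    cat > "$d/mail.log.1" <<'EOF'
Jun 20 09:00:00 host postfix/qmgr[1234]: AAAAAA: from=<app@example.com>, size=512, nrcpt=1 (queue active)
EOF
    chmod 644 "$d/mail.log" "$d/mail.log.1"
    echo "$d"
}

# Count lines containing a fixed string across all given files (fixed-string
# match via awk's index(), so the pattern is not treated as a regex).
count_app_mails() {
    pattern="$1"; shift
    cat "$@" | awk -v pat="$pattern" 'index($0, pat) { n++ } END { print n + 0 }'
}

# Verify every file is readable by the invoking user and has the expected
# octal mode. Exit status follows the Nagios convention: 0 OK, 1 WARNING
# (readable, but the mode drifted from what was set), 2 CRITICAL (unreadable).
check_log_perms() {
    expected="$1"; shift
    rc=$OK
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "CRITICAL - $f is not readable by $(id -un)"
            rc=$CRITICAL
            continue
        fi
        mode=$(stat -c %a "$f")
        if [ "$mode" != "$expected" ]; then
            echo "WARNING - $f has mode $mode, expected $expected (reset by syslog-ng?)"
            if [ "$rc" -lt "$WARNING" ]; then rc=$WARNING; fi
        fi
    done
    return "$rc"
}

# The complete check: permissions first, then the count with a lower bound.
# Prints one Nagios status line (with perfdata) and returns the exit code.
check_app_mail() {
    pattern="$1"; min_count="$2"; shift 2
    perm_out=$(check_log_perms 644 "$@") || { rc=$?; echo "$perm_out"; return "$rc"; }
    n=$(count_app_mails "$pattern" "$@")
    if [ "$n" -lt "$min_count" ]; then
        echo "WARNING - only $n mails matching '$pattern', expected at least $min_count|mails=$n"
        return "$WARNING"
    fi
    echo "OK - $n mails matching '$pattern'|mails=$n"
    return "$OK"
}

# Stand-alone demo on the constructed logs. In production the paths would be
# /var/log/mail.log and /var/log/mail.log.1, and the script would end with
# "exit $?" so that NRPE sees the plugin status code.
sample=$(make_sample_logs)
check_app_mail 'from=<app@example.com>' 1 "$sample/mail.log" "$sample/mail.log.1"
rm -rf "$sample"
```

Running the permission check before the count is the point: once syslog-ng has reopened the file with perm(0640), the nagios user gets a read error, and without the explicit mode comparison the plugin would report a misleading "no mails sent" or an UNKNOWN state instead of naming the real cause.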



Comments (newest first)

pingu from wrote on Mar 6th, 2023:

Thank you so much! It helped me out!


cm-shg from DE-NRW wrote on Nov 13th, 2020:

Very helpful.