Permissions of log files automatically being reset by syslog

Written by - 2 comments

Published on - Listed in Linux Mail

For a special application I built a simple monitoring check which reads /var/log/mail.log (and the rotated /var/log/mail.log.1) and counts the number of e-mails sent by that application.

The check itself is executed through NRPE, which runs as the "nagios" user. Therefore the nagios user needs to be able to read /var/log/mail.log. Easy:

# chmod 644 /var/log/mail.log
# chmod 644 /var/log/mail.log.1

I even adapted the logrotate config file to ensure the rotated log file is also readable after a log rotation (using the "create" option):

    create 644 root adm
        invoke-rc.d syslog-ng reload > /dev/null

I enabled the monitoring check and it worked. But just a couple of minutes later the check returned critical because the nagios user wasn't able to read the log file anymore. I verified and indeed, the permissions of /var/log/mail.log were reset:

$ ll /var/log/mail.log
-rw-r----- 1 root adm 108437 Jun 27 10:00 /var/log/mail.log

It turns out that syslog-ng (which runs on this application server) resets the permissions automatically to the ones defined in the syslog-ng config. By default (here on a Debian Wheezy installation) this means:

# grep 640 /etc/syslog-ng/syslog-ng.conf
      owner("root"); group("adm"); perm(0640); stats_freq(0);

This ownership and permission setting is part of syslog-ng's global configuration. Of course I could just set the permissions to 0644 here. But this means that all log files would be readable by all the users on this application server. Some logs contain sensitive information, so I wouldn't like to just grant read access to everyone.

Instead, the permissions can also be set per log file, as an option of the file() driver inside a "destination" statement. For /var/log/mail.log this is the default setting:

# grep "mail.log" /etc/syslog-ng/syslog-ng.conf
destination d_mail { file("/var/log/mail.log"); };

For this destination d_mail I want to create special file permissions:

# grep "mail.log" /etc/syslog-ng/syslog-ng.conf
destination d_mail { file("/var/log/mail.log" perm(0644)); };

Followed by a syslog-ng restart:

# /etc/init.d/syslog-ng restart
[ ok ] Stopping system logging: syslog-ng.
[ ok ] Starting system logging: syslog-ng.

Checking the log's file permissions again:

# ll /var/log/mail.log
-rw-r----- 1 root adm 108437 Jun 27 10:00 /var/log/mail.log

Hmm... the permissions are still the same?! Oh, wait... maybe syslog-ng needs to actually receive something from the mail log facility in order to reset the permissions? Let's try that:

# echo "testmail" | mailx -s test root

Checking again:

# ll /var/log/mail.log
-rw-r--r-- 1 root adm 113261 Jun 27 10:55 /var/log/mail.log

Yep, that's it!
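To check which log files end up readable by everyone after such a change, here is an added example (not part of the original post) that lists every file() destination with the mode syslog-ng will enforce on it: the destination's own perm() if present, otherwise the global one. The function names and the d_auth destination in the sample are assumptions made for illustration.

```shell
# Added example, not from the original post. Lists each file() destination in a
# syslog-ng config with its effective mode and where that mode comes from.
# Assumption: each destination statement sits on one line, as in the post.
audit_syslog_ng_perms() {
    awk '
    # Extract NNNN from perm(NNNN); ignores dir_perm() and similar names.
    function perm_of(s) {
        if (!match(s, /(^|[^_a-z])perm\([0-7]+\)/)) return ""
        s = substr(s, RSTART, RLENGTH)
        sub(/^.*\(/, "", s); sub(/\)$/, "", s)
        return s
    }
    /^[ \t]*#/ { next }                                  # comment line
    /^[ \t]*options[ \t]*[{]/ { in_opt = 1 }             # global options block
    in_opt {
        p = perm_of($0); if (p != "") global = p
        if ($0 ~ /[}];/) in_opt = 0
        next
    }
    /^[ \t]*destination[ \t]/ && match($0, /file\("[^"]+"/) {
        path[++n] = substr($0, RSTART + 6, RLENGTH - 7)
        own[n] = perm_of(substr($0, RSTART + RLENGTH))   # options after the path
    }
    END {
        for (i = 1; i <= n; i++) {
            mode = (own[i] != "") ? own[i] : global
            scope = (own[i] != "") ? "override" : "global"
            if (mode == "") { mode = "unset"; flag = "unknown" }
            else flag = (mode ~ /[4-7]$/) ? "world-readable" : "restricted"
            print path[i], mode, scope, flag
        }
    }' "$@"
}

# Constructed sample config: the global options line and the d_mail override
# are the ones shown in the post; d_auth is a hypothetical second destination.
sample_conf() {
    cat <<'EOF'
options {
      owner("root"); group("adm"); perm(0640); stats_freq(0);
};
destination d_auth { file("/var/log/auth.log"); };
destination d_mail { file("/var/log/mail.log" perm(0644)); };
EOF
}

sample_conf | audit_syslog_ng_perms
```

On a real server, pass the config path as the argument instead of piping the sample, for example audit_syslog_ng_perms /etc/syslog-ng/syslog-ng.conf.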

Comments (newest first)

pingu from wrote on Mar 6th, 2023:

Thank you so much! It helped me out!

cm-shg from DE-NRW wrote on Nov 13th, 2020:

very helpful
