Tags: linux, file-permissions, rsyslog

Trying to specify file permissions using Output Channels in syslog


I'm trying to use syslog with output channels to create some log files, and I need them to have specific owners and permissions.

Within /etc/rsyslog I'm writing the following:

    $umask 0027
    $FileGroup the-mothers-of-invention

    $outchannel rotate1,/path/mylog.log, 10000000,/path/my-rotate-script.sh /path mylog 99 .log 10000000

    $template myTemplate,"%timegenerated:1:23:date-rfc3339%+%timegenerated:28:36:date-rfc3339% %syslogpriority-text:1:2:uppercase% %hostname%:%msg%\n"

    if $app-name == 'MYAPP' then {
        *.*  :omfile:$rotate1;myTemplate
        stop
    }

With this configuration, I see the first mylog.log file is created with permissions 640 and group ID the-mothers-of-invention. After reaching 10 MB, the script is correctly executed (I used the mv command) and I see the file mylog__.log is created and it inherits the owner and permissions from the original mylog.log file (so far, everything OK). But when the new mylog.log file is automatically created by syslog, it is created with the default owner (root:root) and permissions (644).

I've been reading a lot of information & manuals (the rsyslog ones), but I don't see any information on combining the permissions change and the output channels.

Any guess?

Thanks!


Solution

The $FileCreateMode parameter allows you to specify the creation mode with which rsyslogd creates new files. It lets rsyslog create files with read and write access only for the users it runs under.

First, remove any restrictions for rsyslog:

    $umask 0000

Then you can set the creation mode:

    $FileCreateMode 0600
    *.* /var/log/file-with-0600
    $FileCreateMode 0644
    *.* /var/log/file-with-0644

If there is a listener that must bind to a network port below 1024, rsyslogd always needs to start up as root. For example, the UDP listener usually needs to listen on port 514, and as such rsyslogd needs to start up as root.

This means if you have any listener as described above, you can't change the file owner, at least if you're creating a file with rsyslog.

If that's not the case, you can use the $PrivDropToGroup and/or $PrivDropToUser config params to specify a group and/or user that rsyslogd should drop to after initialization.

    # These may require root privilege
    $FileOwner syslog
    $FileGroup adm
    $PrivDropToUser syslog
    $PrivDropToGroup syslog
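The question's rotation script only moves the full log aside and leaves rsyslog to create the replacement with its default owner and mode. Added example (not the asker's script nor part of rsyslog): an $outchannel script that, after rotating, pre-creates an empty log carrying over the owner, group and mode of the rotated file. It assumes rsyslog reopens the existing path after the script returns (so it never creates the file itself), GNU coreutils, and the argument order `DIR BASE KEEP EXT` that the question passes to the script; the `mylog.N.log` naming is this example's own.

```shell
#!/bin/sh
# Rotation helper for an rsyslog $outchannel. Assumed argument order,
# matching the question: DIR BASE KEEP EXT (the size is unused here).
set -eu

# rotate_log DIR BASE KEEP EXT
# Keeps DIR/BASE.1EXT (newest) .. DIR/BASE.<KEEP>EXT (oldest), then re-creates
# DIR/BASE+EXT empty with the rotated file's owner, group and mode.
rotate_log() {
    dir=$1; base=$2; keep=$3; ext=$4
    cur="$dir/$base$ext"
    [ -f "$cur" ] || return 1

    # Shift existing archives up by one number; the oldest is overwritten.
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        [ -f "$dir/$base.$prev$ext" ] && mv -f "$dir/$base.$prev$ext" "$dir/$base.$i$ext"
        i=$prev
    done
    mv -f "$cur" "$dir/$base.1$ext"

    # Pre-create the new log before rsyslog reopens it, copying ownership and
    # mode from the rotated copy (chown to another user needs root; rsyslog's
    # own $FileOwner/$FileGroup would otherwise apply only on creation).
    : > "$cur"
    chown --reference="$dir/$base.1$ext" "$cur"
    chmod --reference="$dir/$base.1$ext" "$cur"
}

# log_perms FILE -> "owner:group mode", e.g. "syslog:adm 640", for checking
# that the re-created log did not fall back to root:root 644.
log_perms() {
    stat -c '%U:%G %a' "$1"
}

# Invoked by rsyslog as: /path/my-rotate-script.sh /path mylog 99 .log
if [ "$#" -eq 4 ]; then
    rotate_log "$1" "$2" "$3" "$4"
fi
```

The $FileOwner, $FileGroup and $FileCreateMode directives from the answer still govern the very first creation of mylog.log; this script covers every re-creation after rotation.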