Access to logs via sudo

Steven Vona asked
Last Modified: 2012-06-27
I have a log server that collects logs from all the Cisco devices on our network. The company policy states that any logs should only be accessible by root. So I have the following permissions set on the directory, as well as everything inside the directory where the Cisco logs are kept.

drwx------ 65 root root   4096 Apr 29 7:38 rsyslog

The Cisco folks are requesting access to these logs, which is allowed by company policy. Now here is where it gets complicated. I need to give the Cisco folks access to the logs without (1) giving them access to root or (2) changing the permissions on the files.

So I was thinking, is there any way I can give them access through sudo? I know you can limit sudo to certain commands; is there a way I can use sudo to give them read access to the above directory?


CERTIFIED EXPERT

Commented:
maybe you could set up ftp and lock them in that directory.
CERTIFIED EXPERT

Commented:
something like sudo ftp but not sure you can keep a root user in a folder.
CERTIFIED EXPERT

Author

Commented:
@woolmikporc

I am not all that familiar with extended ACLs, but if I remember correctly it causes problems if ACLs are on the root filesystem, which is where the /var/log/rsyslog directory exists.
# cat /etc/fstab
/dev/VG0/LV0            /                       ext3    defaults        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/dev/VG0/LV1            swap                    swap    defaults        0 0

# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VG0-LV0    62G  5.4G   54G  10% /
/dev/sda1              99M   27M   68M  29% /boot
tmpfs                1005M     0 1005M   0% /dev/shm

CERTIFIED EXPERT

Author

Commented:
It is RHEL 5.

I understand your comments about the /var filesystem, but this machine was handed down to me, and my hands are tied with most changes like that until the machine needs to be rebuilt or there is a tech refresh.  Basically they will say it's not broke don't fix it. :)

CERTIFIED EXPERT

Author

Commented:
Thanks for your help, I have added the options and remounted.  I have also set the acl to allow read permissions to the directory:


drw-r-----+ 65 root root   4096 Apr 29 10:38 rsyslog

Is there a way to make this recursive?  Also what if a new directory was created inside rsyslog, is there a way to allow it to inherit the acl from the parent directory?

I am asking this since there are 50+ directories under /var/log/rsyslog and we are often adding new devices, which creates a new directory in /var/log/rsyslog.

CERTIFIED EXPERT

Author

Commented:
So I figured out how to make it recursive, how about the inherit part? Any ideas?
CERTIFIED EXPERT

Author

Commented:
This doesn't seem to be working. I have r-- permissions to the user on /var/log/rsyslog and everything inside that directory, and they still cannot change to that directory: permission denied.
CERTIFIED EXPERT
Most Valuable Expert 2013
Top Expert 2013

Commented:
OK, use "rx" instead of "r" alone in "setfacl".
CERTIFIED EXPERT

Author

Commented:
Same results...

# getfacl rsyslog/
# file: rsyslog
# owner: root
# group: root
user::rw-
user:test:r-x
group::---
mask::r-x
other::---

[test@logserv ~]$ cd /var/log/rsyslog 
-bash: cd: /var/log/rsyslog: Permission denied

Commented:
Another option might be that you set up another throwaway box for use just by the Cisco folks where they would also have the root password and rsync the logs over to that box.
CERTIFIED EXPERT
Most Valuable Expert 2013
Top Expert 2013

Commented:
/var and /var/log need rx as well!
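
The traversal rule behind this fix, as an added example that is not part of the original thread: a user needs search (x) permission on every directory in the path, not only on the target. The Python below parses getfacl output in the format posted above and reports the first directory that blocks a user; the /var and /var/log ACLs are constructed samples and the function names are hypothetical.

```python
import re

# getfacl output for the log directory, as posted in the thread.
RSYSLOG = """# file: rsyslog
# owner: root
# group: root
user::rw-
user:test:r-x
group::---
mask::r-x
other::---"""
# Constructed sample (assumption): a root-only parent such as /var or /var/log.
LOCKED = "# owner: root\n# group: root\nuser::rwx\ngroup::---\nother::---"
# Constructed sample: the same parent after `setfacl -m u:test:rx` is applied.
OPENED = LOCKED.replace("group::---", "user:test:r-x\ngroup::---\nmask::r-x")

def parse_getfacl(text):
    """Parse getfacl output into owner, group and {(tag, qualifier): perms}."""
    acl = {"owner": None, "group": None, "entries": {}}
    for line in text.strip().splitlines():
        line = line.strip()
        header = re.match(r"# (owner|group): (\S+)", line)
        if header:
            acl[header.group(1)] = header.group(2)
        elif line and not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.split(":")[:3]
            acl["entries"][(tag, qualifier)] = perms[:3]
    return acl

def has_perm(acl, user, groups, bit):
    """POSIX ACL check for one bit: owner, named user, groups, then other."""
    e = acl["entries"]
    mask = e.get(("mask", ""), "rwx")  # the mask caps named users and groups
    if user == acl["owner"]:
        return bit in e[("user", "")]
    if ("user", user) in e:
        return bit in e[("user", user)] and bit in mask
    matched = [e[("group", "")]] if acl["group"] in groups else []
    matched += [e[("group", g)] for g in groups if ("group", g) in e]
    if matched:
        return any(bit in p for p in matched) and bit in mask
    return bit in e[("other", "")]

def first_blocked(path_acls, user, groups):
    """Return the first directory the user cannot search (no x), else None."""
    for path, text in path_acls:
        if not has_perm(parse_getfacl(text), user, groups, "x"):
            return path
    return None
```

The check does not model root's capability override, which is why user::rw- on the directory does not lock root out.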
CERTIFIED EXPERT

Author

Commented:
Yep, that did it.  

But now one more question needs to be answered, not that you haven't helped me enough already.

Is there a way to have anything created under rsyslog inherit the acl? For example, if we add another Cisco device, which would create a new directory in /var/log/rsyslog, would I have to go and add the acl again? Or is there a way to have the new directory inherit the acl from its parent directory?

CERTIFIED EXPERT

Author

Commented:
Hmm, also a new log is created every day for every device, will this file need the acl updated as well?