RHEL how to access /var/log files

We have RHEL servers and root has access to /var/log.
I want to give access to USER_A.
The point is that these are in "circular" mode, so when they get recreated, USER_A doesn't have access to these files any more.

How can I correct this issue? Any input would be appreciated.
c_hockland asked:

Frosty555 commented:
The behavior of the logfile permissions is controlled by logrotate; it is NOT governed by the syslog service, as you might otherwise be inclined to think. Syslog uses whatever permissions already happen to be set on the logfile; it's up to you (or, in this case, up to logrotate) to actually create the file with the appropriate permissions.

Logrotate is configured by the files in /etc/logrotate.d/, or if that doesn't exist, by the config file /etc/logrotate.conf.

This configuration is where you tell logrotate how to behave for different log files - what the permissions for the new logfile should be, how often it is rotated, what happens when the file is empty, whether to compress the logfile when rotating etc...

Read the man page for logrotate:

http://linux.die.net/man/8/logrotate

And look at some of the existing conf files on your system to get an idea for how your logs are being rotated.

In my case, I have a custom application running on my server which saves to the logfile "/var/log/myapp.log". I want that log to rotate, and that log file to be readable by users other than root - very similar situation as yours.

So, I have a file /etc/logrotate.d/myapp, which contains the following:

/var/log/myapp.log {
    weekly
    notifempty
    missingok
    create 0644 root root
}

This means rotate the log weekly, don't rotate if the logfile is empty, it's not an error condition if the logfile is missing, and after rotating, create the file with 0644 permissions (u=rw,g=r,o=r) and with ownership set to "root:root".

Note that this doesn't affect already existing files in the /var/log directory, you'll have to chmod those files yourself manually.
0
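As an added example (not part of the thread, and not Frosty555's configuration), the following shell script turns the stanza above into the group-based variant the question actually needs: it writes a logrotate stanza whose "create" line makes the recreated log owned by root and readable by a group, tightens the files that already exist in the directory (which logrotate does not touch), and verifies the result. Group_A and /var/log/myapp.log are the thread's placeholders; the mode 0640 is this example's choice, so the logs become readable by that group without being opened to every user on the host. The dry run uses logrotate's own -d (debug) flag, which reports what would happen without rotating anything.

```shell
#!/bin/sh
# Added example (not from the thread): make logrotate recreate a log readable
# by a group, and fix the files that already exist. Group_A and
# /var/log/myapp.log are placeholders from the thread; mode 0640 is this
# example's choice.
set -eu

# Emit a logrotate stanza for $1 (log path) that recreates it as root:$2, mode 0640
write_stanza() {
    log="$1"; group="$2"
    cat <<EOF
$log {
    weekly
    rotate 4
    notifempty
    missingok
    compress
    delaycompress
    create 0640 root $group
}
EOF
}

# logrotate's "create" only applies to the file it makes after a rotation;
# existing files keep whatever mode they have, so tighten those by hand.
fix_existing() {
    dir="$1"; group="$2"
    for f in "$dir"/*.log; do
        [ -f "$f" ] || continue
        chgrp "$group" "$f"
        chmod 0640 "$f"
    done
}

# Report every .log under $1 that is not mode 640 and group $2; returns 1 if any
check_perms() {
    dir="$1"; group="$2"; rc=0
    for f in "$dir"/*.log; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        grp=$(stat -c '%G' "$f")
        if [ "$mode" != "640" ] || [ "$grp" != "$group" ]; then
            echo "wrong permissions: $f ($mode $grp)"
            rc=1
        fi
    done
    return "$rc"
}

# Dry-run the stanza with logrotate -d (nothing is rotated) when it is installed
dry_run() {
    conf="$1"
    if command -v logrotate >/dev/null 2>&1; then
        logrotate -d -s "${TMPDIR:-/tmp}/logrotate-example.state" "$conf"
    else
        echo "logrotate not installed; skipping dry run"
    fi
}

# Usage (as root, on a real host):
#   write_stanza /var/log/myapp.log Group_A > /etc/logrotate.d/myapp
#   fix_existing /var/log Group_A
#   check_perms /var/log Group_A && dry_run /etc/logrotate.d/myapp
```

Run check_perms again after the next rotation: if the new file still comes out wrong, the stanza is not the one logrotate is applying to that path (another file under /etc/logrotate.d or logrotate.conf may match it first).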

woolmilkporc commented:
This is a classic task for "sudo" and "sudoedit".

sudo should be installed by default on your system, so change the sudo configuration like this:

Run

visudo

An editor (probably vim) will open and load the file /etc/sudoers.

Add:

USER_A   ALL = NOPASSWD: sudoedit /var/log/myfile.log

Save the file as usual.

USER_A can now issue

sudoedit /var/log/myfile.log

to edit (vim) the log file with root privileges.

To allow editing all files under /var/log you could add this line instead of the above one:

USER_A   ALL = NOPASSWD: sudoedit /var/log/*

wmp
0
c_hockland (author) commented:
OK, just one variation... they only need read access.
and instead of USER_A it has to be Group_A

so what changes ?

many thanks.
0

woolmilkporc commented:
Specify an existing Unix group like this:

%Group_A   ALL = NOPASSWD: sudoedit /var/log/*

Please note the percent sign!

Granting read access only is not possible with sudoedit, unfortunately.

Do your users need an editor to access the file?
Couldn't "more" (or "less") do the trick?

%Group_A   ALL = NOPASSWD: /usr/bin/less /var/log/*

This solution implies that the respective user must issue

sudo less /var/log/myfile.log

to display the file's contents
0
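As an added example (not from the thread, and not woolmilkporc's own commands), this script installs the "sudo less" rule above as a drop-in under /etc/sudoers.d and checks it the way an administrator would before relying on it: the file gets the 0440 mode sudo requires (a drop-in with the wrong mode is refused), and visudo -cf syntax-checks it so a typo cannot break sudo for everyone. The rule also carries sudo's NOEXEC tag, which stops the pager from launching other programs as root; a plain "sudo less" rule grants more than read access, because less can run external commands. Group_A is the thread's placeholder; the target directory can be overridden so the check runs against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread): install the "sudo less" rule as a
# /etc/sudoers.d drop-in and check it. Group_A is the thread's placeholder;
# the directory defaults to /etc/sudoers.d and may be overridden for testing.
set -eu

# The rule text. NOEXEC is sudo's tag that blocks the command from executing
# further programs, which limits what a pager run as root can do.
sudoers_rule() {
    group="$1"
    printf '%%%s ALL = NOPASSWD: NOEXEC: /usr/bin/less /var/log/*\n' "$group"
}

# Write the drop-in with the mode sudo insists on (0440). sudo ignores files in
# sudoers.d that are group/world writable, and skips names containing "." or "~".
install_rule() {
    group="$1"; dir="${2:-/etc/sudoers.d}"
    f="$dir/90-${group}-logs"
    umask 077
    sudoers_rule "$group" > "$f"
    chmod 0440 "$f"
    echo "$f"
}

# Octal mode of the drop-in, so the 0440 requirement can be checked
rule_mode() {
    stat -c '%a' "$1"
}

# Syntax-check one file with visudo (-c check, -f file) when visudo is present;
# a malformed sudoers file can lock every user out of sudo.
validate_rule() {
    f="$1"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$f"
    else
        echo "visudo not installed; skipping syntax check of $f"
    fi
}

# Usage as root:  f=$(install_rule Group_A) && validate_rule "$f"
```

Even with NOEXEC, the glob /var/log/* still lets the group page through every file in the directory, including logs that hold authentication details; list the specific files instead of the wildcard if the group should see only the application log.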
c_hockland (author) commented:
My boss doesn't approve of having the users issue sudo.

Is there another way to do it, maybe with logrotate, or another approach to avoid sudo?
0
woolmilkporc commented:
Do you use "logrotate" to rotate the files in question?

If so please reread Frosty555's comment above.

The clue is the "create" statement, which defines user/group and permissions of the new original logfile after rotation. You don't have to specify user and group, if it's just for read access specify "create 0644" similar to what's been suggested by Frosty555.

If you don't use logrotate, what do you mean with "circular" mode?
Is there an application which would cycle the logs?

If so, and if you can't change that application's behaviour, you could, as a last resort, run a cron job regularly to add "read" permission for "others" to the files in /var/log.

Example crontab entry to allow read access for "others" to all files in /var/log every full hour:

0 * * * * /usr/bin/chmod o+r /var/log/*

Add the above line to root's crontab by means of "crontab -e"
0