log files

I have a file called /var/log/secure. I have changed the permissions to 640 however, every morning it changes back to 644. I checked the logrotate config and that is also set at 640. What is the problem here?
Raymond BarberSenior Linux Systems EngineerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jason CarsonComputer TechnicianCommented:
Is there anything being run every morning via cron that could be causing it?
Within logrotate when it rotates, do you have it set the permissions to create the file if not, the permissions are set when the first event is sent to syslog/rsyslog or ssh creates the file at which the unmask settings which are commonly 022 is what results in the new files permission settings.
Have you given thought to setting the permission on the log to 751 or 750?
nociSoftware EngineerCommented:
@arnold, why would the x bit be needed? Do like the files to be executable?
For files the default create mask = 666 with umask 022 => 644.

Setting umask to 026 in the startupscript of the syslog daemon would solve the issue.  from that side
Otherwise explicitely creating the file from logrotate with touch, and then chmodding them to 640 BEFORE restarting syslog daemon may help as well.
the x bit set I recommended is on the directory log (should have made it clearer using full path ....) not on the file.
logrotate has the create mode owner group file directive that is preferred to touch since touch would follow umask rules.

i.e. create 0600 root group, which will create the file being rotated not sure why would you want to grant a group access to the /var/log/secure file?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Raymond BarberSenior Linux Systems EngineerAuthor Commented:
Thanks Arnold. As a part of our global policy I need to have the file structure set this way. I am not a fan just following the rules. Thanks for the feedback much appreciated.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.