Scenario / Questions

My application requires read access to /var/log/messages, which belongs to user and group root. What is the minimal exposure level required on /var/log/messages so my application can read it?

Presently, my plan is to change the group ownership of /var/log/messages to a new group, and add root and my application user to it, but this would also give the application write privileges to /var/log/messages.

OS: Centos 5.5

Find below all possible solutions or suggestions for the above questions..

Suggestion: 1

No need to add root to the group as it will have access via the user privs anyways, just give group read to what ever group you decide. Remember to make the changes with logrotate as well or the group changes will get wiped nightly.

Suggestion: 2

Just to expand a little on the above answers here is a real world use case.
I run the enterprise log analysis application Splunk on a Redhat box. It runs under the splunk user and splunk group. This prevents splunk accessing the logs in /var/log as they are only accessible by root (or a sudo admin)

In order to allow read only access for splunk only I’ve used some ACL’s and modified logrotate to persist it.

You can manually set the ACL with

sudo setfacl -m g:splunk:rx /var/log/messages

This will not persist as logrotate will not re-apply the ACL setting so for a more permanent solution I added a rule to logrotate to reset the ACL.
I added the file..

/etc/logrotate.d/Splunk_ACLs

with

{
    postrotate
        /usr/bin/setfacl -m g:splunk:rx /var/log/cron
        /usr/bin/setfacl -m g:splunk:rx /var/log/maillog
        /usr/bin/setfacl -m g:splunk:rx /var/log/messages
        /usr/bin/setfacl -m g:splunk:rx /var/log/secure
        /usr/bin/setfacl -m g:splunk:rx /var/log/spooler
    endscript
}

Check the ACL status of a file with

$ getfacl /var/log/messages

For more info on ACL’s see
https://help.ubuntu.com/community/FilePermissionsACLs
http://bencane.com/2012/05/27/acl-using-access-control-lists-on-linux/

Suggestion: 3

Your plan is acceptable and in the “traditional” Unix permissions scheme is the best way to go.
Another option is to have syslog divert the messages of interest to another file (which avoids giving the app user access to anything sensitive that may be in /var/log/messages).

If you don’t feel like being bound by the traditional permissions scheme of User/Group/Other you can also use POSIX ACLs (other, possibly better howtos/info available via Google) to give your app user read-only access to /var/log/messages — this is a bit more fine-grained and doesn’t risk accidentally putting someone else in the application’s group and giving them access to things they shouldn’t be able to see.

Suggestion: 4

Yip I’ve used setfacl to do this to give access to the mail.log file for a customer, not you will also need to stick a command in the logrotate.conf file to re-set the ACL after the logs have been rotated eg:

postrotate
         /usr/bin/setfacl -m o::r /var/log/mail.log  
endscript

Note I’ve only just set this up, and have not tested, but though it would post back here, can.t see why it wouldn.t work, someone correct me if I’m wrong.

Suggestion: 5

You can use ACL for this. It allows you to set specific additional access rules for specific users and files.

Suggestion: 6

once you configured your ACL as other people said, instead of put all your acl rules in the postrotate configuration, you can swith logrotate to use copytruncate instead of creating a new log file each time