custom log files location and permissions

afora
Level 3
Posts: 164
Joined: Mon Aug 26, 2019 7:35 pm

custom log files location and permissions

Post by afora »

I have an unattended sudo script which I implemented with sudoer which runs silently under the currently logged in user.

I would like to save sout and serr to custom rooted log files which could be reviewed or emailed on demand. Now my dilemma is:
  • If log files are saved under some expected location of say /var/logs, they will be owned by root. Which creates an additional layer of complexity I do not know how to resolve - because the operand > will not work where sudo is required. The alternative is to allow the tee command to run under sudo passwordless, but this is not a very secure solution for obvious reasons.
  • The other alternative is to save logs as user owned files. This is also not ideal from the security point of view + it would be great not to replicate the functional areas which already exist such as /var/logs.
Can anybody recommend a possible structural solution to this? How do seasoned system administrators handle this? I may be missing other possibilities, so any feedback would be appreciated.

Thank you!

ciniset
Level 2
Posts: 64
Joined: Thu Dec 28, 2017 10:14 am

Re: custom log files location and permissions

Post by ciniset »

Let's say you want to output something in /var/log.
If you say:

Code:

sudo echo "test" > /var/log/test.log

you will get the error

Code:

bash: /var/log/test.log: Permission denied

Pretty obvious why. But if you say:

Code:

sudo sh -c 'echo "test" > /var/log/test.log'

things are OK :) so adapt your script as needed.

afora
Level 3
Posts: 164
Joined: Mon Aug 26, 2019 7:35 pm

Re: custom log files location and permissions

Post by afora »

Thanks ciniset, I was kind of thinking about the same approach.

What I was not very clear about is any security implications if I used sudo sh -c when using passwordless with sudoer. Am I correct in thinking that if I wanted to get the above echo command to sudoer, I'd have to grant passwordless rights to the whole sh?

Code:

user123 ALL = (ALL) NOPASSWD: /bin/sh

That would be quite extreme security wise, or am I missing something?

ciniset
Level 2
Posts: 64
Joined: Thu Dec 28, 2017 10:14 am

Re: custom log files location and permissions

Post by ciniset »

Put in /etc/sudoers

Code:

user123 ALL = (ALL) NOPASSWD: /usr/local/bin/zzztest

and in /usr/local/bin/zzztest put

Code:

#!/bin/sh
sh -c 'echo "test" > /var/log/test.log'

You will then call it with

Code:

sudo zzztest
:)
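
A NOPASSWD rule for a wrapper such as /usr/local/bin/zzztest is only as narrow as the wrapper file is tamper-proof, and the wrapper can send both stdout and stderr to the root-owned log itself. The sketch below is an added example, not code from this thread: `emit_wrapper` and `audit_wrapper` are hypothetical helper names, the log path is whatever you pass in, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example; the paths and names passed in are hypothetical.

# Print a root-side wrapper that appends its own stdout and stderr to one
# fixed log file. It takes no arguments and sets its own PATH and umask, so
# a NOPASSWD rule naming it grants exactly one behaviour.
emit_wrapper() {    # $1 = absolute log path, e.g. /var/log/zzztest.log
    case $1 in /*) ;; *) echo "log path must be absolute" >&2; return 1 ;; esac
    case $1 in *\'*) echo "log path must not contain quotes" >&2; return 1 ;; esac
    cat <<EOF
#!/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
umask 027
exec >>'$1' 2>&1
echo "\$(date -u +%Y-%m-%dT%H:%M:%SZ) job start"
echo "sample warning from the job" >&2
EOF
}

# Check that a wrapper named in sudoers cannot be replaced by the user it is
# granted to: absolute path, regular file (no symlink), owned by the expected
# uid, and neither it nor its directory writable by group or others.
audit_wrapper() {   # $1 = wrapper path, $2 = expected owner uid (default 0)
    f=$1 want=${2:-0}
    case $f in /*) ;; *) echo "FAIL not an absolute path: $f"; return 1 ;; esac
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "FAIL not a regular file: $f"; return 1
    fi
    for p in "$f" "$(dirname "$f")"; do
        set -- $(stat -c '%u %a' "$p")      # GNU stat: owner uid, octal mode
        [ "$1" = "$want" ] || { echo "FAIL $p owned by uid $1"; return 1; }
        [ $(( 0$2 & 022 )) -eq 0 ] || { echo "FAIL $p mode $2 is writable"; return 1; }
    done
    echo "OK $f"
}
```

Install the emitted wrapper as root with mode 0755, then run `audit_wrapper` on its path before adding the sudoers line.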
