Group ownership of /var/log/syslog

Hello,
We are attempting to allow multiple users to have read-only access to /var/log/syslog. All the users are in an AD/LDAP group called “DC Backup Hosts”. We can manually chgrp the file to “DC Backup Hosts”, but it is getting overwritten every night when logrotate runs. I have attempted changing the permissions in the /etc/univention/templates/files/etc/resolv.conf file and restarted rsyslog, but that didn’t work. When I look at /etc/univention/templates/files/logrotate.conf, it is setting the log files to 640 root adm. Since this variable is in the UCR, I have tried changing the logrotate/create variable to 640 root DC Backup Hosts, 640 root “DC Backup Hosts”, 640 root 'DC Backup Hosts', and 640 root dc_backup_hosts. Anything with a space in it fails because I am giving too many arguments to the create command. Anything all one word fails with an unknown group.

I think my issue is that the DC Backup Hosts group is an AD group and not defined on the local system in /etc/groups. But then I don’t understand how it works when we manually change it, except we are using the chmod and chgrp commands instead of the logrotate cron job.

Hey,

first of all, logrotate doesn’t support group names with spaces at the moment. So don’t try to do that. Use a different group instead.

Why are you placing users in a group used for machines? That doesn’t make a lot of sense to me. Note that this also widens access in unexpected ways. For example, the SSL certificates and their private keys in /etc/univention/ssl (which amounts to all SSL certificates for the whole UCS domain) are readable for members of the DC Backup Hosts group so that DC Backup machines can copy the certificates from the DC Master.

Don’t do that.

Why do you think that /etc/resolv.conf (and therefore the template it’s generated from) has anything to do with rsyslog? resolv.conf is used for configuring DNS resolution.

No, that’s completely unrelated. logrotate doesn’t search groups directly in /etc/group; it uses the default NSS (Name Service Switch) system. That is configured via /etc/nsswitch.conf. On a UCS system this means that group names are looked up in LDAP, too. You can use an LDAP group in logrotate, just not one with spaces in its name because, as I said, logrotate doesn’t support spaces in group names.

Kind regards,
mosu
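The two checks mosu's reply boils down to, as an added example that is not part of the original thread or of Univention's own code: a candidate group for logrotate's `create` directive must contain no whitespace (logrotate tokenizes the line on spaces, which is why "too many arguments" appeared), and it must resolve through NSS, i.e. `getent group`, which on UCS consults LDAP per /etc/nsswitch.conf rather than only /etc/group. The group name `syslog-readers` below is a hypothetical replacement for "DC Backup Hosts"; the UCR command in the comment is the standard `ucr set` and is shown only as the place the resulting line would go.

```shell
#!/bin/sh
# Added example: validate a group for logrotate's "create MODE OWNER GROUP"
# directive the way logrotate itself would see it, then emit the line.
# Not code from the original thread or from UCS.

# True if GROUP resolves through NSS (LDAP on UCS, as set in /etc/nsswitch.conf).
# Falls back to a local /etc/group scan only where getent is unavailable;
# that fallback deliberately mirrors the poster's mistaken model and is labelled.
group_resolves() {
    if command -v getent >/dev/null 2>&1; then
        getent group "$1" >/dev/null 2>&1
    else
        # degraded check: local files only, no LDAP (assumption: getent missing)
        grep -q "^$1:" /etc/group 2>/dev/null
    fi
}

# usage: logrotate_create_line MODE OWNER GROUP
# prints "create MODE OWNER GROUP" on success; exit 2 = whitespace in the
# group name, exit 3 = group not resolvable via NSS.
logrotate_create_line() {
    mode=$1; owner=$2; group=$3
    case "$group" in
        *[[:space:]]*)
            # logrotate splits the directive on whitespace, so "DC Backup Hosts"
            # becomes three extra arguments instead of one group name.
            echo "error: group '$group' contains whitespace; logrotate would see extra arguments" >&2
            return 2 ;;
    esac
    if ! group_resolves "$group"; then
        echo "error: group '$group' does not resolve via NSS (check /etc/nsswitch.conf and LDAP)" >&2
        return 3
    fi
    printf 'create %s %s %s\n' "$mode" "$owner" "$group"
}

# Show how logrotate would tokenize a line: word count tells the story.
# usage: directive_word_count "create 640 root DC Backup Hosts"  -> 6
directive_word_count() {
    set -- $1
    echo $#
}

# Example run (syslog-readers is a hypothetical LDAP group with no spaces):
#   logrotate_create_line 640 root "DC Backup Hosts"   # fails, exit 2
#   logrotate_create_line 640 root syslog-readers      # create 640 root syslog-readers
# On UCS the resulting value would go into the UCR variable, e.g.
#   ucr set logrotate/create="640 root syslog-readers"
```

Run with `sh` on the UCS host where the LDAP group exists; on any other machine only `root` or another local group will pass the NSS step, which is itself the point: the lookup goes through whatever sources nsswitch.conf lists, not through a hard-coded /etc/group.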
