LinuxQuestions.org
Old 11-24-2023, 06:53 AM   #1
tuxthegreat
Member
 
Registered: Mar 2018
Distribution: Ubuntu Mate, OSX, Win10, ODROID-N2+
Posts: 180

Rep: Reputation: Disabled
Guys I need your help, I can access my syslog with my normal user, permissions are messed up


I did
Code:
ls -l /var/log/syslog
and got the result
Code:
-rw-r--r-- 1 syslog adm 198407 Nov 24 13:30 /var/log/syslog
Now I know that that extra r at the end shouldn't be there, how can I fix my permissions so that only root can access my syslog? Because as of right now I can
Code:
 cat /var/log/syslog
without root password and it's driving me nuts.

My system specs are as follows. Ubuntu MATE 16.04 with ESM updates until 2024. My kernel is
Code:
uname -r
6.5.12-x64v1-xanmod1
 
Old 11-24-2023, 08:13 AM   #2
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 799

Rep: Reputation: 256
Code:
chmod 640 /var/log/syslog
Make sure whatever is rotating your logs is setting it correctly as well or it will go back to whatever it is set as.
 
1 members found this post helpful.
Old 11-24-2023, 11:05 AM   #3
tuxthegreat
Member
 
Registered: Mar 2018
Distribution: Ubuntu Mate, OSX, Win10, ODROID-N2+
Posts: 180

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by jayjwa View Post
Code:
chmod 640 /var/log/syslog
Make sure whatever is rotating your logs is setting it correctly as well or it will go back to whatever it is set as.
Hey it worked, I got permission denied. Now let's hope that I didn't break syslog and the OS won't have a place to put its syslog complaints. I am crossing my flippers.
 
Old 11-24-2023, 11:17 AM   #4
lvm_
Member
 
Registered: Jul 2020
Posts: 984

Rep: Reputation: 348
Quote:
Originally Posted by tuxthegreat View Post
how can I fix my permissions so that only root can access my syslog? Because as of right now I can without root password and it's driving me nuts.
Why? There is no explicit security information in syslog. If it falls into the wrong hands, the worst that can happen is that it will provide some information about the system configuration which may be helpful when probing for weaknesses and vulnerabilities but, as it is usually done by automated Metasploit scanning, not by careful perusing of the logs and picking individual opportunities, your logs are useless for hackers. Don't bother. BTW the default access settings for syslog are not just root, but root and all users in the group adm.
 
1 members found this post helpful.
Old 11-24-2023, 04:49 PM   #5
tuxthegreat
Member
 
Registered: Mar 2018
Distribution: Ubuntu Mate, OSX, Win10, ODROID-N2+
Posts: 180

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by lvm_ View Post
Why? There is no explicit security information in syslog. If it falls into the wrong hands, the worst that can happen is that it will provide some information about the system configuration which may be helpful when probing for weaknesses and vulnerabilities but, as it is usually done by automated Metasploit scanning, not by careful perusing of the logs and picking individual opportunities, your logs are useless for hackers. Don't bother. BTW the default access settings for syslog are not just root, but root and all users in the group adm.
I wasn't aware, thank you for telling me this information, it is really helpful.
 
Old 11-25-2023, 06:25 AM   #6
tuxthegreat
Member
 
Registered: Mar 2018
Distribution: Ubuntu Mate, OSX, Win10, ODROID-N2+
Posts: 180

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by jayjwa View Post
Code:
chmod 640 /var/log/syslog
Make sure whatever is rotating your logs is setting it correctly as well or it will go back to whatever it is set as.
How would I go about checking my log rotating and set it correctly? Here is my /etc/logrotate.d/rsyslog config file
Code:
/etc/logrotate.d# cat rsyslog
/var/log/syslog
{
	rotate 7
        size=50M
	daily
	missingok
	notifempty
	delaycompress
	compress
	postrotate
		invoke-rc.d rsyslog rotate >/dev/null
	endscript
}

/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/rsyslog.log
/var/log/debug
/var/log/messages
{
	rotate 4
	weekly
	missingok
	notifempty
	compress
	delaycompress
	sharedscripts
	postrotate
		invoke-rc.d rsyslog rotate >/dev/null
	endscript
}
And here is my /etc/logrotate.conf file

Code:
 cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly

# use the syslog group by default, since this is the owning group
# of /var/log/syslog.
su root syslog

# keep 4 weeks worth of backlogs
rotate 4

# restrict maximum size of log files
size 250M

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0660 root utmp
    rotate 1
}

# system-specific logs may be configured here
Do you see anything in there that would affect my syslog by changing permission to user again after the next rotation?

Last edited by tuxthegreat; 11-25-2023 at 06:35 AM.
 
Old 11-25-2023, 12:36 PM   #7
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 799

Rep: Reputation: 256
The umask of whoever is running logrotate might set it back to 644 after rotation. You could chmod in the postrotate section of the syslog stanza if that happens. That's kind of hacky, and you might want to study/learn logrotate from its manpage if you want to do more fancy things than the default for your system.
 
1 members found this post helpful.
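
The rotation question in posts #6 and #7, as an added example that is not part of any post in this thread: a shell check that reads logrotate configuration and reports which `create` directive governs a log's stanza, so you can tell whether the next rotation keeps, restricts or loosens the file mode. The function names and sample files are constructed for illustration, and the `create 0640 syslog adm` variant is an assumed fix, not something posted here.

```shell
#!/bin/sh
# Added example. Usage: effective_create LOG CONF...
# Prints the arguments of the "create" directive that governs LOG's stanza:
# the stanza's own, else the global one seen earlier ("inherit" for a bare
# "create", which reuses the old file's mode and owner; "none" if absent).
# "include" lines are not followed: pass the included files in order.
effective_create() {
    target=$1; shift
    awk -v target="$target" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        $0 == "" { next }
        !inblk && /^\// { for (i = 1; i <= NF; i++) if ($i == target) hit = 1 }
        !inblk && /[{]$/ { inblk = 1; own = ""; next }
        inblk && $0 == "}" {
            if (hit && !done) { res = (own != "") ? own : (glob != "" ? glob : "none"); done = 1 }
            inblk = 0; hit = 0; next
        }
        $1 == "create" {
            args = (NF == 1) ? "inherit" : substr($0, index($0, $2))
            if (inblk) own = args; else glob = args
        }
        END { print (done ? res : "no-stanza") }
    ' "$@"
}
# verdict LOG CONF... : classify the mode the next rotation gives LOG
verdict() {
    mode=$(effective_create "$@" | cut -d" " -f1)
    case $mode in
        inherit|none|no-stanza) echo "$mode" ;;
        *[!0-7]*) echo "inherit" ;;            # "create owner group": mode omitted
        *[4567]) echo "world-readable" ;;      # last octal digit has the read bit
        *) echo "restricted" ;;
    esac
}
# Constructed samples modelled on the files posted in this thread
write_samples() {
    printf '%s\n' weekly 'su root syslog' create '/var/log/wtmp {' '    create 0664 root utmp' '}' > "$1/logrotate.conf"
    printf '%s\n' /var/log/syslog '{' '    rotate 7' '    daily' '}' > "$1/rsyslog"
    printf '%s\n' /var/log/syslog '{' '    rotate 7' '    create 0640 syslog adm' '}' > "$1/rsyslog.fixed"
}
d=$(mktemp -d) && write_samples "$d"
verdict /var/log/syslog "$d/logrotate.conf" "$d/rsyslog"         # inherit
verdict /var/log/wtmp   "$d/logrotate.conf"                      # world-readable
verdict /var/log/syslog "$d/logrotate.conf" "$d/rsyslog.fixed"   # restricted
rm -rf "$d"
```

On a real system the call would be `verdict /var/log/syslog /etc/logrotate.conf /etc/logrotate.d/rsyslog`; `inherit` means the rotated-in file takes whatever mode the current file has.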
Old 11-25-2023, 01:13 PM   #8
jmgibson1981
Senior Member
 
Registered: Jun 2015
Location: Tucson, AZ USA
Distribution: Debian
Posts: 1,151

Rep: Reputation: 393
Are you running Ubuntu? One of the default user groups is adm. If your user is in that group then you have read permissions as you showed. To remove that just remove yourself from the group. Much better choice than messing with permissions outside of your home folder.

Code:
-rw-r--r-- 1 syslog adm 198407 Nov 24 13:30 /var/log/syslog
 
1 members found this post helpful.
Old 11-25-2023, 02:24 PM   #9
tuxthegreat
Member
 
Registered: Mar 2018
Distribution: Ubuntu Mate, OSX, Win10, ODROID-N2+
Posts: 180

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by jmgibson1981 View Post
Are you running Ubuntu? One of the default user groups is adm. If your user is in that group then you have read permissions as you showed. To remove that just remove yourself from the group. Much better choice than messing with permissions outside of your home folder.

Code:
-rw-r--r-- 1 syslog adm 198407 Nov 24 13:30 /var/log/syslog
Ok I looked up removing groups and here is what I got
Code:
~# groups tuxthegreat
tuxkthegreat : tuxthegreat sudo deluge
Is this the group I want to edit or is it a different group? Why is deluge in that group? I will remove deluge from the group by doing
Code:
 usermod -G tuxthegreat,sudo tuxthegreat
root@tuxthegreat:~# groups tuxthegreat
tuxthegreat : tuxthegreat sudo
Now deluge is gone from the group, are there any other groups I should edit? Is there a groups -list command or something of that nature? This is very helpful as I am going to attempt to install LFS in the upcoming weeks.

Last edited by tuxthegreat; 11-25-2023 at 03:08 PM.
 
Old 11-27-2023, 11:53 PM   #10
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,369

Rep: Reputation: 2753
You're using the word 'group' wrong there..

What you mean is 'deluge' in the list of groups your user is in.

The list of all avail groups (on a locally adminned machine) is /etc/group.

HTH
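
How the permission class is chosen for the listing discussed in this thread, as an added example that is not part of any post: exactly one of owner, group or other applies to a given user, with no fall-through to a later class. `read_class` is a hypothetical helper; the `ls -l` line and the group list come from the posts above, `alice` is a constructed user, and ACLs are ignored.

```shell
#!/bin/sh
# Added example. read_class "LS_L_LINE" USER "GROUPS OF USER"
# Prints which permission class lets USER read the file (owner, group, other),
# "root" for the superuser, or "denied". Classic mode bits only, no ACLs.
read_class() {
    user=$2 member_of=$3
    set -- $1                      # split the ls -l line: $1 mode, $3 owner, $4 group
    if [ "$user" = root ]; then echo root; return; fi
    # Only the first matching class is consulted: owner, then group, then other.
    if [ "$user" = "$3" ]; then class=owner pos=2
    elif printf ' %s ' "$member_of" | grep -qF " $4 "; then class=group pos=5
    else class=other pos=8
    fi
    # pos is the column of that class's read bit in the mode string
    if [ "$(printf %s "$1" | cut -c"$pos")" = r ]; then echo "$class"; else echo denied; fi
}

# Listing from post #1 and the group list from post #9
before='-rw-r--r-- 1 syslog adm 198407 Nov 24 13:30 /var/log/syslog'
# Same file after chmod 640 (constructed line)
after='-rw-r----- 1 syslog adm 198407 Nov 24 13:30 /var/log/syslog'

read_class "$before" tuxthegreat 'tuxthegreat sudo deluge'   # other
read_class "$after"  tuxthegreat 'tuxthegreat sudo deluge'   # denied
read_class "$after"  alice 'alice adm'                       # group
```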
 
Old 11-28-2023, 12:24 AM   #11
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 7,682
Blog Entries: 19

Rep: Reputation: 4492
Quote:
Originally Posted by tuxthegreat View Post
This is very helpful as I am going to attempt to install LFS in the upcoming weeks.
When you build LFS, you create a special LFS user first to do the job, and then construct a standard environment for them, precisely so that you don't carry over any weirdness from your distro's default environment.
 
1 members found this post helpful.
  


Tags
kernel, permissions, syslog, ubuntu mate


