On Thu 2019-08-29 15:23:07 +0000, Dmitry Bogatov wrote:

> Thank you. I wasn't aware of such problems.

Thanks for the quick response, Dmitry.

> Then I plan to change the script to the following:
>
>   1 #!/bin/sh
>   2 chown runit-log:adm '/var/log/runit/tor'
>   3 chmod 750 '/var/log/runit/tor'
>   4 umask 0022
>   5 exec chpst -u runit-log svlogd -tt '/var/log/runit/tor'
>
> The idea is that since /var/log/runit/tor is 750, log files actually can
> only be read by group=adm, even though their permission is 644.

This looks reasonable and correct to me.

I think you can even omit the "umask 0022" part on line 4: svlogd uses
openat() to open its "current" file with mode 0600 initially, so there's
no race condition that leaves a window where the "current" file will get
automatically opened with too-loose permissions.

Looking at svlogd, it appears that after opening, it deliberately uses
fchmod() to set the mode of "current" to 0644 (and it also sets the
rotated-out file to 0755 at rotation time; i don't know why rotated-out
files are marked executable!). But that suggests that the old line 4
"chmod" action didn't do what you wanted it to do anyway, at least with
respect to newly-logged data.

(i don't know why svlogd is so aggressive about ensuring that the files
it writes to are world-readable, but that's probably a separate topic.)

> Is it okay? Or does it open the door for some other tricks that would
> allow log reading by non-:adm users? Or some other problems?

i don't see any other problems with it! while that doesn't mean it's
problem-free, i think it's an improvement :)

--dkg
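As an added example (not part of the thread, and not runit's or svlogd's own code), a small POSIX sh audit of the property Dmitry's script relies on: a 750 directory shielding log files that svlogd itself marks 0644 or 0755. It assumes GNU stat(1) and find(1); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the bug thread: audit a svlogd log directory for
# the property Dmitry's script relies on, a 750 directory shielding files
# that svlogd itself marks 0644 (current) or 0755 (rotated). Assumes GNU
# stat(1) and find(1); the function names are the example's own.

# mode_of PATH: octal permission bits as printed by GNU stat, e.g. 750.
mode_of() { stat -c '%a' "$1"; }

# dir_blocks_other DIR: succeed when "other" lacks the search (x) bit on DIR,
# so users outside the owning group cannot open anything beneath it even if
# the files themselves are world-readable.
dir_blocks_other() {
    [ -d "$1" ] || return 2
    mode=$(mode_of "$1")
    other=${mode#"${mode%?}"}          # last octal digit = "other" bits
    [ $(( other & 1 )) -eq 0 ]
}

# world_readable_files DIR: regular files under DIR carrying o+r.
world_readable_files() { find "$1" -type f -perm -o=r; }

# audit_log_dir DIR: exit 0 when non-group users cannot read any log file,
# exit 1 and list the exposed files when a traversable directory holds
# world-readable ones (e.g. after a stray "chmod 755" on the directory).
audit_log_dir() {
    dir=$1
    if dir_blocks_other "$dir"; then
        printf '%s: mode %s shields contents from non-group users\n' \
            "$dir" "$(mode_of "$dir")"
        return 0
    fi
    exposed=$(world_readable_files "$dir")
    if [ -z "$exposed" ]; then
        printf '%s: traversable by others, but no file is world-readable\n' "$dir"
        return 0
    fi
    printf '%s: mode %s exposes world-readable files:\n' "$dir" "$(mode_of "$dir")"
    printf '%s\n' "$exposed"
    return 1
}

# Usage: ./audit-log-dir.sh /var/log/runit/tor
if [ $# -gt 0 ]; then audit_log_dir "$1"; fi
```

Run it against the service's log directory after the chown/chmod lines; a non-zero exit means the directory no longer shields svlogd's world-readable files.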