The application runs as root, creating logs that should be readable

I have this problem and would like to see the best practices in the industry.

I am writing software using an open source log library. One of the features of this library is the ability to create rotating log files. For example, if the maximum log size is 2 GB, then when the limit is reached, a new file is created and the old one is renamed.

My application needs to be running as root as it requires access to lower range port numbers. As a consequence, the logs generated by the application can only be read by the root user.

I would like the logs to be readable by any user, not just the root user. How can I achieve this? Is there an industry standard to address this problem?

+3




2 answers


You can grant administrator privileges that are independent of the root process - as an option to bind to privileged ports. It is much safer than an all-or-nothing approach of simply running the application as user root, and is considered the best solution.

In this case, you would want to give it the capability CAP_NET_BIND_SERVICE. This answer is a good starting point for how to do this.

There are two main ways to do this:

  • Create a setuid wrapper that runs as root and omits all options except those you need, and then exec the actual program
  • Use setcap to install the capabilities of an executable on one system.


For more information about the features, run the following command from a Linux terminal:

$ man 7 capabilities

or visit this site: http://linux.die.net/man/7/capabilities

+2




On a Unix-like operating system, the umask of a process controls the permissions for newly created files.

Your process appears to have set its umask to 077 (or similar), causing the group and others to not have any permissions. The standard fix would be to use a less restrictive umask, for example 022 (group and others cannot write, but can read and execute if necessary).

Note that changing your umask can have unwanted side effects: if you want the files generated by your application to be read-only as root, then you need to figure out how to set a less restrictive umask when registering, and set a more restrictive umask when creating other files. For more information on umasks see Wikipedia or this question on Ask Ubuntu.



Other, more complex solutions are possible. For example:

  • You can start the process as root, bind to low-numbered ports, and then remove permissions (assuming you don't need to bind to additional ports after initialization).
  • You should use setfacl to set the default ACL to the logfiles directory giving read permissions to whoever you need, in addition to any permissions granted by standard user / group / others.

But checking your umask is the place to start.

+2
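The umask trade-off described in the answer above, as an added example that is not part of the original answers: it keeps a restrictive umask of 077 for ordinary files and makes only the log files world-readable, once by scoping a 022 umask around log creation and once with fchmod on the open descriptor. The helper names (scoped_umask, open_log, file_mode, demo) and the file names are hypothetical and constructed for the demonstration.

```python
import os
import stat
import tempfile
from contextlib import contextmanager

@contextmanager
def scoped_umask(mask):
    """Apply `mask` inside the block, then restore the previous umask."""
    old = os.umask(mask)
    try:
        yield
    finally:
        os.umask(old)

def open_log(path, mode=0o644):
    """Open (creating if needed) a log file whose mode ends up exactly `mode`.

    The mode passed to O_CREAT is filtered by the umask, so the final bits
    are set with fchmod on the descriptor. This avoids changing the umask,
    which is process-wide and therefore shared by every thread.
    """
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, mode)
    os.fchmod(fd, mode)
    return fd

def file_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def demo():
    """Return the resulting modes of constructed sample files."""
    out = {}
    with tempfile.TemporaryDirectory() as d, scoped_umask(0o077):
        # Ordinary file under the restrictive umask: owner-only.
        state = os.path.join(d, "state.db")
        os.close(os.open(state, os.O_WRONLY | os.O_CREAT, 0o666))
        out["other_file"] = file_mode(state)
        # Log file created while a 022 umask is scoped around the call,
        # e.g. around the log library's open/rotate step.
        rotated = os.path.join(d, "app.log.1")
        with scoped_umask(0o022):
            os.close(os.open(rotated, os.O_WRONLY | os.O_CREAT, 0o666))
        out["log_scoped_umask"] = file_mode(rotated)
        # Log file created without touching the umask at all.
        current = os.path.join(d, "app.log")
        os.close(open_log(current))
        out["log_fchmod"] = file_mode(current)
        out["umask_after"] = os.umask(0o077)  # reads back 077, leaves it set
    return out

if __name__ == "__main__":
    print({k: oct(v) for k, v in demo().items()})
```

If the log library creates rotated files itself, only the scoped-umask variant (or a default ACL on the log directory) applies to them, since the application never holds the descriptor.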

