What is the most secure way to allow a user read access to a log file?

Solution 1:

Just to expand a little on the above answers here is a real world use case. I run the enterprise log analysis application Splunk on a Redhat box. It runs under the splunk user and splunk group. This prevents splunk accessing the logs in /var/log as they are only accessible by root (or a sudo admin)

In order to allow read only access for splunk only I've used some ACL's and modified logrotate to persist it.

You can manually set the ACL with

sudo setfacl -m g:splunk:rx /var/log/messages

This will not persist as logrotate will not re-apply the ACL setting so for a more permanent solution I added a rule to logrotate to reset the ACL. I added the file..



        /usr/bin/setfacl -m g:splunk:rx /var/log/cron
        /usr/bin/setfacl -m g:splunk:rx /var/log/maillog
        /usr/bin/setfacl -m g:splunk:rx /var/log/messages
        /usr/bin/setfacl -m g:splunk:rx /var/log/secure
        /usr/bin/setfacl -m g:splunk:rx /var/log/spooler

Check the ACL status of a file with

$ getfacl /var/log/messages

For more info on ACL's see https://help.ubuntu.com/community/FilePermissionsACLs http://bencane.com/2012/05/27/acl-using-access-control-lists-on-linux/

Solution 2:

No need to add root to the group as it will have access via the user privs anyways, just give group read to what ever group you decide. Remember to make the changes with logrotate as well or the group changes will get wiped nightly.

Solution 3:

Your plan is acceptable and in the "traditional" Unix permissions scheme is the best way to go.
Another option is to have syslog divert the messages of interest to another file (which avoids giving the app user access to anything sensitive that may be in /var/log/messages).

If you don't feel like being bound by the traditional permissions scheme of User/Group/Other you can also use POSIX ACLs (other, possibly better howtos/info available via Google) to give your app user read-only access to /var/log/messages -- this is a bit more fine-grained and doesn't risk accidentally putting someone else in the application's group and giving them access to things they shouldn't be able to see.

Solution 4:

Yip I've used setfacl to do this to give access to the mail.log file for a customer, not you will also need to stick a command in the logrotate.conf file to re-set the ACL after the logs have been rotated eg:

         /usr/bin/setfacl -m o::r /var/log/mail.log  

Note I've only just set this up, and have not tested, but though it would post back here, can.t see why it wouldn.t work, someone correct me if I'm wrong.