By default, /var/log/messages file can be accessed only by super user(root). The ordinary user does not even have read permission for this file.
# ls -l /var/log/messages
-rw------- 1 root root 658711 Apr 14 05:52 /var/log/messages
So how to enable read permission for an ordinary user, say xyz, for the file /var/log/messages?
Access Control Lists(acl) comes to the aid by allowing us to provide different levels of access to files and directories.
How to enable acl for Linux filesystem?
1) Install command line tool, acl, first. This package has Access Control List utilities.
# yum install acl
2) Mount the partition with acl option enabled. Edit /etc/fstab as follows
UUID=fffff7aa-57b8-40aa-baa4-588c4eff7651 / ext4 defaults,acl 1 1
3) Reboot the system for mount options to take effect.
Enable read access for user xyz for the file /var/log/messages
1) setfacl - Sets file access control list.
# setfacl -m u:xyz:r /var/log/messages
2) Check the new file permissions for /var/log/messages
# ls -l /var/log/messages
-rw-r-----+ 1 root root 658711 Apr 14 05:52 /var/log/messages
Observe that now a + is observed at the end of file permissions.
3) Verify the access permissions for the file /var/log/messages using getfacl command
getfacl - Get file access control list
# getfacl /var/log/messages
getfacl: Removing leading '/' from absolute path names
# file: var/log/messages
# owner: root
# group: root
user::rw-
user:xyz:r--
group::---
mask::r--
other::---
this works until a new file is generated. blame on logrotate.
ReplyDelete