cvs commit: src/usr.sbin/syslogd syslogd.8 syslogd.c

Garance A Drosehn gad at FreeBSD.org
Tue Mar 7 11:09:33 PST 2006


At 9:14 AM +0100 3/7/06, Pawel Jakub Dawidek wrote:
>On Mon, Mar 06, 2006 at 12:08:08PM -0500, John Baldwin wrote:
>+> Did you know about the -C option to newsyslog?  newsyslog is a
>+> better tool for creating the log files since its config file
>+> can specify permissions (owner, group, chmod).
>
>I agree, but I didn't remove this functionality from the
>newsyslog(8).  I wanted to have this simple functionality
>in syslogd(8) for a few small reasons:
>
>- I don't really buy that not creating log files is a security
>   feature.

Creating them with the wrong group, wrong chmod bits, or not
including 'nosave' on logfiles which are expected to be
'nosave' might be a problem.

>- You don't always want newsyslog(8) (eg. on an embedded system).

You don't want to rotate logfiles on an embedded system?

>- It's more handy to add a new log file and just restart syslogd
>   without any errors, instead of editing newsyslog.conf,
>   executing newsyslogd -C and then restarting syslogd.

To use this new syslogd feature, you're going to have to add
that '-C' flag somewhere.  And in /etc/defaults/rc.conf, we
already have:

newsyslog_enable="YES"  # Run newsyslog at startup.
newsyslog_flags="-CN"   # Newsyslog flags to create marked files

All you need to do is add a second '-C' to those newsyslog_flags,
and newsyslog will automatically create all log files which do
not exist.  And if you're adding a new logfile to /etc/syslog.conf,
then it seems very likely that you will also want to add a
line to newsyslog.conf to rotate that log file.

>It still would be handy to tell newsyslogd(8) to always
>correct owner and permission (which it doesn't do
>currently, AFAIK) - root:wheel 0600 should be safe default
>for a log file in the meantime.

I believe newsyslog will correct those the next time it rotates
the logfile.  I'm not sure it should add code to fix files that
are wrong only because some operation other than newsyslog
created the file, but I suspect it would be easy enough to add
that if people really think it is important.

-- 
Garance Alistair Drosehn     =      gad at gilead.netel.rpi.edu
Senior Systems Programmer               or   gad at FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA
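
Added example, not part of the original message and not FreeBSD code: a small audit that reads the mode field of each newsyslog.conf entry and reports log files that are missing or carry permission bits the entry does not grant, which is the state a file can be in between being created by something other than newsyslog and its next rotation. It assumes the usual "logfilename [owner:group] mode count size when [flags]" layout, checks the mode only (not owner:group), and runs against a constructed sample config and a temporary directory tree.

```python
import os, stat, tempfile

# Constructed sample; fields: logfilename [owner:group] mode count size when [flags]
SAMPLE_CONF = """\
/var/log/auth.log   root:wheel  600  7  100  *      JC
/var/log/messages               644  5  100  @0101T JC
/var/log/app.log    root:wheel  640  3  100  *      C
"""

def parse_newsyslog_conf(text):
    """Yield (path, declared_mode) for each log entry."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0].startswith("<"):  # blank, comment, <include>
            continue
        rest = fields[1:]
        if ":" in rest[0]:              # optional owner:group field
            rest = rest[1:]
        try:
            yield fields[0], int(rest[0], 8)
        except (IndexError, ValueError):
            continue                    # malformed entry, skip

def audit(conf_text, root=""):
    """Return (path, problem) for files that are missing or looser than declared."""
    findings = []
    for path, declared in parse_newsyslog_conf(conf_text):
        try:
            actual = stat.S_IMODE(os.stat(root + path).st_mode)
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        extra = actual & ~declared      # permission bits the config never granted
        if extra:
            findings.append((path, f"{actual:04o} grants {extra:04o} beyond {declared:04o}"))
    return findings

def demo():
    """Build a throwaway tree: auth.log too loose, messages correct, app.log absent."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(root + "/var/log")
        for name, mode in (("auth.log", 0o644), ("messages", 0o644)):
            p = f"{root}/var/log/{name}"
            open(p, "w").close()
            os.chmod(p, mode)
        return audit(SAMPLE_CONF, root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real system, pass the contents of the newsyslog.conf in use as conf_text and leave root empty.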

