aker-gateway / Aker

SSH bastion/jump host/jumpserver

aker log uses insecure 777 perms #80

Open anazmy opened 6 years ago

anazmy commented 6 years ago

Explore options to drop the need for 777 perms.

Dryusdan commented 6 years ago

The perm is not written by the ssh process? Else you can add all users to the ssh group, make 720 permission (denied read of group) or 760 :)

anazmy commented 6 years ago

Hey @Dryusdan, I think there are various options. Exploring which are the best ones.

Dryusdan commented 6 years ago

Hey o/ There are lots of options :) A daemon that writes the logs, user groups... :) Good research :)

anazmy commented 6 years ago

Combining something similar to:

```python
import logging
import logging.handlers

# Send Aker's own log records to the local syslog daemon on facility local6
# instead of writing directly to a file that every user's aker process must open.
facility = logging.handlers.SysLogHandler.LOG_LOCAL6
syslog = logging.handlers.SysLogHandler(address='/dev/log', facility=facility)
syslog.setFormatter(logging.Formatter('Aker: %(module)s %(levelname)s - %(message)s'))
logging.root.addHandler(syslog)
logging.root.setLevel(config.log_level)  # config is Aker's own settings object
```

With simple syslog config might be helpful.

anazmy commented 6 years ago

Testing the below combination, I think it provides needed separation with minimal intervention.

```sh
mkdir /var/log/aker
chmod 777 /var/log/aker/
setfacl -Rd -m o::rwX /var/log/aker/
touch /var/log/aker/aker.log
chmod 640 /var/log/aker/aker.log
```

Dryusdan commented 6 years ago

I have never seen the setfacl command :sweat_smile:

Question: when a user connects, it executes aker, so /var/log/aker/aker.log can be written by a lot of users, so I think 640 is not good :thinking:

What do you think?

anazmy commented 6 years ago

Well in this test I'm using syslog facilities instead, so that will not be a problem as users are not actually writing directly to aker.log. Plus users will have separate log dirs for their sessions output, like below:

```
# ls -altr /var/log/aker/20180820/
total 8
drwxrwxrwx+ 3 root   root     38 Aug 20 21:53 ..
drwxr-x---+ 2 jsmith jsmith 4096 Aug 20 21:53 jsmith
drwxrwxrwx+ 4 jsmith jsmith   34 Aug 20 21:53 .
drwxr-x---+ 2 anazmy anazmy 4096 Aug 20 21:53 anazmy
```
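
To check a layout like the one tested in this thread, here is an added audit script (not part of Aker or of any comment above): it walks a log tree, reports every world-writable directory or file (noting whether a world-writable directory at least has the sticky bit) and an aker.log whose mode is not 0640. `build_sample_tree` constructs the directory layout from the ls listing above in a fresh temp dir so the script runs offline; the modes, user names and date directory are taken from the listing.

```python
"""Audit an Aker-style log tree for world-writable entries (added example)."""
import os
import stat
import tempfile

def _mode_findings(path, mode, log_file_name):
    """Return findings for one entry; each finding is a single descriptive line."""
    perm = stat.S_IMODE(mode)
    if stat.S_ISDIR(mode):
        if perm & stat.S_IWOTH:
            # Without the sticky bit any local user can rename or delete other users' logs.
            sticky = " (sticky bit set)" if perm & stat.S_ISVTX else " (no sticky bit)"
            return [f"{path}: world-writable directory {perm:04o}{sticky}"]
        return []
    if stat.S_ISREG(mode) and perm & stat.S_IWOTH:
        return [f"{path}: world-writable file {perm:04o}"]
    if stat.S_ISREG(mode) and os.path.basename(path) == log_file_name and perm != 0o640:
        return [f"{path}: expected mode 0640, found {perm:04o}"]
    return []

def audit_log_tree(root, log_file_name="aker.log"):
    """Walk root (root itself included) and collect findings; symlinks are skipped."""
    findings = _mode_findings(root, os.lstat(root).st_mode, log_file_name)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISLNK(st.st_mode):
                findings.extend(_mode_findings(full, st.st_mode, log_file_name))
    return findings

def build_sample_tree(root_mode=0o777, day_mode=0o777, log_mode=0o640):
    """Constructed sample mirroring the ls output in the thread, in a new temp dir."""
    root = tempfile.mkdtemp(prefix="aker-audit-")
    os.chmod(root, root_mode)
    day = os.path.join(root, "20180820")
    os.mkdir(day)
    os.chmod(day, day_mode)
    for user in ("jsmith", "anazmy"):
        user_dir = os.path.join(day, user)
        os.mkdir(user_dir)
        os.chmod(user_dir, 0o750)  # per-user session dirs: drwxr-x--- in the listing
    log = os.path.join(root, "aker.log")
    open(log, "w").close()
    os.chmod(log, log_mode)
    return root

if __name__ == "__main__":
    print("\n".join(audit_log_tree(build_sample_tree())))
```

Pass a real directory to `audit_log_tree` (for example `/var/log/aker`) to check a live host; the script never modifies what it inspects.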