Home / ubuntu / Questions / 1134403
In Process
most2
Asked: 2019-04-17 07:23:46 +0800 CST

How to grant non-root user access only to /var/log directory

  • 772

I have newly created non-root(normal) user and want to grant access only to /var/log directory so that the user can view and monitor the logs. The user should not be able to cd/ls or access the /etc directory and do anything else apart from viewing files in /var/log. Is this setup possible?

I have tried to use setfacl -m u:user:--- on the /etc directory, but getting the /etc/profile permission denied error when logging in with the user.

How can i achieve this?

security server permissions restricted-access acl

2 Answers

  1. Method 1 :

    Permission to view log files is granted to users being in the group adm.

    sudo usermod -aG adm <USER>

    Method 2 :

    Use logrotate

    logrotate manual

    create mode owner group Immediately after rotation (before the postrotate script is run) the log file is created (with the same name as the log file just rotated). mode specifies the mode for the log file in octal (the same as chmod(2)), owner specifies the user name who will own the log file, and group specifies the group the log file will belong to. Any of the log file attributes may be omitted, in which case those attributes for the new file will use the same values as the original log file for the omitted attributes. This option can be disabled using the nocreate option.

    Usage :

    /var/log/messages { .... create 444 user group .... }

    Method 3 :

    Just tail it man! Tail whatever log you need.

    tail -f /var/log/messages.log

    I'll use the 3rd method. Because, I'm lazy. (zzzzzz)

    • 3

  2. Read man journalctl, and add the normal user to the systemd-journal or adm groups.

    Alternatively, you could do it the complicated way:

    While restricting access to other directories is (IMHO) silly, here's how you can grant access to parts of /var/log, by adding the normal user to groups. Read man group;man adduser;man find;man xargs;man stat;man sort;man uniq. Note adding a user to a group will give that user group access everywhere on the system.

    # How many unique permission values are there?
# Note that all but 41 allow some sort of group access
walt@bat:~(0)$ sudo find /var/log -print | xargs -r sudo stat -c "%A" | sort | uniq -c | sort -n
[sudo] password for walt: 
      1 drwx------
      1 drwxrwx---
      1 lrwxrwxrwx
      3 drwxr-sr-x
      3 drwxrwxr-x
      3 drwxr-x---
      4 -rw-rw-r--
     13 drwxr-xr-x
     41 -rw-------
     95 -rw-r--r--
    147 -rw-r-----

# What groups are there in /var/log?
walt@bat:~(0)$ sudo find /var/log -print | xargs -r sudo stat -c "%G" | sort | uniq -c | sort -n
      1 debci
      1 lp
      1 ntp
      1 syslog
      1 walt
      2 monkeysphere
      2 www-data
      5 utmp
     33 systemd-journal
    107 adm
    158 root

# Look at the owner and group of the log files and consider
# adding the normal user to these groups

walt@bat:~(0)$ sudo find /var/log -print | xargs -r sudo stat -c "%U %G %n" | sort -u
# 312 lines on MY system - not worth posting

# now, about the 41 that don't allow group access:
walt@bat:~(0)$ sudo find /var/log -perm 0600 -ls
   392396      4 -rw-------   1 root     utmp         1536 Mar 22 09:01 /var/log/btmp.1
   391673      4 -rw-------   1 root     utmp          384 Apr  2 00:43 /var/log/btmp
   394821      0 -rw-------   1 root     root            0 Mar  1  2018 /var/log/dbconfig-common/dbc.log
   424051      4 -rw-------   1 root     root          457 Feb  6  2018 /var/log/dbconfig-common/dbc.log.1
   522427      4 -rw-------   1 root     root         3149 Apr  3 09:04 /var/log/lightdm/seat0-greeter.log.3.gz
   523533      4 -rw-------   1 root     root          828 Feb 17 00:08 /var/log/lightdm/x-1.log.7.gz
   531112      0 -rw-------   1 root     root            0 Apr 14 07:36 /var/log/lightdm/seat0-greeter.log
   522345      4 -rw-------   1 root     root         1002 Apr  2 07:35 /var/log/lightdm/lightdm.log.6.gz
   524257      0 -rw-------   1 root     root            0 Mar 23 08:55 /var/log/lightdm/x-1.log
   523434      4 -rw-------   1 root     root          663 Mar 29 00:50 /var/log/lightdm/x-0.log.7.gz
   527110      4 -rw-------   1 root     root          809 Feb 17 16:19 /var/log/lightdm/x-1.log.6.gz
   523997      4 -rw-------   1 root     root         1402 Apr  2 00:58 /var/log/lightdm/seat0-greeter.log.4.gz
   523443      4 -rw-------   1 root     root         1358 Mar 29 00:55 /var/log/lightdm/lightdm.log.7.gz
   523486      4 -rw-------   1 root     root          206 Apr  6 07:35 /var/log/lightdm/lightdm.log.3.gz
   523363      4 -rw-------   1 root     root         2481 Apr  3 09:14 /var/log/lightdm/lightdm.log.5.gz
   522228      4 -rw-------   1 root     root         2303 Apr  5 10:46 /var/log/lightdm/seat0-greeter.log.2.gz
   527032      4 -rw-------   1 root     root          778 Mar 21 00:49 /var/log/lightdm/x-1.log.3.gz
   523128      4 -rw-------   1 root     root          662 Mar  6 00:15 /var/log/lightdm/x-1.log.5.gz
   524005      4 -rw-------   1 root     root          169 Apr  8 07:35 /var/log/lightdm/lightdm.log.2.gz
   523528      4 -rw-------   1 root     root         1842 Mar 29 00:50 /var/log/lightdm/seat0-greeter.log.5.gz
   522698      4 -rw-------   1 root     root          738 Apr  2 00:58 /var/log/lightdm/x-0.log.6.gz
   523317      4 -rw-------   1 root     root          737 Apr 13 10:07 /var/log/lightdm/x-0.log.1.gz
   523446      4 -rw-------   1 root     root         1231 Apr 14 07:35 /var/log/lightdm/lightdm.log.1.gz
   531103      0 -rw-------   1 root     root            0 Apr 14 07:36 /var/log/lightdm/x-0.log
   523440      4 -rw-------   1 root     root          854 Mar 22 21:57 /var/log/lightdm/x-1.log.1.gz
   522511      4 -rw-------   1 root     root         1801 Mar 28 09:57 /var/log/lightdm/seat0-greeter.log.6.gz
   522497      4 -rw-------   1 root     root          738 Apr  3 09:04 /var/log/lightdm/x-0.log.5.gz
   523402      4 -rw-------   1 root     root           70 Apr  6 00:41 /var/log/lightdm/x-0.log.3.gz
   531094      0 -rw-------   1 root     root            0 Apr 14 07:36 /var/log/lightdm/lightdm.log
   523394      4 -rw-------   1 root     root         1984 Apr  5 10:51 /var/log/lightdm/lightdm.log.4.gz
   523445      4 -rw-------   1 root     root          913 Mar 21 20:45 /var/log/lightdm/x-1.log.2.gz
   522927      4 -rw-------   1 root     root           67 Apr  7 22:08 /var/log/lightdm/x-0.log.2.gz
   523821      4 -rw-------   1 root     root         2017 Mar 26 01:46 /var/log/lightdm/seat0-greeter.log.7.gz
   522883      4 -rw-------   1 root     root         1965 Apr 13 12:49 /var/log/lightdm/seat0-greeter.log.1.gz
   523403      4 -rw-------   1 root     root          800 Mar  6 23:46 /var/log/lightdm/x-1.log.4.gz
   522648      4 -rw-------   1 root     root          771 Apr  5 10:46 /var/log/lightdm/x-0.log.4.gz
   406444    324 -rw-------   1 syslog   adm        331656 Jan 29  2018 /var/log/installer/syslog
   406446      4 -rw-------   1 root     root           19 Jan 29  2018 /var/log/installer/version
   406447      4 -rw-------   1 root     root         1067 Jan 29  2018 /var/log/installer/casper.log
   406448      8 -rw-------   1 root     root         7110 Jan 29  2018 /var/log/installer/debug
   406445    768 -rw-------   1 root     root       785438 Jan 29  2018 /var/log/installer/partman
walt@bat:~(0)$
    • 1