Give access to /var/log/messages to non-root user

Sometimes while debugging our projects, our developers need to check /var/log/messages for some messages that are being syslogged instead of going to the application logs.

To prevent accidental changes on our servers, developers don’t have root access (that is limited to sys admins). From time to time, sys admins get requests to check /var/log/messages for messages that could help identify a problem that is occurring.

Using ACLs we were able to give access to /var/log/messages to the ‘users’ group (where all developers belong).

The steps required were:

  • Ensure the filesystems are mounted with the acl option.

/etc/fstab looked like this before the change:

LABEL=/ / ext4 defaults,noatime 1 1
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
/dev/sda3 none swap sw,comment=cloudconfig 0 0

We need to add the acl option after noatime, so the file becomes:

LABEL=/ / ext4 defaults,noatime,acl 1 1
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
/dev/sda3 none swap sw,comment=cloudconfig 0 0

After making this change we just need to remount the / filesystem:

mount -o remount /

  • Give the users group read access to the file using an ACL:

/usr/bin/setfacl -m g:users:r /var/log/messages

  • Add a postrotate script to /etc/logrotate.conf to ensure we give the same ACL access after /var/log/messages is rotated. We just need to add the following to /etc/logrotate.conf:

# Give access to /var/log/messages to 'users' group after rotate
postrotate
/usr/bin/setfacl -m g:users:r /var/log/messages
endscript
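
To confirm that the users group has read-only access, and that the grant is still there after a rotation, the getfacl output can be checked with a small script. This is an added example, not part of the original post; the function name check_group_acl and the two sample getfacl outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the ACL on /var/log/messages.
# check_group_acl GROUP reads `getfacl` output on stdin and prints one of:
#   ok         GROUP has exactly r-- and the mask lets the read bit through
#   missing    no read entry for GROUP (e.g. file recreated by rotation)
#   too-broad  GROUP was granted write or execute
#   masked     entry exists but the ACL mask strips the read bit
check_group_acl() {
    awk -v grp="$1" -F: '
        /^#/ { next }                          # skip the file/owner/group header lines
        $1 == "group" && $2 == grp { perm = substr($3, 1, 3); found = 1 }
        $1 == "mask"               { mask = substr($3, 1, 3); has_mask = 1 }
        END {
            if (perm ~ /[wx]/)             { print "too-broad"; exit }
            if (!found || perm != "r--")   { print "missing";   exit }
            if (has_mask && mask !~ /^r/)  { print "masked";    exit }
            print "ok"
        }'
}

# Constructed sample: getfacl output right after the setfacl step.
SAMPLE_AFTER_SETFACL='# file: var/log/messages
# owner: root
# group: root
user::rw-
group::---
group:users:r--
mask::r--
other::---'

# Constructed sample: a freshly created file after rotation, ACL entry gone.
SAMPLE_AFTER_ROTATE='# file: var/log/messages
# owner: root
# group: root
user::rw-
group::---
other::---'

# Demo on the constructed samples; prints "ok" then "missing".
# On a real host: getfacl /var/log/messages 2>/dev/null | check_group_acl users
for sample in "$SAMPLE_AFTER_SETFACL" "$SAMPLE_AFTER_ROTATE"; do
    printf '%s\n' "$sample" | check_group_acl users
done
```

A result of missing right after a rotation means the postrotate step did not reapply the ACL.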
