Read only permissions on some Linux logs


I would like to limit a certain user (let's call it logger) to be able to only read some (not all) logfiles (web, PHP framework, radius, etc.). I am not sure how to do it the "best" way.

So far I have a chrooted sftp account for my user and I bind mount into his homedir (/home/logger) the required log folders, e.g.:

/var/log/nginx /home/logger/logs/nginx none _netdev,bind,defaults 0 0

and here are the logs dir permissions:

dr-xr--r-- 5 logger logger 4096 mars 12 10:09 logs

However I had to add this user to certain groups (www-data, freerad).

logger : logger www-data freerad sftp

I don't think this is the proper way to do it. Moreover, the user can delete some files (the www-data group has r+w permissions on the logs from the Symfony app).

Ideally, I wish my user to have the least possible privileges (which means RO, I believe), and still be able to review all the logs he requires access to.

Can you please give me some hints on how you would do such a thing?

Thanks in advance.

EDIT: Following Arribah's answer I have tried to use ACLs, e.g.:

getfacl radius/radius.log

# file: radius/radius.log
# owner: freerad
# group: freerad

logger user is inside logger group:

groups logger

logger : logger sftp

I created a radius dir (in /home/logger):

drwxr-xr-x 2 root root 4096 mars 16 14:29 radius

Then I used some symbolic linking:

lrwxrwxrwx 1 root root 30 mars 16 14:29 radius/radius.log -> /var/log/freeradius/radius.log

Now I try to log via SFTP with logger to his chrooted homedir:

I can see files and folders and folder names; however, if I try to get a file I get a "file not found" error trying to get that file radius/radius.log.

I am really feeling stupid with this issue. :/

Best Answer

If you provide read permission for the user to the logs directory, this does not ensure that the user has read permission (or any other permission) to the files inside it. You need to provide read permission for this user to each log file separately. Most probably this is the reason you needed to add the reader to the specified groups: those groups have group permission on the log files in question. You can ensure that by running

ls -l

in the logs folder and checking which group each file belongs to.

In your scenario, the most correct way to achieve what you ask is by setting ACLs, which is the strongest unix tool for the job.

Have a look at "ACL: Using Access Control Lists on Linux", it is a big blog post but it describes all the steps perfectly and simply enough to get the feeling.

If you need a more quick-n-dirty solution (which I DO NOT recommend, unless you are not in a production environment), you can just take your user out of every group, and then set the 'Others' permission set to r-- (or xx4 in chmod octal representation).

EDIT: I ignored the fact that you're trying to do this on a chrooted environment. In this case, symlinks will not work with ftp (or sftp for that matter) due to the nature of symlinks themselves. A nice explanation lies here, although it seems that I tend to link only big articles.

Nevertheless, you can somewhat achieve the same behavior using mount --bind, which will make the log directory available inside the home dir of the logger user:

mount --bind /var/log /home/logger/logs/

And this will provide you with a logs directory containing everything found inside /var/log. From that point, you can allow the logger group read access only to the specific logs you want and nothing else, so that he won't be able to read e.g. /var/log/auth.log etc. Don't forget to add access to the respective parent folders, because otherwise your user will only be able to access the logs by typing in the full path, which can sometimes be frustrating.
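The following script is an added example, not code from the question or the answer above. It puts the two pieces together: the question's chrooted SFTP setup with bind mounts, and the answer's advice to grant per-file read access with ACLs and to remember the parent folders. The reader account name (logger), the chroot path (/home/logger/logs) and the list of allowed logs are assumptions chosen for the example; it relies on the standard setfacl/getfacl tools from the acl package and on mount/mountpoint from util-linux, and makes changes only when run as root with the argument "apply" (otherwise it just prints the commands it would run).

```shell
#!/bin/sh
# Added example (not from the original post): give a dedicated read-only
# account access to a fixed list of log files through a chrooted SFTP home,
# without adding it to www-data, freerad or any other service group.
# Assumed: user "logger", chroot home /home/logger, ACL-capable filesystem,
# acl package installed. "apply" argument + root privileges make changes.
set -eu

READER=logger
CHROOT_LOGS=/home/logger/logs
# Constructed list of logs the reader may see; edit to match your hosts.
ALLOWED_LOGS="/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/freeradius/radius.log"

# Print the ancestor directories of a path, root-most first. The reader needs
# search (x) on every one of them, or the file is unreachable by name.
ancestor_dirs() {
    p=$(dirname "$1"); out=""
    while [ "$p" != "/" ] && [ "$p" != "." ]; do
        out="$p${out:+ $out}"
        p=$(dirname "$p")
    done
    printf '%s\n' "$out"
}

# Emit the setfacl commands for one log file: search-only (x) on the upper
# ancestors, read+search (rx) on the log's own directory so "ls" works there,
# read-only (r) on the file. No write bit is ever granted, unlike group
# membership in www-data, which carried rw on the Symfony logs.
acl_commands_for() {
    f=$1; dir=$(dirname "$f")
    for d in $(ancestor_dirs "$f"); do
        if [ "$d" = "$dir" ]; then
            printf 'setfacl -m u:%s:rx %s\n' "$READER" "$d"
            # Default ACL: files logrotate creates here inherit the read entry.
            printf 'setfacl -d -m u:%s:r %s\n' "$READER" "$d"
        else
            printf 'setfacl -m u:%s:x %s\n' "$READER" "$d"
        fi
    done
    printf 'setfacl -m u:%s:r %s\n' "$READER" "$f"
}

# fstab line for a read-only bind mount of a log directory into the chroot.
# ("ro" on a bind entry needs a recent util-linux; apply_all uses the portable
# two-step mount + remount instead.)
ro_bind_fstab_line() {
    printf '%s %s none bind,ro 0 0\n' "$1" "$2"
}

apply_all() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    printf '%s\n' $ALLOWED_LOGS | while read -r f; do
        src=$(dirname "$f"); dst="$CHROOT_LOGS/$(basename "$src")"
        mkdir -p "$dst"
        if ! mountpoint -q "$dst"; then
            mount --bind "$src" "$dst"
            mount -o remount,bind,ro "$dst"   # second step makes it read-only
        fi
        acl_commands_for "$f" | sh -e
    done
    # Check from the reader's side: reads must succeed, writes must fail.
    printf '%s\n' $ALLOWED_LOGS | while read -r f; do
        dst="$CHROOT_LOGS/$(basename "$(dirname "$f")")/$(basename "$f")"
        if ! su -s /bin/sh "$READER" -c "head -c 1 '$dst' >/dev/null"; then
            echo "READ FAILED: $dst"
        fi
        if su -s /bin/sh "$READER" -c "echo x >> '$dst'" 2>/dev/null; then
            echo "WRITE ALLOWED: $dst"
        fi
    done
}

case "${1:-}" in
    apply) apply_all ;;
    *)  # dry run: show the ACL commands and fstab lines this would use
        printf '%s\n' $ALLOWED_LOGS | while read -r f; do
            acl_commands_for "$f"
            ro_bind_fstab_line "$(dirname "$f")" "$CHROOT_LOGS/$(basename "$(dirname "$f")")"
        done ;;
esac
```

Two design points: the ACL entries are set on the real files under /var/log, so they are what the user hits through the bind mount, while the ro remount is a second, independent barrier that blocks writes even if an ACL is later widened by mistake; and the default ACL on the log directory is what keeps access working after logrotate creates a fresh file, which a one-off setfacl on the current file would not survive.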
