Is it safe to remove read rights from all /var/log files for others?

0

Am I supposed to be able to revoke read access recursively to /var/log/ for others or will it break some applications which rely on being able to read from /var/log/ with other rights?

Senkaku

Posted 2018-11-22T15:31:35.517

Reputation: 494

What applications do you have installed that read /var/log as another user? – Ramhound – 2018-11-22T16:09:05.163

@Ramhound That basically is the question. Are application developers required to gain the necessary privileges to read from /var/log/* or is it normal to expect to be able to read from /var/log/* with the other privilege? – Senkaku – 2018-11-22T16:24:48.913

What is preventing you from trying your idea? – Ramhound – 2018-11-22T16:34:48.263

@Ramhound Some application could fail silently. I guess I will do it anyway and report here later. – Senkaku – 2018-11-22T16:36:40.157

Answers

1

Many Linux distributions give only limited access to the files under /var/log. However, the directories are mostly accessible.

As far as programs that use files under /var/log, getting info for last logins with last requires (read) access to /var/log/wtmp, so revoking access would break that functionality.

Ljm Dullaart

Posted 2018-11-22T15:31:35.517

Reputation: 922

Thanks for pointing that out to me. Nevertheless I think that is expected behavior because /usr/bin/last tries to access /var/log/lastlog with the permissions of the caller. If executed as root or a member of utmp in Ubuntu, last is still able to perform. – Senkaku – 2018-11-22T21:18:20.650
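As an added example (not code from the thread above), the following POSIX shell script does what the question is really asking for in a checkable way: it lists which regular files under a log directory are still readable by "others", revokes that bit on files only (leaving directories as they are, matching the answer's observation that distributions keep the directories accessible), and then re-counts so you can confirm nothing was missed. By default it operates on a constructed temporary tree that imitates a /var/log layout (the file names and modes in `make_sample_logdir` are assumptions for the dry run), so it is safe to execute as-is; point `revoke_other_read` at the real /var/log only after reviewing the listing.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Audit and revoke the "other" read bit on files under a log directory.

# Print regular files under $1 whose mode has the o+r bit (octal 004) set.
list_other_readable() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# Number of regular files under $1 still readable by others; 0 means done.
count_other_readable() {
    list_other_readable "$1" | wc -l | tr -d ' '
}

# Revoke o+r on regular files only. Directories are deliberately untouched:
# stripping r/x from a directory would block path traversal for every
# unprivileged process, which is a much larger change than hiding file contents.
revoke_other_read() {
    find "$1" -type f -perm -004 -exec chmod o-r {} +
}

# Build a constructed scratch tree that resembles a /var/log layout
# (assumed names and modes; this is sample data, not a real system's state).
make_sample_logdir() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/apt"
    : > "$dir/syslog";          chmod 0640 "$dir/syslog"           # already restricted
    : > "$dir/wtmp";            chmod 0664 "$dir/wtmp"             # what last(1) reads
    : > "$dir/apt/history.log"; chmod 0644 "$dir/apt/history.log"  # world-readable
    printf '%s\n' "$dir"
}

# Functional check from the thread: does last(1) still work for the calling
# user after the change? Only meaningful on a real system where last exists.
check_last_works() {
    command -v last >/dev/null 2>&1 || { echo "last(1) not installed; skipping"; return 0; }
    if last -n 1 >/dev/null 2>&1; then
        echo "last(1) works for $(id -un)"
    else
        echo "last(1) FAILED for $(id -un): it cannot read wtmp with your permissions"
    fi
}

# Dry run on the constructed tree: ./audit_log_perms.sh --demo
case "${1-}" in
--demo)
    logdir=$(make_sample_logdir)
    echo "Before: $(count_other_readable "$logdir") file(s) readable by others"
    list_other_readable "$logdir"
    revoke_other_read "$logdir"
    echo "After:  $(count_other_readable "$logdir") file(s) readable by others"
    check_last_works
    rm -rf "$logdir"
    ;;
esac
```

Note that `find -perm -004` tests the mode bits, not whether you personally can read the file, so the count is the same whether you run it as root or as an ordinary user; the `check_last_works` step is the part that answers the original question for the user you actually care about.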