What program specifically sets /var/log/boot.log to 644 perms in RHEL/Centos 6?

I’ve been assigned to lock down all /var/log files so that they cannot be read except by the root user. I’ve been stumped by the /var/log/boot.log file. It seems that after every boot the file, no matter what its previous permission state was, gets set to 644 permissions.

I’ve gone through the exercise of changing the umask in a number of key /etc/init.d files and functions to no avail.

Anybody got any idea as to the specific program doing this and maybe how to get the perms on /var/log/boot.log to be 600?

Answers:


Method 1

Via fgrep -r boot.log /usr, it is plymouth that is to blame. The plymouth manual page is uh kinda lacking on Centos 6, though a romp through the source code does show that there is a no_boot_log option, apparently that can be set by passing no-boot-log somewhere (assuming you’re okay with no logs from plymouth). Ah! With more digging there is a world_readable flag that twiddles the mode used for the open(2) call, except this is set only as the third argument to

        log_is_opened = ply_logger_open_file (session->logger, filename, true);

Sad trombone. Anyways, you’ll probably be fiddling with the initrd image to customize this, or maybe filing bug reports with RedHat to a) write some damn docs so that less source code spelunking is required and b) offer an option somehow to configure that mode perhaps via kernel arg or something.

Method 2

Upon contacting RHEL support for an answer here….

RHEL verifies that plymouth is to blame.

They point to a solutions document (https://access.redhat.com/site/solutions/66805 — restricted to RHEL subscribers) that verifies that although there is a flag in the source code to open/create the log in a more restrictive mode, there is no way to set that flag from the outside (i.e. no option) as it is hardcoded to be world-readable.

The RHEL support document further indicates that putting a chmod in /etc/rc.d/rc.local scripting would be the way to make the permission change I desire.

Bummer!
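Since both answers end with plymouth hardcoding a world-readable boot.log and RHEL support pointing at /etc/rc.d/rc.local as the workaround, here is an added example (not code from either answer or from Red Hat) of the kind of script you would call from rc.local: it re-restricts the file, and it also audits a whole log directory for anything else readable by group or others, which is the original assignment. The directory and file paths are parameters so the functions can be exercised against a scratch directory; the real call would be harden_log /var/log/boot.log (or harden_log_dir /var/log) from rc.local, and it assumes GNU stat/find as shipped on RHEL/CentOS 6.

```shell
#!/bin/sh
# Added example, not part of the original Q&A. Assumes GNU coreutils/findutils
# (stat -c, find -perm /MODE) as on RHEL/CentOS 6. Paths are passed in so the
# functions can be tested on a temporary directory instead of /var/log.

# Print the octal permission bits of a file, e.g. 644.
mode_of() {
    stat -c '%a' "$1"
}

# Restrict one log file to root read/write only (0600). The file is created
# if it does not exist yet so the restrictive mode is already in place when
# a later writer (such as plymouth) merely appends to it; note that plymouth
# re-creates boot.log world-readable on every boot, so this must run after
# it, which is why rc.local (run late in boot) is the suggested place.
harden_log() {
    log="$1"
    [ -e "$log" ] || : > "$log"
    chmod 600 "$log"
}

# Audit: list regular files under a directory that are readable by group or
# others (any of the 044 bits set). Run this after boot to catch files whose
# permissions were reset by their writer; an empty result is the goal.
world_readable_logs() {
    find "$1" -type f -perm /044 2>/dev/null | sort
}

# Restrict every group/other-readable regular file under a directory to 0600
# and print how many files were changed.
harden_log_dir() {
    dir="$1"
    before=$(world_readable_logs "$dir" | wc -l)
    find "$dir" -type f -perm /044 -exec chmod 600 {} + 2>/dev/null
    after=$(world_readable_logs "$dir" | wc -l)
    echo $((before - after))
}

# Stand-alone use: harden_logs.sh /var/log   (prints the number of files fixed)
if [ -n "${1:-}" ]; then
    harden_log_dir "$1"
fi
```

A one-liner such as chmod 600 /var/log/boot.log in /etc/rc.d/rc.local covers the single file the question asks about; the audit function is there because "fixed at boot" is only trustworthy if something checks the result, for example from a cron job or a configuration-management run that reports when world_readable_logs prints anything.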


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
