RedHat/CentOS weird permissions.
For a variety of reasons, we shifted from Debian-based servers here at work to CentOS ones. Fortunately us devs are experienced at working in either, but there are some RH/CentOS anomalies that are a little weird.

Principal one is that /var/log/httpd is by default not world-readable. And something keeps resetting this, which is annoying as the whole reason us devs have access to these machines is viewing the logs.

Anyone know why and how to disable this? I can't find anything useful about this with Google.

Wade.
Per standard security setup, /var/log/httpd is not world readable
Perms should be 750. Sounds like you have been breaking the security model and someone/thing keeps fixing it.
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 59 years. meep
And that is pretty much the same on Debian
The Apache log permissions are 640.
It's not? This is news to me!
And CentOS/RH resets it to 700, not 750.

Why does the security model say it shouldn't be world-readable? A number of other logs are. More pertinent, why would CentOS/RH say it can't even be group-readable?

Wade.
In debug mode, logs carry identifiable data
For the reset - check logrotate
If you see the permissions reset on the historical logs, most likely, logrotate has been set up with explicit permissions for the httpd log.
Ooh. Wasn't aware logrotate could do that. Thanks!
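
One way to follow up on the logrotate suggestion above, as an added example that is not part of the original thread: a small parser that reports which `create` directive (stanza-level or inherited global) applies to a given log path. The sample config is constructed, the function names are hypothetical, and pattern matching is approximated with `fnmatch`; note that `create` sets the mode of the recreated log file, not of the directory.

```python
import fnmatch
import re

# Constructed sample config; not taken from the thread or from a real host.
SAMPLE_CONF = """\
create 0644 root root
/var/log/httpd/*log {
    create 0600 root root
    postrotate
        /bin/systemctl reload httpd.service > /dev/null 2>&1 || true
    endscript
}
/var/log/app/*.log {
    weekly
}
"""

SCRIPT_OPENERS = {"prerotate", "postrotate", "firstaction", "lastaction", "preremove"}

def parse_create(source, args):
    """Turn the arguments of a 'create' line into (source, mode, owner, group)."""
    mode = None
    if args and re.fullmatch(r"[0-7]{3,4}", args[0]):   # mode is optional
        mode, args = int(args[0], 8), args[1:]
    return (source, mode, args[0] if args else None, args[1] if len(args) > 1 else None)

def effective_create(conf_text, log_path):
    """Return the 'create' rule covering log_path, or None if none applies."""
    global_create, stanza_create = None, None
    patterns, in_script = None, False          # patterns is None at top level
    for raw in conf_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if in_script:                          # skip shell lines until endscript
            in_script = words[0] != "endscript"
        elif patterns is None and words[-1] == "{":
            patterns, stanza_create = words[:-1], None
        elif words[0] == "}" and patterns is not None:
            if any(fnmatch.fnmatch(log_path, p) for p in patterns):
                # a stanza-level rule overrides the global default seen so far
                return stanza_create or global_create
            patterns = None
        elif words[0] in SCRIPT_OPENERS:
            in_script = True
        elif words[0] == "create" and patterns is None:
            global_create = parse_create("global", words[1:])
        elif words[0] == "create":
            stanza_create = parse_create("stanza", words[1:])
    return None
```

On a real host the text to feed in would be `/etc/logrotate.conf` followed by the files it includes from `/etc/logrotate.d/`; `mode & 0o004` on the result tells you whether the recreated file ends up world-readable.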
     RedHat/CentOS weird permissions. - (static) - (6)
         per standard security setup, /var/log/httpd is not world readable - (boxley) - (3)
             And that is pretty much the same on Debian - (scoenye)
             It's not? This is news to me! - (static) - (1)
                 in debug mode logs carry identifiable data -NT - (boxley)
         For the reset - check logrotate - (scoenye) - (1)
             Ooh. Wasn't aware logrotate could do that. Thanks! -NT - (static)