Is it safe to remove read rights from all /var/log files for others?

Multi tool use
Multi tool use











up vote
0
down vote

favorite












Am I supposed to be able to revoke read access recursively to /var/log/ for others or will it break some applications which rely on being able to read from /var/log/ with other rights?






linux logging access-control







share|improve this question
























  • What applications do you have installed that read /var/log as another user?
    – Ramhound
    Nov 22 at 16:09










  • @Ramhound That basically is the question. Are application developers required to gain the necessary privileges to read from /var/log/* or is it normal to expect to be able to read from /var/log/* with the other privilege?
    – Senkaku
    Nov 22 at 16:24












  • What is preventing you from trying your idea?
    – Ramhound
    Nov 22 at 16:34










  • @Ramhound Some application could fail silently. I guess I will do it anyway and report here later.
    – Senkaku
    Nov 22 at 16:36















up vote
0
down vote

favorite












Am I supposed to be able to revoke read access recursively to /var/log/ for others or will it break some applications which rely on being able to read from /var/log/ with other rights?






linux logging access-control







share|improve this question
























  • What applications do you have installed that read /var/log as another user?
    – Ramhound
    Nov 22 at 16:09










  • @Ramhound That basically is the question. Are application developers required to gain the necessary privileges to read from /var/log/* or is it normal to expect to be able to read from /var/log/* with the other privilege?
    – Senkaku
    Nov 22 at 16:24












  • What is preventing you from trying your idea?
    – Ramhound
    Nov 22 at 16:34










  • @Ramhound Some application could fail silently. I guess I will do it anyway and report here later.
    – Senkaku
    Nov 22 at 16:36













up vote
0
down vote

favorite









up vote
0
down vote

favorite











Am I supposed to be able to revoke read access recursively to /var/log/ for others or will it break some applications which rely on being able to read from /var/log/ with other rights?






linux logging access-control







share|improve this question















Am I supposed to be able to revoke read access recursively to /var/log/ for others or will it break some applications which rely on being able to read from /var/log/ with other rights?






linux logging access-control




linux logging access-control






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 22 at 16:23









harrymc

248k10257548




248k10257548










asked Nov 22 at 15:31









Senkaku

3141315




3141315












  • What applications do you have installed that read /var/log as another user?
    – Ramhound
    Nov 22 at 16:09










  • @Ramhound That basically is the question. Are application developers required to gain the necessary privileges to read from /var/log/* or is it normal to expect to be able to read from /var/log/* with the other privilege?
    – Senkaku
    Nov 22 at 16:24












  • What is preventing you from trying your idea?
    – Ramhound
    Nov 22 at 16:34










  • @Ramhound Some application could fail silently. I guess I will do it anyway and report here later.
    – Senkaku
    Nov 22 at 16:36


















  • What applications do you have installed that read /var/log as another user?
    – Ramhound
    Nov 22 at 16:09










  • @Ramhound That basically is the question. Are application developers required to gain the necessary privileges to read from /var/log/* or is it normal to expect to be able to read from /var/log/* with the other privilege?
    – Senkaku
    Nov 22 at 16:24












  • What is preventing you from trying your idea?
    – Ramhound
    Nov 22 at 16:34










  • @Ramhound Some application could fail silently. I guess I will do it anyway and report here later.
    – Senkaku
    Nov 22 at 16:36
















What applications do you have installed that read /var/log as another user?
– Ramhound
Nov 22 at 16:09




What applications do you have installed that read /var/log as another user?
– Ramhound
Nov 22 at 16:09












@Ramhound That basically is the question. Are application developers required to gain the necessary privileges to read from /var/log/* or is it normal to expect to be able to read from /var/log/* with the other privilege?
– Senkaku
Nov 22 at 16:24






@Ramhound That basically is the question. Are application developers required to gain the necessary privileges to read from /var/log/* or is it normal to expect to be able to read from /var/log/* with the other privilege?
– Senkaku
Nov 22 at 16:24














What is preventing you from trying your idea?
– Ramhound
Nov 22 at 16:34




What is preventing you from trying your idea?
– Ramhound
Nov 22 at 16:34












@Ramhound Some application could fail silently. I guess I will do it anyway and report here later.
– Senkaku
Nov 22 at 16:36




@Ramhound Some application could fail silently. I guess I will do it anyway and report here later.
– Senkaku
Nov 22 at 16:36










1 Answer
1






active

oldest

votes

















up vote
1
down vote













Many Linux distributions give only limited access to the files under /var/log. However, the directories are mostly accessible.



As far as programs that use files under var/log, getting info for last logins with last requires (read) access to /var/log/wtmp, so revoking access would break that functionality.






share|improve this answer





















  • Thanks for pointing that out to me. Nevertheless I think that is expected behavior because /usr/bin/last tries to access /var/log/lastlog with the permissions of the caller. If executed as root or a member of utmp in Ubuntu last is still able to perform.
    – Senkaku
    Nov 22 at 21:18













Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














 

draft saved


draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1377606%2fis-it-safe-to-remove-read-rights-from-all-var-log-files-for-others%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
1
down vote













Many Linux distributions give only limited access to the files under /var/log. However, the directories are mostly accessible.



As far as programs that use files under var/log, getting info for last logins with last requires (read) access to /var/log/wtmp, so revoking access would break that functionality.






share|improve this answer





















  • Thanks for pointing that out to me. Nevertheless I think that is expected behavior because /usr/bin/last tries to access /var/log/lastlog with the permissions of the caller. If executed as root or a member of utmp in Ubuntu last is still able to perform.
    – Senkaku
    Nov 22 at 21:18

















up vote
1
down vote













Many Linux distributions give only limited access to the files under /var/log. However, the directories are mostly accessible.



As far as programs that use files under var/log, getting info for last logins with last requires (read) access to /var/log/wtmp, so revoking access would break that functionality.






share|improve this answer





















  • Thanks for pointing that out to me. Nevertheless I think that is expected behavior because /usr/bin/last tries to access /var/log/lastlog with the permissions of the caller. If executed as root or a member of utmp in Ubuntu last is still able to perform.
    – Senkaku
    Nov 22 at 21:18















up vote
1
down vote










up vote
1
down vote









Many Linux distributions give only limited access to the files under /var/log. However, the directories are mostly accessible.



As far as programs that use files under var/log, getting info for last logins with last requires (read) access to /var/log/wtmp, so revoking access would break that functionality.






share|improve this answer












Many Linux distributions give only limited access to the files under /var/log. However, the directories are mostly accessible.



As far as programs that use files under var/log, getting info for last logins with last requires (read) access to /var/log/wtmp, so revoking access would break that functionality.







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 22 at 20:59









Ljm Dullaart

54925




54925












  • Thanks for pointing that out to me. Nevertheless I think that is expected behavior because /usr/bin/last tries to access /var/log/lastlog with the permissions of the caller. If executed as root or a member of utmp in Ubuntu last is still able to perform.
    – Senkaku
    Nov 22 at 21:18




















  • Thanks for pointing that out to me. Nevertheless I think that is expected behavior because /usr/bin/last tries to access /var/log/lastlog with the permissions of the caller. If executed as root or a member of utmp in Ubuntu last is still able to perform.
    – Senkaku
    Nov 22 at 21:18


















Thanks for pointing that out to me. Nevertheless I think that is expected behavior because /usr/bin/last tries to access /var/log/lastlog with the permissions of the caller. If executed as root or a member of utmp in Ubuntu last is still able to perform.
– Senkaku
Nov 22 at 21:18






Thanks for pointing that out to me. Nevertheless I think that is expected behavior because /usr/bin/last tries to access /var/log/lastlog with the permissions of the caller. If executed as root or a member of utmp in Ubuntu last is still able to perform.
– Senkaku
Nov 22 at 21:18




















 

draft saved


draft discarded



















































 


draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1377606%2fis-it-safe-to-remove-read-rights-from-all-var-log-files-for-others%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Ou42jG7adRKQfjpeUG8QlZmwyTzuBMTEn9bKt32VOUaz XEUDAjJqN82u,u 53IOtYrZ4Cj IQwr0
-
0Rv,u,a5CMBYMsqh9nVvuqGvc1hqQpfjEWsCfjuS6thBIDnp05pzhLFLty2WIX8E0bi8Iw srbC

Popular posts from this blog

Sometime when accessing a menu: “Ubuntu 16.04 has experienced an internal error”

Image
0 Sometime, when I try to access some menu (may be inside an application or desktop, doesn't matter), I got the following error. The menu and submenu disappear for a while. After that, I can continue using the system. And the lspci gave me the following output: $ lspci -k | grep -EA3 'VGA|3D|Display' 00:02.0 VGA compatible controller: Intel Corporation Haswell-ULT Integrated Graphics Controller (rev 0b) DeviceName: Onboard IGD Subsystem: Dell Haswell-ULT Integrated Graphics Controller Kernel driver in use: i915 unity compiz error-handling share | improve this question edited Mar 5 at 16:09 ...
Read more

Santo António de Lisboa

Image
  Nota: Para outros significados, veja Santo António. Santo António de Lisboa Santo António com o Menino Jesus em pintura de Stephan Kessler Frade Franciscano e Doutor da Igreja ( Doctor Evangelicus ) Nascimento 15 de agosto de 1191 em Lisboa, Portugal Morte 13 de junho de 1231 (39 anos) em Pádua, Itália Veneração por Igreja Católica Religiões Afro-Brasileiras Beatificação 1232, Roma por Papa Gregório IX Canonização 30 de Maio de 1232, Catedral de Espoleto por Papa Gregório IX Principal templo Igreja de Santo António de Lisboa, Lisboa, Portugal e Basílica de Santo António de Pádua, Pádua, Itália Festa litúrgica 13 de Junho Atribuições livro, pão, Menino Jesus e lírio Padroeiro Portugal, Lisboa (orago da cidade), Pádua, pobres, mulheres grávidas, casais, pessoas que desejam encontrar objectos perdidos, oprimidos, das cidades de Governador Valadares, Recife, Osasco e Diamantina no Brasil. Portal dos San...
Read more

José Alencar

Image
  Nota: Para outros significados, veja José Alencar (desambiguação). José Alencar José Alencar como vice-presidente do Brasil. 23º Vice-presidente do Brasil Período 1º de janeiro de 2003 a 1º de janeiro de 2011 Presidente Luiz Inácio Lula da Silva Antecessor Marco Maciel Sucessor Michel Temer 4º Ministro da Defesa do Brasil Período 8 de novembro de 2004 a 31 de março de 2006 Presidente Luiz Inácio Lula da Silva Antecessor José Viegas Filho Sucessor Waldir Pires Senador por Minas Gerais Período 1º de fevereiro de 1999 a 14 de dezembro de 2002 Antecessor Júnia Marise Sucessor Aelton Freitas Dados pessoais Nome completo José Alencar Gomes da Silva Nascimento 17 de outubro de 1931 Muriaé, MG Morte 29 de março de 2011 (79 anos) São Paulo, SP Nacionalidade brasileiro Progenitores Mãe: Dolores Peres Gomes da Silva Pai: Antônio Gomes da Silva Cônjuge Mar...
Read more