Ranga Nathan wrote:
> I need to scan the /var/log/messages to provide some tracing info through
> a CGI.

Is what you are looking for in /var/log/messages a static pattern, or is it being specified or otherwise dependent on the interactions with the CGI script?

> The catch is /var/log/messages is readable only by root and
> rightfully so. But I do need 'nobody' to be able to scan it.

And Gyepi SAM writes:
> 1. Change the permissions on the file so it is world readable
> 2. If #1 is too permissive, change the group owner and put nobody in
> that group.
> 3. Modify /etc/syslog.conf so syslog writes to an
> alternate/additional file that is readable by nobody.
...
> 5. Write a cron driven script that will scan the log file and write the
> results to another file that nobody can read.

All of those degrade security in a broad way, especially in a shared server environment.

> 4. Write or find an suid program/daemon/server to provide read access
> to the log file.

This is the approach I'd recommend.

setUID CGI scripts were fairly common back in the early days before every CGI was hooked up to a database, and you wanted to have data files that weren't accessible by any user of the system that could run a CGI script.

Apache's suexec(8) (http://httpd.apache.org/docs/suexec.html) largely solves this problem, though it wouldn't be a good solution here, where you want to run as root.

I'd recommend creating a small program that specifically extracts the data you want from /var/log/messages (which presumably is safe to display publicly), and set it to run setUID as root. Your script could write to a file, or more likely to STDOUT. Then call it from your existing CGI running as nobody.

-Tom

--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: https://www.linkedin.com/e/fps/3452158/

Boston-pm mailing list
http://mail.pm.org/mailman/listinfo/boston-pm
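A minimal setuid-root helper of the kind recommended above, as an added example (not code from anyone in this thread). The compiled-in pattern `kernel:`, the fixed log path, and the sample lines in `demo_count()` are all assumptions made for illustration; the point is that the privileged program takes no input from the CGI, opens the file, drops root, and only then writes the filtered lines to STDOUT.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define LOG_PATH "/var/log/messages"
#define MAX_LINE 4096
/* Compiled-in pattern (an assumption here): the calling CGI cannot change
   it, so no request data ever reaches this privileged program. */
static const char *PATTERN = "kernel:";
/* Decide whether one log line may be exposed. Pure, so easy to test. */
int line_matches(const char *line, const char *pattern)
{
    return strstr(line, pattern) != NULL;
}

/* Copy matching lines from `in` to `out`; returns the number copied.
   fgets() bounds each read, so an over-long line is split, not overflowed. */
int extract_matching(FILE *in, FILE *out, const char *pattern)
{
    char buf[MAX_LINE];
    int n = 0;
    while (fgets(buf, sizeof buf, in) != NULL)
        if (line_matches(buf, pattern) && fputs(buf, out) >= 0)
            n++;
    return n;
}

/* Self-check on constructed sample lines (not real log data). */
int demo_count(void)
{
    static const char sample[] =
        "Mar  1 10:00:01 host sshd[123]: Accepted publickey for alice\n"
        "Mar  1 10:00:02 host kernel: eth0: link up\n"
        "Mar  1 10:00:03 host kernel: eth0: link down\n";
    FILE *in = tmpfile();
    int n = -1;
    if (in == NULL) return n;
    if (fputs(sample, in) >= 0) { rewind(in); n = extract_matching(in, stdout, PATTERN); }
    fclose(in);
    return n;
}
int main(void)
{
    FILE *in = fopen(LOG_PATH, "r");   /* the only step that needs root */
    if (in == NULL) { perror(LOG_PATH); return 1; }
    /* Drop root permanently before doing anything else. */
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) { perror("setuid"); return 1; }
    extract_matching(in, stdout, PATTERN);
    return fclose(in) == 0 ? 0 : 1;
}
```

Install it owned by root with the setuid bit and execute permission limited to the web server's group (e.g. `chown root:nobody helper && chmod 4750 helper`), so only the CGI user can run it and every other user of the box stays locked out of the log.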

