Package: salt-minion
Version: 2014.1.13+ds-2
Severity: normal
Tags: patch

The adm group is good for viewing all the log files in /var/log and therefore should get read access to /var/log/salt/minion. That is done by creating the log file with permission 640 and setting the setgid permission bit for the /var/log/salt directory.
A patch against your master branch is attached. debian/patches/make-log-file-group-readable.patch is a backport of the patch that was accepted upstream (in their develop branch).

PS: Version 2014.7.1+ds-3 is in your master branch, but experimental contains only 2014.7.0+ds-2. Did you forget to upload the package or do you need a sponsor?

--
Benjamin Drung
Debian Developer & System Developer
ProfitBricks GmbH - The IaaS-Company
Greifswalder Str. 207
D - 10405 Berlin
Mail: benjamin.dr...@profitbricks.com
Fax: +49 30 577 008 598
URL: http://www.profitbricks.com
Registered office: Berlin. Court of registration: Amtsgericht Charlottenburg, HRB 125506 B. Managing directors: Andreas Gauger, Achim Weiss.
>From e72d6ee3958d6a0642c7e652b58ad34b5e64a0f0 Mon Sep 17 00:00:00 2001 From: Benjamin Drung <benjamin.dr...@profitbricks.com> Date: Wed, 11 Feb 2015 10:27:57 +0100 Subject: [PATCH] Make /var/log/salt/minion redable by adm group The adm group is good for viewing all the log files in /var/log and therefore should get read access to /var/log/salt/minion. That is done by creating the log file with permission 640 and setting the setgid permission bit for the /var/log/salt directory. --- debian/patches/make-log-file-group-readable.patch | 23 +++++++++++++++++++++++ debian/patches/series | 1 + debian/rules | 5 +++++ 3 files changed, 29 insertions(+) create mode 100644 debian/patches/make-log-file-group-readable.patch diff --git a/debian/patches/make-log-file-group-readable.patch b/debian/patches/make-log-file-group-readable.patch new file mode 100644 index 0000000..192685a --- /dev/null +++ b/debian/patches/make-log-file-group-readable.patch @@ -0,0 +1,23 @@ +From 7cd688e6490a410ee62a1461857055aaa4309bc2 Mon Sep 17 00:00:00 2001 +From: Benjamin Drung <benjamin.dr...@profitbricks.com> +Date: Fri, 6 Feb 2015 17:00:58 +0100 +Subject: [PATCH] Make log file group readable + +The log file can only read and written by root. Making the log file group +readable allows users belonging to this group to read the salt log without +becoming root first. +--- + salt/cli/daemons.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/salt/__init__.py ++++ b/salt/__init__.py +@@ -209,7 +209,7 @@ + 'udp://', + 'file://')): + # Logfile is not using Syslog, verify +- current_umask = os.umask(0077) ++ current_umask = os.umask(0o027) + verify_files([logfile], self.config['user']) + os.umask(current_umask) + except OSError as err: diff --git a/debian/patches/series b/debian/patches/series index b4dd411..2458311 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -2,3 +2,4 @@ doc_fixes prevent_intersphinx_network_access fix_2014.1.6_releasenotes missing_locale_dir +make-log-file-group-readable.patch diff --git a/debian/rules b/debian/rules index c3f16d3..ba5148d 100755 --- a/debian/rules +++ b/debian/rules @@ -15,3 +15,8 @@ override_dh_auto_build: override_dh_auto_clean: make -C doc clean dh_auto_clean + +override_dh_fixperms: + dh_fixperms + chmod 2750 debian/salt-common/var/log/salt + chown root:adm debian/salt-common/var/log/salt -- 2.1.0
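Review bot: In the embedded make-log-file-group-readable.patch, the os.umask(0o027) change only takes effect when verify_files creates the log file, so a /var/log/salt/minion left over from an earlier install is not covered by this hunk and would keep whatever mode and group it already has. If upgraded systems are meant to end up with a 640 root:adm log as the description says, add a one-time chmod/chgrp of the existing file (in a maintainer script, for example) or state that only fresh installs are affected. Separately, the patch header's diffstat names salt/cli/daemons.py while the hunk applies to salt/__init__.py; since this is a backport, the header should say so and the stale diffstat should be corrected or dropped.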
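Review bot: In the debian/rules hunk, chmod 2750 and chown root:adm are applied to debian/salt-common/var/log/salt, a directory shipped by salt-common, so the setgid bit makes every file created there inherit group adm, not only the minion log named in the subject line. If other Salt daemons log into the same directory and go through the same umask code path, their logs become adm-readable as well; either state that scope in the commit message or confirm that those logs are acceptable for adm to read. Mode 2750 also leaves the group without write permission and others without any access, and the first hunk passes self.config['user'] to verify_files, so it is worth confirming that a daemon configured to run as a non-root user can still reach and write its log file under this directory.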