On Wed, 2019-04-24 at 16:08 +0200, wf...@niif.hu wrote:
> Hi,
>
> Make install creates /var/log/pacemaker with mode 0770, owned by
> hacluster:haclient. However, if I create the directory as root:root
> instead, pacemaker.log appears as hacluster:haclient all the same.
> What breaks in this setup besides log rotation (which can be fixed by
> removing the su directive)? Why is it a good idea to let the haclient
> group write the logs?

Cluster administrators are added to the haclient group. It's a minor use case, but the group write permission allows such users to run commands that log to the detail log. An example would be running "crm_resource --force-start" for a resource agent that writes debug information to the log.

If ACLs are not in use, such users already have full read/write access to the CIB, so being able to read and write the log is not an additional concern.

With ACLs, I could see wanting to change the permissions, and that idea has come up already. One approach might be to add a PCMK_log_mode option that would default to 0660, and users could make it more strict if desired.

-- 
Ken Gaillot <kgail...@redhat.com>
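
An added example, not part of the original message or of Pacemaker: a shell audit of the log directory discussed above that reports mode and ownership for the directory and its logs, flags group-write and other-access bits, and lists the haclient members who gain that access. It assumes GNU stat and getent are available; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report who can write the Pacemaker detail log.
# Assumptions: GNU stat and getent are available; function names are hypothetical.
LOG_DIR="${LOG_DIR:-/var/log/pacemaker}"   # directory named in the thread

# Print "<mode> <owner>:<group> <path> [flags]" for one file or directory.
audit_path() {
    mode=$(stat -c '%a' "$1") || return 2
    owner=$(stat -c '%U:%G' "$1") || return 2
    flags=""
    # stat prints the mode in octal; the leading 0 makes the shell parse it as octal.
    if [ $(( 0$mode & 0020 )) -ne 0 ]; then flags="$flags GROUP_WRITE"; fi
    if [ $(( 0$mode & 0007 )) -ne 0 ]; then flags="$flags OTHER_ACCESS"; fi
    printf '%s %s %s%s\n' "$mode" "$owner" "$1" "$flags"
}

# Audit the directory itself and every *.log file inside it.
audit_log_dir() {
    audit_path "$1" || return 2
    for f in "$1"/*.log; do
        [ -e "$f" ] || continue     # the glob matched nothing
        audit_path "$f"
    done
}

# List accounts that get access through the group. Only supplementary members
# are shown; accounts whose primary group is the given group are not listed here.
group_members() {
    getent group "$1" | cut -d: -f4 | tr ',' '\n'
}

# Run the audit only where the directory exists, so the script is safe anywhere.
if [ -d "$LOG_DIR" ]; then
    audit_log_dir "$LOG_DIR"
    echo "haclient members:"
    group_members haclient
fi
```

A GROUP_WRITE flag on a path owned by hacluster:haclient is the default the message describes; OTHER_ACCESS on the directory or a log is the finding to follow up.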