This is infuriating me. I have a basic rsyslog.d customization to write a dedicated log file for a service, but the file ownership is all ??? when I try to read it as a non-root user. I feel it’s a mystery worth asking SF.
Here’s my rsyslog.d:
$template BlackXmlTransfer,"/var/log/sphyrna/black-xml.log"
:programname, startswith, "black-xml." ?BlackXmlTransfer
I restart rsyslogd and try to check the log file. Permission denied as a user, but sudo is ok. Note the file permissions wouldn’t allow the user to read the file anyways.
$ ls -al /var/log/sphyrna
ls: cannot open directory /var/log/sphyrna: Permission denied
sudo ls -al /var/log/sphyrna
total 8
drwx------. 2 root root 27 Oct 30 16:37 .
drwxr-xr-x. 9 root root 4096 Oct 30 16:37 ..
-rwx------. 1 root root 267 Oct 30 16:37 black-xml.log
So I update my rsyslog.d with dir and file create modes:
$DirCreateMode 0744
$FileCreateMode 0744
I stop rsyslog, delete the log directory and files, start and no change in permissions:
$ sudo ls -al /var/log/sphyrna
total 8
drwx------. 2 root root 27 Oct 30 16:29 .
drwxr-xr-x. 9 root root 4096 Oct 30 16:29 ..
-rwx------. 1 root root 123 Oct 30 16:29 black-xml.log
After some digging, it seems that if UMask is set in the rsyslog.service it’ll override any file permission changes in the rsyslog.d file (correct me if I’m wrong, please!):
sudo vi /usr/lib/systemd/system/rsyslog.service
# Comment out UMask to start
#UMask 0066
Restart rsyslog. File permissions are different!
$ sudo ls -al /var/log/sphyrna
total 8
drwxr--r--. 2 root root 27 Oct 30 16:30 .
drwxr-xr-x. 9 root root 4096 Oct 30 16:30 ..
-rwxr--r--. 1 root root 265 Oct 30 16:30 black-xml.log
But not for a user. Anyone but root gets denied with question marks?!?
$ ls -al /var/log/sphyrna
ls: cannot access /var/log/sphyrna/.: Permission denied
ls: cannot access /var/log/sphyrna/..: Permission denied
ls: cannot access /var/log/sphyrna/black-xml.log: Permission denied
total 0
d????????? ? ? ? ? ? .
d????????? ? ? ? ? ? ..
-????????? ? ? ? ? ? black-xml.log
What am I doing wrong? Is it an rsyslog write mode thing and the file (and directory?) is write locked? How am I supposed to cat the log file outside of sudo’ing every time?
Also I don’t think I should be removing the UMask from rsyslog.service. That was just an experiment. Any tips are 1000% welcome!
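
Added example, not part of the original post: it creates a directory and file under each umask and mode combination shown above, to show how the kernel masks the requested modes and why a directory that is readable but not searchable produces the `?????????` listing. It assumes systemd falls back to its default umask of 0022 once the UMask line is commented out; the 0755/0644 pair is a suggested setting, not something the post uses.

```python
import os
import stat
import tempfile


def create_with_umask(umask, dir_mode, file_mode):
    """Create a dir and file with requested modes, as a daemon would via
    mkdir()/open(), and return the modes the kernel actually applied."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            d = os.path.join(tmp, "sphyrna")
            os.mkdir(d, dir_mode)  # kernel applies dir_mode & ~umask
            fd = os.open(os.path.join(d, "black-xml.log"),
                         os.O_CREAT | os.O_WRONLY, file_mode)
            os.close(fd)
            f_mode = os.stat(os.path.join(d, "black-xml.log")).st_mode
            return (stat.S_IMODE(os.stat(d).st_mode) & 0o777,
                    stat.S_IMODE(f_mode) & 0o777)
    finally:
        os.umask(old)


def other_access(dir_mode):
    """What a user who is neither owner nor group member can do in a directory."""
    return {
        # r: readdir() works, so entry names are visible
        "list_names": bool(dir_mode & stat.S_IROTH),
        # x (search): needed to stat() or open() anything inside, including "."
        "stat_entries": bool(dir_mode & stat.S_IXOTH),
    }


# Cases from the post; the 0022 umask is an assumption (systemd default).
CASES = [
    ("UMask 0066 in unit, 0744/0744 requested", 0o066, 0o744, 0o744),
    ("UMask commented out, 0744/0744 requested", 0o022, 0o744, 0o744),
    ("suggested: 0755 dir, 0644 file", 0o022, 0o755, 0o644),
]

if __name__ == "__main__":
    for label, umask, dmode, fmode in CASES:
        d, f = create_with_umask(umask, dmode, fmode)
        acc = other_access(d)
        print(f"{label}: dir={stat.filemode(d | stat.S_IFDIR)} "
              f"file={stat.filemode(f | stat.S_IFREG)} "
              f"names={acc['list_names']} stat={acc['stat_entries']}")
```
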