How to deny access to global logfiles

nieuwhier

Hi All,

With Virtual Hosting every user is able to access the main logfiles (/var/log) of the server. Does anyone know how to secure those files without blocking access to processes that need access?

Regards,
Michel.
 
If you allow your users shell access but don't want them to see your logfiles, you can just remove read access for "O".

For example (not tested):
Code:
# Run as root. Joining the commands with && keeps chmod from running elsewhere if cd fails.
cd /var/log && chmod -R o-r *

If that stops any process from reading them (I haven't looked or tested, but webalizer comes to mind as a possibility), you can change the group ownership of the files with problems to some new group you create, and then make the process owner a member of that group.

Linux and Unix are wonderful operating systems with lots of choices for security.

Jeff

 
Thx Jeff.

Yep, Linux is great, but with little effort you can also mess up everything very easily :D

I am gonna test it on a test-server and will let you know.
 
Well, when I look in webalizer now, the stats are broken from the time I changed the file flags yesterday.

I never really got into webalizer; where does it get the stats from? I thought from the files in /var/log?

This is the error I got from the cronlog:

Webalizer V2.01-10 (Linux 2.6.9-1.667smp) English
Using logfile STDIN (clf)
Creating output in current directory
Hostname for reports is 'xxx.xxx.xxx'
History file not found...
No valid records found!
/etc/cron.daily/prelink:
 
My guess is that webalizer does get the files from /var/log/httpd/domains.

If so, then you'll have to figure out what username webalizer runs as, create a group; make group access all the way through that path, and make the user webalizer runs as a member of that group.

You can set flags so that all new domains' logs will be created with the right permissions.

None of this is a one line answer. I highly recommend getting a good book on Systems Administration.

(I was afraid this would happen.)

Jeff
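
Added example, not part of the thread: the group-based approach from the reply above as a shell sketch, with a check that lists anything "others" can still reach. The group name `logread` and account `webalizer_user` are hypothetical, and the demo runs on a constructed scratch tree using the caller's own primary group as a stand-in.

```shell
#!/bin/sh
# Added example, not from the thread. Real use (as root) would first create a
# group and add the log-reading account to it; both names are hypothetical:
#   groupadd logread && usermod -a -G logread webalizer_user

# restrict_log_tree DIR GROUP: owner and GROUP keep access, "others" lose it.
restrict_log_tree() {
    dir=$1 grp=$2
    chgrp -R "$grp" "$dir" || return 1
    # Directories 2750: group may list and traverse; the setgid bit makes
    # files created later inherit GROUP instead of the creator's own group.
    find "$dir" -type d -exec chmod 2750 {} + || return 1
    # Files 0640: owner read/write, group read-only, nothing for others.
    find "$dir" -type f -exec chmod 0640 {} + || return 1
}

# list_world_accessible DIR: print entries "others" can read, write or enter.
list_world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Constructed demo on a scratch tree, so the real /var/log is never touched.
demo() {
    scratch=$(mktemp -d) || return 1
    mkdir -p "$scratch/httpd/domains"
    : > "$scratch/messages"
    : > "$scratch/httpd/domains/example.com.log"
    chmod -R a+rX "$scratch"
    echo "world-accessible before:"; list_world_accessible "$scratch"
    restrict_log_tree "$scratch" "$(id -g)"   # own primary group stands in
    echo "world-accessible after:";  list_world_accessible "$scratch"
    rm -rf "$scratch"
}
demo
```

The setgid bit only passes the group on to new files; their mode still comes from the writing process's umask or from logrotate's `create` directive, so those have to match the 0640 used here.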
 