Introduction
Iguana creates .log files with read-access granted to all users, while allowing only the owner to write to them (0644).
However, letting everyone read the files does not introduce a security concern, because Iguana creates the logs folder such that only its owner can reach the log files (0700). If you created the logs folder yourself, you may want to check what access is granted.
Issue
Options for granting access to Iguana’s logs in Linux.
Solution
There are a couple of common options:
- Lock down access for the owner only:
  Allowing only the owner to have access to the log files is the most secure/restrictive option. This option may be suitable for smaller companies/sites, but larger sites will probably prefer option (2), which allows a group of users to share log access.
  - Use the chmod 0700 path/to/logs command to set owner-only access:
    If you created the log file directory you will need to set the directory permissions yourself. Run the chmod 0700 path/to/logs command in a terminal window.
  - If Iguana created the logs folder, then owner-only access is already set for you:
    You can run the ls -ld path/to/logs command (in a terminal window) to verify the permissions. You should see permission settings like drwx------ for the logs folder.
- Granting Access to a Group:
  If allowing only the owner to have access to the log files is too restrictive, then you can grant access to a user group. Using a group allows you to manage who can access the log files by adding/removing people from the group. This option is probably more suitable for larger companies/sites where more than one user needs to be able to access log files.
  - Use the chgrp TheGroup path/to/logs command to assign the group to the logs folder.
  - Use the chmod 0750 path/to/logs command to allow that group to enter (but not modify) the folder.
  Note: You don’t need to change the group name attached to each individual .log file, because once in the folder, any user can read the logs. This is because Iguana creates .log files with read-access granted to all users (0644).
How it Works
This is how the log security permissions work:
- Iguana creates .log files with read-access for all users.
- Iguana only allows the owner to write to log files.
- Iguana restricts access to the log directory to the owner:
  This prevents “all users” from being able to access the files until you grant suitable permission for the log directory, usually by granting group permissions as described above (point 2 in Solution).
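The permission model described above, as an added example (not part of the original article or of Iguana itself): a POSIX shell check that classifies a logs folder as owner-only, group or world from the mode string that ls -ld prints. The function names logs_dir_exposure and check_logs_dir and the scratch directory are assumptions made for this example, and it assumes the .log files keep the 0644 mode the article describes.

```shell
#!/bin/sh
# Added example (not Iguana's own code): report who can reach the .log files,
# judged from the search (x) bits on the logs directory. With 0644 log files,
# anyone who can enter the directory can read the logs.

# logs_dir_exposure DIR -> prints owner-only, group or world
logs_dir_exposure() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    # First field of `ls -ld` is the mode string, e.g. drwxr-x---
    mode=$(ls -ld "$1" | cut -c1-10)
    group_x=$(printf '%s' "$mode" | cut -c7)    # x, or s when setgid is also set
    other_x=$(printf '%s' "$mode" | cut -c10)   # x, or t when sticky is also set
    case $other_x in
        x|t) echo world; return 0 ;;
    esac
    case $group_x in
        x|s) echo group; return 0 ;;
    esac
    echo owner-only
}

# check_logs_dir DIR EXPECTED (owner-only or group)
# Returns 0 when the directory is no more open than EXPECTED, 1 otherwise.
check_logs_dir() {
    actual=$(logs_dir_exposure "$1") || return 2
    case "$2:$actual" in
        owner-only:owner-only|group:owner-only|group:group) return 0 ;;
        *) echo "$1: expected $2, found $actual ($(ls -ld "$1" | cut -c1-10))" >&2
           return 1 ;;
    esac
}

# Constructed demo: a scratch directory standing in for path/to/logs
demo=$(mktemp -d)
mkdir "$demo/logs"
: > "$demo/logs/sample.log"
chmod 0644 "$demo/logs/sample.log"
for m in 0700 0750 0755; do
    chmod "$m" "$demo/logs"
    printf '%s -> %s\n' "$m" "$(logs_dir_exposure "$demo/logs")"
done
rm -rf "$demo"
```

Run check_logs_dir with the real logs path and the option you chose (owner-only or group); a non-zero exit status means the folder is more open than intended.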
Technical information:
The above examples should work on most Linux distributions. If they don’t work, your manual should be very helpful: for example, man 1 chmod will tell you all about those magic numbers above, and give you alternatives like chmod g+rx path/to/logs for granting read/enter permission to the log folder’s group.
Another way to grant access to the log folder is with Access Control Lists, or ACLs, which are more flexible than the simpler, traditional Linux model described above (ACLs may not be supported on some Linux filesystems).