aker log uses insecure 777 perms

[anazmy]

Explore options to drop the need for 777 perms.

[Dryusdan]

The perm is not writed by ssh process ?
Else you can add all user on ssh group, make 720 permission (denied read of group) or 760 :)

[anazmy]

Hey @Dryusdan I think there are various options. Exploring what are the best ones.

[Dryusdan]

Hey o/
There are lot of option :)
Daemon who write logs, user group... :)
Good research :)

[anazmy]

Combining something similar to:

facility = logging.handlers.SysLogHandler.LOG_LOCAL6
syslog = logging.handlers.SysLogHandler(address='/dev/log',facility=facility)
syslog.setFormatter(logging.Formatter('Aker: %(module)s %(levelname)s - %(message)s'))
logging.root.addHandler(syslog)
logging.root.setLevel(config.log_level)

With simple syslog config might be helpful.

[anazmy]

Testing the below combination, I think it provides needed separation with minimal intervention.

mkdir  /var/log/aker
chmod 777 /var/log/aker/
setfacl -Rd -m o::rwX /var/log/aker/
touch /var/log/aker/aker.log
chmod 640 /var/log/aker/aker.log 

[Dryusdan]

I never seen setfacl command 😅

Question, when user connect, it's execute aker, so /var/log/aker/aker.log can write with lot of user, so I think 640 is not good 🤔

What do you think?

[anazmy]

Well in this test I'm using syslog facilities instead, so that will not be a problem as users are not actually writing directly to aker.log.
Plus users will have separate log dirs for their sessions output, like below:

# ls -altr /var/log/aker/20180820/
total 8
drwxrwxrwx+ 3 root   root     38 Aug 20 21:53 ..
drwxr-x---+ 2 jsmith jsmith 4096 Aug 20 21:53 jsmith
drwxrwxrwx+ 4 jsmith jsmith   34 Aug 20 21:53 .
drwxr-x---+ 2 anazmy anazmy 4096 Aug 20 21:53 anazmy