New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Restrict log permissions #397
Conversation
While the current log directory permissions are restrictive and correct, the file permissions are too permissive and it raises flags on evaluations of the deployment. Let's instead change the permissions to 0600 which is more appropriate for these types of logs.
cc @stlaz |
/hold |
In case of upgrades, this would fix the permissions of old logs too. |
/hold cancel |
This misses logs after log rotation. |
@sttts logs after log rotation inherit the initial permissions (at least that's how the underlying library is supposed to work) |
@sttts for reference, this attempts to fix the default in the underlying library natefinch/lumberjack#112 |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JAORMX, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
While the current log directory permissions are restrictive and correct,
the file permissions are too permissive and it raises flags on
evaluations of the deployment. Let's instead change the permissions to
0600 which is more appropriate for these types of logs.
Note that while this is a superficial fix, it is also meant to address upgrades
(on an upgrade scenario, the permissions of old and rotated log files will be
fixed).