move Rails logs to proper place

[wvengen]

fix for something that came up in turnkeylinux/tracker#216

[wvengen]

Haven't tested this as thoroughly as I would have liked, but it should be fine.

[wvengen]

It works, but I log permissions aren't always perfect - turnkeylinux/tracker#235.

[lirazsiri]

It's usually not ideal for a webapp to have access to its own logs because if a security breach allows the attacker to gain www-data privileges he can then alter them. If we use syslog then the attacker needs to escalate to root privileges.

OTOH, the right configuration is rarely perfect, it just makes the best trade-offs for the usage scenarios we have in mind. It looks like it is possible to configuration Rails to use syslog but if I'm not mistaken this has to be done at the application (rather than the system level) level, so perhaps it isn't a good idea to rely on that.

[wvengen]

Good point! Could require Rails appliance developers to use syslog? It's quite straightforward.

[lirazsiri]

I wouldn't force anyone to make a change to their app or to even
understand what syslog is to get it to work on TurnKey, but... I think
it would be a good idea to provide instructions/documentation so that
people who want to do the right thing have an easier time of it.

On 27/06/14 12:24, wvengen wrote:

Good point! Could require Rails appliance developers to use syslog? It's quite straightforward.

---

Reply to this email directly or view it on GitHub:
#6 (comment)

[wvengen]

I like your approach.

[wvengen]

Is there anything holding back this pull request? I'd be happy to add a line to the page about Rails on logging when merged (though I can't seem to find one right now).

[lirazsiri]

Merged this finally, sorry for letting this slip through the cracks.