Move /var/log permission changes to BSI #946
texasaggie97 wants to merge 3 commits into ni:nilrt/master/scarthgap from
Conversation
Force-pushed from 2c3a5fc to 795f1e0
Excerpt from set_log_permissions.sh under review (LOG_DIR is defined elsewhere in the script, not shown here):

```sh
if [ -d "${LOG_DIR}" ]; then
    chown root:adm "${LOG_DIR}"
    chmod 0770 "${LOG_DIR}"
fi
```
Is it OK to remove rx permissions for others? I know that technical support report reads from this location and I don't remember if it's done as webserv or admin; have we tested that workflow?
@jpautler may also have more context on persistent logs implementation.
We make this change in ownership in SNAC mode which is then causing issues with logrotate. This change moves that ownership change into the BSI so logrotate can be configured so that it will work in SNAC mode as well. If this is an issue for something, know that it will also be an issue when the target is configured for SNAC.
I think we need to test technical support report workflow to ensure it's not broken. We should also spend some time figuring out if any other workflows will be broken (or already broken in SNAC).
amstewart left a comment
Remember to clean up your commit messages to include the recipe in the commit subject and have a detailed description.
Excerpt from the ni-configpersistentlogs recipe under review:

```bitbake
SRC_URI = "\
    file://ni-configpersistentlogs \
    file://set_log_permissions.sh \
```
The original /var/log permissions are applied by the populate-volatile initscript already - which reads its configuration from /etc/default/volatiles. Instead of adding another initscript that resets it later, we should just add a conf snippet to that location changing the ownership.
And you should make that change in our initscripts bbappend.
…distros that have this group as a default
Signed-off-by: Mark Silva <mark.silva@emerson.com>
Signed-off-by: Mark Silva <mark.silva@emerson.com>
…ent logs. This sets the group for /var/log to adm
Signed-off-by: Mark Silva <mark.silva@emerson.com>
Add update-rc.d-native to dependencies for ni-configpersistentlogs
Force-pushed from 795f1e0 to 44ae2c5
Summary of Changes
- `su root adm` in the global logrotate configuration, so that logrotate accepts `/var/log` being owned by group `adm` with mode 0770, fixing the error: skipping "/var/log/dmesg" because parent directory has insecure permissions.
- `/etc/default/volatiles/00_core` entries in ni-configpersistentlogs to create `/var/log` with owner `root:adm` and mode 0770 (both persistent and volatile configurations).
- `set_log_permissions.sh` (runs at start priority 3), which enforces `root:adm` 0770 ownership and default ACLs on `/var/log` at boot time, keeping the base image consistent with the security hardening applied by nilrt-snac.
- `acl` as a runtime dependency of ni-configpersistentlogs to ensure `setfacl` is available.
Justification
AB#3698573
The nilrt-snac security hardening script sets /var/log to root:adm 0770 with default ACLs. Without this change the base image is inconsistent with that policy and logrotate fails on any log under /var/log with a misleading "insecure permissions" error.
See this internal Teams chat for discussion regarding this change and how it would affect LabVIEW RT.
Testing
bitbake packagefeed-ni-core)
Procedure
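Worked example, added here and not part of this PR or the nilrt repository: a POSIX shell script that stages the two configuration pieces described in the summary and in amstewart's review (a populate-volatile entry in /etc/default/volatiles/00_core creating /var/log as root:adm 0770, and a global `su root adm` in logrotate.conf) into a scratch root, and emulates logrotate's parent-directory check so the "insecure permissions" failure and its fix can be reproduced without root. Assumptions not stated on the page: logrotate rejects a parent directory that is world-writable, or group-writable by a non-root group, unless a `su` directive is configured; the volatiles line format is the standard OE one (type owner group mode path linksource); the staging paths and function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the nilrt PR or repository): emulate the logrotate
# parent-directory check behind "parent directory has insecure permissions",
# and stage the two config pieces the PR describes into a scratch root so the
# behaviour can be checked without root privileges.
#
# Assumptions (not stated on the page): logrotate refuses a parent directory
# that is world-writable, or group-writable by a group other than root (gid 0),
# unless a "su <user> <group>" directive is set; the volatiles line format is
# OE's "type owner group mode path linksource". Paths and names are illustrative.

# Pure check, $1 = ls-style mode string (e.g. drwxrwx---), $2 = numeric gid.
# Prints "insecure" or "ok". Group write is column 6, other write is column 9.
parent_dir_status() {
    _gw=$(printf '%s' "$1" | cut -c6)
    _ow=$(printf '%s' "$1" | cut -c9)
    if [ "$_ow" = "w" ]; then
        echo insecure
    elif [ "$_gw" = "w" ] && [ "$2" != "0" ]; then
        echo insecure
    else
        echo ok
    fi
}

# Same check on a real directory; ls -ldn is POSIX, so no GNU stat is needed.
parent_dir_status_of() {
    _line=$(ls -ldn "$1") || return 1
    set -- $_line
    parent_dir_status "$1" "$4"
}

# True when the logrotate config $1 carries a "su <user> <group>" line.
has_su_directive() {
    grep -Eq '^[[:space:]]*su[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+' "$1"
}

# Would logrotate rotate a log in directory $1 under config $2? Prints yes/no.
logrotate_would_rotate() {
    if has_su_directive "$2" || [ "$(parent_dir_status_of "$1")" = "ok" ]; then
        echo yes
    else
        echo no
    fi
}

# Write the populate-volatile entry and the logrotate global section under
# scratch root $1 (never under / in this example).
stage_log_perm_config() {
    mkdir -p "$1/etc/default/volatiles"
    # One line for populate-volatile: create /var/log as root:adm 0770.
    cat > "$1/etc/default/volatiles/00_core" <<'EOF'
d root adm 0770 /var/log none
EOF
    # Global logrotate section: rotate as root:adm so the group-writable
    # 0770 /var/log is no longer treated as insecure.
    cat > "$1/etc/logrotate.conf" <<'EOF'
su root adm
daily
rotate 4
create
EOF
}

# Stand-alone demo on a scratch directory: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    _root=$(mktemp -d)
    stage_log_perm_config "$_root"
    mkdir -p "$_root/var/log" && chmod 0770 "$_root/var/log"
    printf 'parent dir: %s\n' "$(parent_dir_status_of "$_root/var/log")"
    printf 'without su: %s\n' "$(logrotate_would_rotate "$_root/var/log" /dev/null)"
    printf 'with su:    %s\n' "$(logrotate_would_rotate "$_root/var/log" "$_root/etc/logrotate.conf")"
    rm -rf "$_root"
fi
```

Run it as a non-root user (`sh thisfile.sh --demo`): the 0770 scratch directory belongs to a non-root group, so it reports insecure and only the config carrying `su root adm` would rotate. The emulation is an approximation of logrotate's rule; confirm the real behaviour on the target with `logrotate -d /etc/logrotate.conf` before relying on it.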