By default, /var/log/messages* are created with read-write permissions for ‘root’ user only. There might be a requirement to make the log files world readable for eg to allow an application to read and process the data in it. Changing the permissions on such files using ‘chmod’ might be a temporary solution as they will be recreated with the original permission during the next logrotate cron job. This post will help understand how to set custom permissions (eg 644) on /var/log/messages permanently.

 

For CentOS/RHEL 4 and 5 (using syslogd)

 

1. The “create xxxx” directive in /etc/logrotate.d/syslog config file controls the permission of log files managed by syslogd daemon.

 

2. The example below shows how to change the permission on /var/log/messages to 644 (world readable). Since the intention is to ONLY change permission on a single log file (eg /var/log/messages) we are creating a new config section in /etc/logrotate.d/syslog specifically for changes on /var/log/messages.

 

Current Permissions:

# ls -l /var/log/messages
-rw-------. 1 root root 424848 June 22 09:18 /var/log/messages

 

3. First, Remove the /var/log/messages from the main section in the file /etc/logrotate.d/syslog,

# vi /etc/logrotate.d/syslog

 /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {      ### Remove /var/log/messages from main section
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

 

and Create a new section for /var/log/messages as shown below and append it to the same file.

/var/log/messages {                                                                    ### add /var/log/messages to a sub-section

   sharedscripts
   create 0644                                                                         ### This directive will change the permission on /var/log/messages* to 644
   postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript

}

 

Note:

syslogd won’t automatically change the permissions on any file that already exists. Copy or move the original file(s) and force an immediate rotation for the changes to take effect.

 

4. Manually rotate the syslog to see the change in permissions.

# logrotate --force /etc/logrotate.d/syslog

 

# ls -l /var/log/messages
-rw-r--r--. 1 root root 231 June 22 09:19 /var/log/messages

 

All the subsequent log files will be created with ‘644’ permission.

 

For CentOS/RHEL 6 and 7 (using rsyslogd version >3)

 

The $FileCreateMode directive and $umask directive in /etc/rsyslog.conf configuration file allows to specify the creation mode with which rsyslogd creates new files. By default $FileCreateMode directive is compiled in as 0644, which ideally should create files managed by rsyslog with permission 644, but since actual permission depend on rsyslogd’s process umask, all files gets created with 600 permissions. To fix this, edit /etc/rsyslog.conf and add “$umask 0000” right at the beginning of the file that needs modification.

 

The example below shows how to change the permission on /var/log/messages to 644 (world readable)

 

1. Check the current permissions of the /va/log/messages file:

# ls -l /var/log/messages
-rw-------. 1 root root 424848 June 22 09:18 /var/log/messages

 

2. Edit the /etc/rsyslog.conf configuration file and the directive “$umask 0000” at the top of the file.

# vi /etc/rsyslog.conf
..
$umask 0000                 ### Add this to reset the umask#
$FileCreateMode 0644        ### This line can be omitted as the compiled in default is already set to 644. Modify this value if you need to set permissions other than 644#
*.info;mail.none;authpriv.none;cron.none /var/log/messages
$umask 0077                 ### Add this to set umask back to default, otherwise all files managed by rsyslogd (/eg /var/log/secure) will be created as world readable (644)

 

Note:

rsyslogd won’t automatically change the permissions on any file that already exists. You would have to delete or move the file and have rsyslogd reloaded for the new permissions to take effect.

 

3. Lets move the current /var/log/messages file to some other location. This will allow us to create a new messages file with our newly defined permissions.

# mv /var/log/messsages /tmp/

 

4. Restart the rsyslog service to generate a new /var/log/messages file.

# service rsyslog restart        ### CentOS/RHEL 6
# systemctl restart rsyslog      ### CentOS/RHEL 7

 

5. Check the permission of the file again.

# ls -l /var/log/messages
-rw-r--r--. 1 root root 231 June 22 09:19 /var/log/messages

 

That’s all to it. All the subsequent log files will now be created with ‘644’ permission.

 

Was this answer helpful? 0 Users Found This Useful (0 Votes)