Puppet Log Directory Permissions


Peter Krawetzky

Jun 4, 2019, 1:59:07 PM
to Puppet Users
I want to be able to ingest the puppet server's logs into splunk but the owner of the directory is puppet:puppet and the permissions are /var/log/puppetlabs/puppet rwxr-x---.  Since other has no access, the splunk service will not be able to read the log files.  Can I just change the permissions to rwxr-xr-x without any adverse effects to the puppetserver process?  Is there a way to do this in a puppetserver config file like logback.xml?

James Pryor

Jun 4, 2019, 3:48:07 PM
to puppet...@googlegroups.com
Hello,
I cannot speak to whether or not changing the permissions to rwxr-xr-x is without any adverse effects to the puppetserver process, but I think I spotted a possible solution.

Do the file permissions show a period (a dot .) at the end of the permissions list, like this?
# ls -l /etc/somefile
-rw-r-----. 1 root root 27 Jun  4 19:29 /etc/somefile

If so, then your Linux filesystem appears to support extended attributes and Access Control Lists and you can set ACLs on a per file or per directory basis.
https://wiki.archlinux.org/index.php/Access_Control_Lists

In this example I am giving a nonpriv user read access to a file that is 640 via the ACL:
[root@centos7 etc]# ls -l /etc/somefile
-rw-r-----. 1 root root 27 Jun  4 19:29 /etc/somefile
[root@centos7 etc]# setfacl -m u:nonprivuser:r /etc/somefile
[root@centos7 etc]# getfacl somefile
# file: somefile
# owner: root
# group: root
user::rw-
user:nonprivuser:r--
group::r--
mask::r--
other::---


Regards,
James

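The ACL approach from the reply above, applied to the log directory named in the question, as an added example that is not part of the original thread. It grants one account read access, adds a default ACL so log files created later inherit the entry, and leaves the "other" bits at ---. The account name splunk and both function names are assumptions.

```sh
# Added example: read-only access for one service account via POSIX ACLs.
# Owner, group and "other" permission bits are left as they are.
# Assumed names: grant_log_read, verify_log_acl, account "splunk".

grant_log_read() {
    user="$1"; dir="$2"
    # Directory: r-x so the account can list and traverse it.
    setfacl -m "u:${user}:r-x" "$dir" || return 1
    # Default ACL: entries inherited by files created in the directory
    # later. New regular files are created without execute bits, so the
    # mask reduces this entry to an effective r-- on them.
    setfacl -d -m "u:${user}:r-x" "$dir" || return 1
    # Files already present in the directory: read only.
    find "$dir" -maxdepth 1 -type f \
        -exec setfacl -m "u:${user}:r" {} + || return 1
}

# Returns 0 only if the path carries a named-user entry for $1 that
# includes read, and "other" still has no access at all.
verify_log_acl() {
    acl="$(getfacl -c "$2" 2>/dev/null)" || return 1
    printf '%s\n' "$acl" | grep -q "^user:$1:r" || return 1
    printf '%s\n' "$acl" | grep -q '^other::---'
}

# Usage, run as root on the Puppet server (path taken from the question):
#   grant_log_read splunk /var/log/puppetlabs/puppet
#   verify_log_acl splunk /var/log/puppetlabs/puppet && echo "ACL in place"
```

Only the top level of the directory is handled; subdirectories would each need the same two directory entries.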

Peter Krawetzky

Jun 6, 2019, 7:49:23 AM
to Puppet Users
Interesting, thanks!