Merge pull request #15 from jovanlanik/master

Add setting log permissions to configuration

Author: m-kress

README

@@ -225,6 +225,13 @@ Defaults to 0 (i.e. repeated messages will be summarized)
 directory doesn't exist, it will be automatically created when the first
 matching message will be logged (the parent directory has to exist, though) .
 
+* perms = <mode> : permissions for the log directory. Defaults to 0700
+
+Example : Let those in the group with the GID of the process read the log.
+Don't forget to run metalog as the group.
+
+  perms    = 0770
+
 * command = <path/to/command> : run a program or a shell-script when all
 conditions are met. This directive is not incompatible with logdir : a
 message can be both logged and passed to an external command. When the
@@ -354,6 +361,9 @@ Linux. Valid values are from 0 to 7. The default is 7.
 - '-C <configuration file>' or '--configfile=<configuration file>' : use an
 alternative configuration file.
 
+- '-g <group>' or '--group=<group>' : change the GID of the metalog process.
+Created files will be owned by this group.
+
 - '-h' or '--help' : show help and version number.
 
 - '-p <filename>' or '--pidfile=<filename>' : set the name of the file

man/metalog.8.in

@@ -32,6 +32,10 @@ Set the console log level (Linux only).
 .BR \-C ", " \-\-configfile = \fR\fIfile\fR
 Use an alternate configuration file.
 .TP
+.BR \-g ", " \-\-group = \fR\fIgroup\fR
+Change the GID of the metalog process.
+Created files will be owned by this group.
+.TP
 .BR \-h ", " \-\-help
 Output help information and exit.
 .TP

man/metalog.conf.5.in

@@ -91,6 +91,9 @@ By default, \fBmaximum\fR is the largest possible level.
 Files will be written under the specified directory. The special value \fI"NONE"\fR will
 skip the log message.
 .TP
+\fBperms\fR = \fI<mode>\fR
+Permissions for the log directory. Defaults to \fI0700\fR
+.TP
 \fBprogram\fR = \fI"name"\fR
 Can be used to do filtering instead of \fBfacility\fR.
 Remember to use the executable name.

metalog.conf

@@ -4,6 +4,9 @@ maxsize  = 1048576  # size in bytes (1048576 = 1 megabyte)
 maxtime  = 86400    # time in seconds (86400 = 1 day)
 maxfiles = 5        # num files per directory
 
+# Permissions for log directories. 0750 allows group to read logs. 0700 is default.
+#perms    = 0750
+
 # Format of the timestamp: YYYY-MM-DD HH:MM:SS.NNN
 #stamp_fmt = "%F %T.%3N"
 
@@ -57,6 +60,10 @@ Password failures :
     logdir   = "/var/log/pwdfail"
 #    command  = "/usr/local/sbin/mail_pwd_failures.sh"
 
+# If you changed default permissions it may be a good idea to set more
+# restrictive permissions on sensitive logs.
+#    perms    = 0700
+
 Kernel messages :
 
     facility = "kern"

src/metalog.c

@@ -189,6 +189,11 @@ static int parseLine(char * const line, ConfigBlock **cur_block,
             if ((*cur_block)->output != NULL) {
                 (*cur_block)->output->showrepeats = (*cur_block)->showrepeats;
             }
+        } else if (strcasecmp(keyword, "perms") == 0) {
+            (*cur_block)->perms = (mode_t) strtoul(value, NULL, 8);
+            if ((*cur_block)->output != NULL) {
+                (*cur_block)->output->perms = (*cur_block)->perms;
+            }
         } else if (strcasecmp(keyword, "logdir") == 0) {
             char *logdir = NULL;
             Output *outputs_scan = outputs;
@@ -215,6 +220,7 @@ static int parseLine(char * const line, ConfigBlock **cur_block,
             else
                 free(logdir);
             new_output->fp = NULL;
+            new_output->perms = (*cur_block)->perms;
             new_output->size = (off_t) 0;
             new_output->maxsize = (*cur_block)->maxsize;
             new_output->maxfiles = (*cur_block)->maxfiles;
@@ -353,6 +359,7 @@ static int configParser(const char * const file)
             (off_t) DEFAULT_MAXSIZE,   /* maxsize */
             DEFAULT_MAXFILES,          /* maxfiles */
             (time_t) DEFAULT_MAXTIME,  /* maxtime */
+            (mode_t) DEFAULT_PERMS,    /* perms */
             NULL,                      /* output */
             NULL,                      /* command */
             NULL,                      /* program */
@@ -849,7 +856,7 @@ static int writeLogLine(Output * const output, const char * const date,
 
         testdir:
         if (stat(output->directory, &st) < 0) {
-            if (mkdir(output->directory, OUTPUT_DIR_PERMS) < 0) {
+            if (mkdir(output->directory, output->perms) < 0) {
                 warnp("Can't create [%s]", output->directory);
                 return -1;
             }
@@ -1638,6 +1645,21 @@ static void dodaemonize(void)
     }
 }
 
+static void setgroup(void)
+{
+        if (group_name == NULL) return;
+        struct group *g;
+        errno = 0;
+        if ((g = getgrnam(group_name)) == NULL) {
+            if(errno == 0)
+                err("Failed to set group: group '%s' not found", group_name);
+            else
+                errp("Failed to set group");
+        }
+        if (setgid(g->gr_gid) == -1)
+            errp("Failed to set group");
+}
+
 __attribute__ ((noreturn))
 static void help(void)
 {
@@ -1678,6 +1700,9 @@ static void parseOptions(int argc, char *argv[])
         case 'C' :
             config_file = xstrdup(optarg);
             break;
+        case 'g' :
+            group_name = xstrdup(optarg);
+            break;
         case 'v' :
             ++verbose;
             break;
@@ -1722,6 +1747,7 @@ int main(int argc, char *argv[])
     if (configParser(config_file) < 0)
         err("Bad configuration file");
     checkRoot();
+    setgroup();
     dodaemonize();
     setsignals();
     if (update_pid_file(pid_file))

src/metalog.h

@@ -37,6 +37,7 @@
 #include <sys/wait.h>
 #include <netinet/in.h>
 #include <netdb.h>
+#include <grp.h>
 
 #ifndef HAVE_SYSLOG_NAMES
 # include "syslognames.h"
@@ -96,6 +97,7 @@ typedef struct RemoteHost_ {
 
 typedef struct Output_ {
     char *directory;
+    mode_t perms;
     FILE *fp;
     off_t size;
     off_t maxsize;
@@ -130,6 +132,7 @@ typedef struct ConfigBlock_ {
     off_t maxsize;
     int maxfiles;
     time_t maxtime;
+    mode_t perms;
     Output *output;
     const char *command;
     const char *program;
@@ -168,7 +171,7 @@ typedef enum LogLineType_ {
 #define CF_PROGNAME_KERNEL "kernel"
 #define OUTPUT_DIR_TIMESTAMP ".timestamp"
 #define OUTPUT_DIR_CURRENT "current"
-#define OUTPUT_DIR_PERMS 0700
+#define DEFAULT_PERMS 0700
 #define OUTPUT_DIR_LOGFILES_PREFIX "log-"
 #define OUTPUT_DIR_LOGFILES_SUFFIX "%Y-%m-%d-%H:%M:%S"
 #define DEFAULT_CONFIG_FILE CONFDIR "/metalog.conf"

src/metalog_p.h

@@ -6,7 +6,7 @@
 #else
 # define KLOGCTL_OPTIONS ""
 #endif
-#define GETOPT_OPTIONS KLOGCTL_OPTIONS "aBC:hp:sVvN"
+#define GETOPT_OPTIONS KLOGCTL_OPTIONS "aBC:g:hp:sVvN"
 
 static struct option long_options[] = {
     { "async",        0, NULL, 'a' },
@@ -15,6 +15,7 @@ static struct option long_options[] = {
     { "consolelevel", 1, NULL, 'c' },
 #endif
     { "configfile",   1, NULL, 'C' },
+    { "group",        1, NULL, 'g' },
     { "help",         0, NULL, 'h' },
     { "no-kernel",    0, NULL, 'N' },
     { "pidfile",      1, NULL, 'p' },
@@ -42,5 +43,6 @@ static bool do_kernel_log = true;
 static signed char daemonize;
 static const char *pid_file = DEFAULT_PID_FILE;
 static const char *config_file = DEFAULT_CONFIG_FILE;
+static const char *group_name = NULL;
 
 #endif