eeckwrk99 Apprentice
Joined: 14 Mar 2021 Posts: 232 Location: Gentoo forums
Posted: Sun Dec 31, 2023 11:14 pm Post subject: /var/log/emerge.log permissions
/var/log/emerge.log is owned by the portage user and the portage group and has 660 permissions:
Code:
$ ls -lh /var/log/emerge.log
-rw-rw---- 1 portage portage 22M Dec 31 08:03 /var/log/emerge.log

As a result, any emerge.log parser tool such as emlop, qlop or genlop won't work with a regular user (provided it isn't part of the portage group, which I recently learned is discouraged):
Code:
$ emlop l -e sys-apps/portage
[ERROR emlop] Cannot open "/var/log/emerge.log": Permission denied (os error 13)
$ sudo emlop l -e sys-apps/portage
[..]
2023-12-15 18:49:18 16 sys-apps/portage-3.0.57
2023-12-30 18:00:49 22 sys-apps/portage-3.0.59
$ qlop sys-apps/portage
qlop: Could not open logfile '/var/log/emerge.log': Permission denied
$ sudo qlop sys-apps/portage
[..]
2023-12-15T18:49:02 >>> sys-apps/portage: 16s
2023-12-30T18:00:27 >>> sys-apps/portage: 22s
$ genlop sys-apps/portage
genlop: cannot open /var/log/emerge.log for reading
maybe you are not a member of the portage group ?
$ sudo genlop sys-apps/portage
[..]
Fri Dec 15 18:49:18 2023 >>> sys-apps/portage-3.0.57
Sat Dec 30 18:00:49 2023 >>> sys-apps/portage-3.0.59

I was wondering what the rationale behind the 660 permissions is. For instance, on Arch Linux, /var/log/pacman.log has 644 permissions, so any Pacman-related tool such as paclog works with any user:
Code:
$ ls -lh /var/log/pacman.log
-rw-r--r-- 1 root root 15M Dec 31 23:00 /var/log/pacman.log
$ paclog --package=pacman
[2023-05-21T18:26:44+0200] [ALPM] upgraded pacman (6.0.2-6 -> 6.0.2-7)
[2023-09-21T09:00:38+0200] [ALPM] upgraded pacman (6.0.2-7 -> 6.0.2-8)

Last edited by eeckwrk99 on Mon Jan 01, 2024 12:03 am; edited 1 time in total
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5240 Location: Bavaria
eeckwrk99 Apprentice
Joined: 14 Mar 2021 Posts: 232 Location: Gentoo forums
Posted: Mon Jan 01, 2024 12:08 am
pietinger wrote: It has 660 (not 600)
Indeed, my bad. I edited OP. Thanks!
pietinger wrote: and if your admin user (=you?) is in portage group it should work.
Yes, it works if your user is in the portage group. But this is not recommended, see Hu's comment I linked in OP.
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5240 Location: Bavaria
Posted: Mon Jan 01, 2024 1:11 pm
Maybe the easiest solution is to chmod it to 664. Another way is to do a su - when doing some portage jobs (I do).
(Yes, there was a discussion about a more secure invocation of su ... but I have dev.tty.legacy_tiocsti = 0 in my sysctl.conf).
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
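An added example, not part of any post in this thread: it parses the two `ls -lh` lines quoted in the opening post and works out which permission class a given account falls into, including the effect of the `chmod 664` suggested above. The account names `alice` and `bob` are hypothetical, and ACLs are not modelled.

```python
# Constructed from the two `ls -lh` lines quoted in the opening post.
LS_LINES = [
    "-rw-rw---- 1 portage portage 22M Dec 31 08:03 /var/log/emerge.log",
    "-rw-r--r-- 1 root root 15M Dec 31 23:00 /var/log/pacman.log",
]

def parse_ls(line):
    """Split an `ls -l` line into (mode string, owner, group, path)."""
    fields = line.split()
    return fields[0], fields[2], fields[3], fields[-1]

def access(mode, owner, group, user, user_groups):
    """Return the read/write bits ('rw', 'r', 'w' or '') that `user` gets.

    POSIX picks exactly one permission class: owner if the user owns the
    file, else group if the user is in the file's group, else other.
    There is no fall-through to a more permissive class.
    """
    if user == "root":  # root bypasses the mode bits (CAP_DAC_OVERRIDE)
        return "rw"
    if user == owner:
        bits = mode[1:4]
    elif group in user_groups:
        bits = mode[4:7]
    else:
        bits = mode[7:10]
    return "".join(b for b in bits[:2] if b != "-")

def report(user, user_groups, lines=LS_LINES):
    """Map each path to the access `user` would get."""
    return {path: access(mode, owner, group, user, user_groups)
            for mode, owner, group, path in map(parse_ls, lines)}

if __name__ == "__main__":
    # Hypothetical accounts: alice is a regular user, bob is in the portage group.
    accounts = [("alice", {"alice"}), ("bob", {"bob", "portage"}), ("root", {"root"})]
    for user, groups in accounts:
        print(user, report(user, groups))
    # Mode after `chmod 664`: the "other" class gains read, not write.
    print("alice after 664:",
          access("-rw-rw-r--", "portage", "portage", "alice", {"alice"}))
```

With mode 660 a member of the portage group gets write access as well as read, while 664 gives everyone else read only.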
eeckwrk99 Apprentice
Joined: 14 Mar 2021 Posts: 232 Location: Gentoo forums
Posted: Mon Jan 01, 2024 2:31 pm
pietinger wrote: Maybe the easiest solution is to chmod it to 664. Another way is to do a su - when doing some portage jobs (I do).
Sure, I'm just using sudo or su - now. I'm just curious as to why it comes with 660 permissions. What kind of sensitive information would emerge.log contain to deny read access to a regular user? I don't know.
Now that I think about it, this is the same for failed compilation logs in /var/tmp/portage/category/name/temp/build.log.
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5240 Location: Bavaria
Posted: Mon Jan 01, 2024 7:08 pm
eeckwrk99 wrote: [...] What kind of sensitive information would emerge.log contain to deny read access to a regular user? I don't know.
I don't know that either. Maybe only a developer from the security team can answer that ... or maybe it's just a mistake. Maybe you want to write a bug report?
eeckwrk99 Apprentice
Joined: 14 Mar 2021 Posts: 232 Location: Gentoo forums
Posted: Mon Jan 01, 2024 7:48 pm
pietinger wrote: or maybe it's just a mistake.
Considering all these log files (build logs, emerge.log, emerge-fetch.log...) seem to have 660 permissions, it suggests that it's done purposely.
I wonder what the permissions are for similar log files on other distros such as Debian, Fedora, Void...