Gentoo Forums
/var/log/emerge.log permissions
eeckwrk99
Apprentice
Joined: 14 Mar 2021
Posts: 232
Location: Gentoo forums

Posted: Sun Dec 31, 2023 11:14 pm    Post subject: /var/log/emerge.log permissions

/var/log/emerge.log is owned by portage user from portage group and has 660 permissions:
Code:
$ ls -lh /var/log/emerge.log
-rw-rw---- 1 portage portage 22M Dec 31 08:03 /var/log/emerge.log


As a result, any emerge.log parser tool such as emlop, qlop or genlop won't work with a regular user (provided it isn't part of the portage group, which I recently learned is discouraged):

Code:
$ emlop l -e sys-apps/portage
[ERROR emlop] Cannot open "/var/log/emerge.log": Permission denied (os error 13)

$ sudo emlop l -e sys-apps/portage
[..]
2023-12-15 18:49:18     16 sys-apps/portage-3.0.57
2023-12-30 18:00:49     22 sys-apps/portage-3.0.59

$ qlop sys-apps/portage
qlop: Could not open logfile '/var/log/emerge.log': Permission denied

$ sudo qlop sys-apps/portage
[..]
2023-12-15T18:49:02 >>> sys-apps/portage: 16s
2023-12-30T18:00:27 >>> sys-apps/portage: 22s

$ genlop sys-apps/portage
genlop: cannot open /var/log/emerge.log for reading
maybe you are not a member of the portage group ?

$ sudo genlop sys-apps/portage
    [..]
    Fri Dec 15 18:49:18 2023 >>> sys-apps/portage-3.0.57
    Sat Dec 30 18:00:49 2023 >>> sys-apps/portage-3.0.59


I was wondering what is the rationale behind the 660 permissions. For instance, on Arch Linux, /var/log/pacman.log has 644 permissions, so any Pacman related tool such as paclog works with any user:
Code:
$ ls -lh /var/log/pacman.log
-rw-r--r-- 1 root root 15M Dec 31 23:00 /var/log/pacman.log

$ paclog --package=pacman
[2023-05-21T18:26:44+0200] [ALPM] upgraded pacman (6.0.2-6 -> 6.0.2-7)
[2023-09-21T09:00:38+0200] [ALPM] upgraded pacman (6.0.2-7 -> 6.0.2-8)


Last edited by eeckwrk99 on Mon Jan 01, 2024 12:03 am; edited 1 time in total
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 5174
Location: Bavaria

Posted: Sun Dec 31, 2023 11:49 pm

It has 660 (not 600) and if your admin user (=you?) is in portage group it should work.
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
eeckwrk99
Apprentice
Joined: 14 Mar 2021
Posts: 232
Location: Gentoo forums

Posted: Mon Jan 01, 2024 12:08 am

pietinger wrote:
It has 660 (not 600)

Indeed, my bad. I edited OP. Thanks!

pietinger wrote:
and if your admin user (=you?) is in portage group it should work.

Yes, it works if your user is in portage group. But this is not recommended, see Hu's comment I linked in OP.
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 5174
Location: Bavaria

Posted: Mon Jan 01, 2024 1:11 pm

Maybe the easiest solution is to chmod it to 664. Another way is to do a su - when doing some portage jobs (I do).

(Yes, there was a discussion about a more secure invocation of su ... but I have dev.tty.legacy_tiocsti = 0 in my sysctl.conf).
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
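
The three cases discussed in this thread (regular user outside the portage group, user added to the group, file changed to 664), worked through as an added example that is not part of the original posts. It applies the standard Unix owner/group/other class selection, ignoring ACLs and root; the IDs 250 and 1000 are constructed sample values and `effective_access`/`check_file` are hypothetical helper names.

```shell
#!/bin/sh
# Classic Unix permission check: exactly ONE class applies, chosen in the
# order owner -> group -> other. ACLs and root's override are ignored.
# usage: effective_access MODE FILE_UID FILE_GID USER_UID USER_GID...
effective_access() {
    mode=$1 file_uid=$2 file_gid=$3 user_uid=$4
    shift 4                                   # remaining args: the user's GIDs
    owner=$(( (0$mode >> 6) & 7 ))            # leading 0 => parsed as octal
    group=$(( (0$mode >> 3) & 7 ))
    other=$(( 0$mode & 7 ))

    bits=$other
    if [ "$user_uid" -eq "$file_uid" ]; then
        bits=$owner                           # owner class wins, even if weaker
    else
        for gid in "$@"; do
            if [ "$gid" -eq "$file_gid" ]; then bits=$group; break; fi
        done
    fi

    r=-; w=-; x=-
    if [ $(( bits & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( bits & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( bits & 1 )) -ne 0 ]; then x=x; fi
    printf '%s%s%s\n' "$r" "$w" "$x"
}

# Same check for the invoking user against a real file (GNU stat syntax).
check_file() {
    info=$(stat -c '%a %u %g' "$1") || return 1
    set -- $info
    effective_access "$1" "$2" "$3" "$(id -u)" $(id -G)
}

# Constructed sample IDs: file owned by uid 250 / gid 250, regular user uid 1000.
echo "660, user not in file's group: $(effective_access 660 250 250 1000 1000)"
echo "660, user added to the group:  $(effective_access 660 250 250 1000 1000 250)"
echo "664, user not in file's group: $(effective_access 664 250 250 1000 1000)"
```

With mode 660, joining the file's group yields `rw-` (write as well as read), while 664 gives every local user `r--` only.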
eeckwrk99
Apprentice
Joined: 14 Mar 2021
Posts: 232
Location: Gentoo forums

Posted: Mon Jan 01, 2024 2:31 pm

pietinger wrote:
Maybe the easiest solution is to chmod it to 664. Another way is to do a su - when doing some portage jobs (I do).

Sure, I'm just using sudo or su - now. I'm just curious as to why it comes with 660 permissions. What kind of sensitive information would emerge.log contain to deny read access to a regular user? I don't know.

Now that I think about it, this is the same for failed compilation logs in /var/tmp/portage/category/name/temp/build.log.
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 5174
Location: Bavaria

Posted: Mon Jan 01, 2024 7:08 pm

eeckwrk99 wrote:
[...] What kind of sensitive information would emerge.log contain to deny read access to a regular user? I don't know.

I don't know that either. Maybe only a developer from the security team can answer that ... or maybe it's just a mistake. Maybe you want to write a bug report?
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
eeckwrk99
Apprentice
Joined: 14 Mar 2021
Posts: 232
Location: Gentoo forums

Posted: Mon Jan 01, 2024 7:48 pm

pietinger wrote:
or maybe it's just a mistake.

Considering all these log files (build logs, emerge.log, emerge-fetch.log...) seem to have 660 permissions, it suggests that it's done purposely.

I wonder what are the permissions for similar log files on other distros such as Debian, Fedora, Void...