[sudo-users] log_output and log_input destination directories and files ownership and permissions

Luca Fornasari luca.fornasari at furna.com
Wed Oct 26 12:49:17 MDT 2016


Greetings everyone,

I just set up log_output and log_input (using Defaults) and everything
is working almost fine.

I just have one problem: I need to give a special user read access to
the generated logs; this special user is used to run a third-party
binary agent, so I cannot rely on sudo to give read access to the logs
(unless I start it with full root privileges, which I want to avoid).

I was then thinking about file system ACLs; anyway, the log_output log
directories and files are created with 0700 and 0600 respectively, with
owner root and group the user's primary gid.
That means even ACLs are a no-go solution, since when the standard group
permission is changed the ACL mask is also changed, and as a result the
ACL denies access.

I searched for an option in sudo.conf and sudoers to change the
behavior and have the log directories/files root:root 0750 06600, with
no luck.

I have no idea what the rationale is behind the choice to save as
root:usergid and then set to 0700/0600.

Any comment/idea?

Thanks in advance
Luca Fornasari
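
The ACL mask interaction described in the message above, as an added example that is not part of the original post and is not sudo code: a small Python model of Linux POSIX ACL inheritance and mask evaluation. The account name "agent", the default ACL on the parent directory and the contrasting mode 0640 are assumptions made for illustration; 0600 is the file mode reported in the post.

```python
# Constructed model of Linux POSIX ACL semantics; not sudo's code.
R, W, X = 4, 2, 1

# Hypothetical default ACL on the I/O log parent directory, as would result from
# `setfacl -d -m u:agent:r-x <dir>`. "agent" is a made-up account name.
DEFAULT_ACL = {"user_obj": R | W | X, "users": {"agent": R | X},
               "group_obj": 0, "mask": R | X, "other": 0}

def inherit_acl(default_acl, create_mode):
    """Access ACL of a new file created under a directory with a default ACL.

    The owner, mask and other entries are ANDed with the matching bits of the
    mode passed to open()/mkdir(); the umask is not used in this case. The
    group bits of the creation mode therefore limit the mask.
    """
    acl = dict(default_acl)
    acl["user_obj"] &= (create_mode >> 6) & 7
    acl["mask"] &= (create_mode >> 3) & 7
    acl["other"] &= create_mode & 7
    return acl

def chmod(acl, mode):
    """chmod on a file that has an extended ACL: group bits rewrite the mask."""
    new = dict(acl)
    new["user_obj"] = (mode >> 6) & 7
    new["mask"] = (mode >> 3) & 7
    new["other"] = mode & 7
    return new

def effective(acl, who):
    """Effective rights of a named-user entry: entry AND mask."""
    return acl["users"][who] & acl["mask"]

def rwx(bits):
    """Render permission bits the way getfacl prints them."""
    return "".join(c if bits & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))

if __name__ == "__main__":
    for mode in (0o600, 0o640):  # 0600 is from the post; 0640 is a contrast value
        acl = inherit_acl(DEFAULT_ACL, mode)
        print(f"created {mode:04o}: user:agent:{rwx(acl['users']['agent'])} "
              f"mask::{rwx(acl['mask'])} #effective:{rwx(effective(acl, 'agent'))}")
```
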

