[sudo-users] sudo_logsrvd.conf permissions

Stefan Johnson tigerphoenixdragon at gmail.com
Fri Jul 30 12:58:08 MDT 2021

Hello again, list.

In testing, I've noticed that the permissions of the subdirectories being
created don't match what I expect to see.

In the [iolog] section of sudo_logsrvd.conf, I have the following settings:
iolog_dir = /var/log/sudo_replay_logs/%Y/%m/%d/%H%M/%{hostname}/
iolog_file = %{user}-%s-XXXXXX
iolog_group = redacted
iolog_mode = 0640

The directories are being created with 700 permissions, which means the
subdirectories don't allow the group to read the files, even though the
files themselves are the correct permission.

I tried setting the setgid bit on the /var/log/sudo_replay_logs directory and
all existing subdirectories, but the new directories created after setting
this for testing still only show 2700 instead of 2750 as expected.

Is there a way to configure this to behave properly?  The reason we want a
specific group to be able to go into this is our log forwarding agent needs
access, and we don't want it to run as root.
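
An added example (not part of the original post, and not sudo project code): a Python audit that reports which directories under an I/O log tree block members of a given group and which files lack group read. The function names, the sample tree, the host name `host1` and the user `alice` are constructed for illustration.

```python
import os
import stat
import tempfile

def group_can(st, gid, want):
    """True if a non-owner, non-root process in group `gid` gets all `want` bits (r=4, x=1)."""
    # The group class applies when the gid matches, otherwise the "other" class.
    # POSIX ACLs are not considered here.
    bits = (st.st_mode >> 3) & 7 if st.st_gid == gid else st.st_mode & 7
    return bits & want == want

def audit_iolog_tree(root, gid):
    """Return (blocked_dirs, unreadable_files) for members of `gid` under `root`.

    Run as root or as the directory owner so the walk itself can descend.
    """
    blocked, unreadable = [], []
    for dirpath, _dirs, files in os.walk(root):
        st = os.lstat(dirpath)
        if not group_can(st, gid, 5):  # r-x is needed to list and traverse
            blocked.append((dirpath, stat.S_IMODE(st.st_mode)))
        for name in files:
            path = os.path.join(dirpath, name)
            if not group_can(os.lstat(path), gid, 4):
                unreadable.append(path)
    return blocked, unreadable

def build_sample_tree(dir_mode=0o700, file_mode=0o640):
    """Constructed sample: one session directory shaped like the iolog_dir in the post."""
    root = tempfile.mkdtemp(prefix="sudo_replay_logs_")
    session = os.path.join(root, "2021", "07", "30", "1258", "host1")
    os.makedirs(session)
    log = os.path.join(session, "alice-1627671488-a1b2c3")  # constructed name
    with open(log, "w") as fh:
        fh.write("constructed placeholder\n")
    os.chmod(log, file_mode)
    for dirpath, _dirs, _files in os.walk(root):
        os.chmod(dirpath, dir_mode)
    return root, log

if __name__ == "__main__":
    root, _ = build_sample_tree()
    blocked, unreadable = audit_iolog_tree(root, os.stat(root).st_gid)
    for path, mode in blocked:
        print(f"{mode:04o} {path}")
    print("files without group read:", unreadable)
```

On the constructed tree every directory is reported as blocked while the 0640 file itself passes, which is the combination described in the post: the file mode is fine, but no group member can reach it.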



