[ale] Any reason not to open read permissions to /var/log/messages?

Jeff Lightner jlightner at water.com
Wed Apr 9 09:37:35 EDT 2008


Thanks for all the replies.

By the way the reason I said don't say "because it isn't any of their
business" is because of politics.  While I would love to say that
(because it is the first thing that occurred to me) I knew if that was
the only reason provided I would be instructed to give them access.

As an FYI:  The reason this came up is because my coworker made the
mistake of telling the DBAs that he'd seen a message about one of their
applications doing a core dump. Rather than going and looking at
Oracle logs to determine what had occurred and why, they of course wanted
immediate access to our logs in perpetuity. I don't agree that there
would be "no" value in giving them access but do believe that most
things that would require access to messages should require them to
engage System Admins.  That is to say the downside to me seems worse
than the upside.  Part of our discussion with our boss yesterday
included the fact that DBAs the world over always want to blame the OS
or the hardware rather than troubleshoot the DB and applications and in
our view this request was a part of that - they could see a message and
ask us to research it rather than troubleshoot the issue they are having
that made them look at the log in the first place.    

Another reason I gave our boss when we discussed this yesterday was that
if we had to reconfigure syslogd to ensure that security-related items
never made it to messages then it would require us admins to review
multiple logs rather than see things in a linear fashion in a single
log.  (Of course there already ARE other logs that we look at for
various purposes but there's nothing like a /var/log/messages file with
timestamps for a quick and dirty check into system issues.) This seemed
to make an impact on him so I mention it for posterity if someone else
needs reasons in the future.

________________________________

From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Jim Kinney
Sent: Tuesday, April 08, 2008 10:23 PM
To: ale at ale.org
Subject: Re: [ale] Any reason not to open read permissions to /var/log/messages?

Well, there should be nothing going into /var/log/messages pertaining to
anything a DBA has perms to resolve anyway.

(I resisted the urge to scream "because it ISN'T any of their
business"!)

Messages has connectivity data. If connections to the system are a
problem, that is not a DBA issue. It's a sysadmin issue. 

Others have discussed the accidental password as username issue and that
is ammo enough to bar all non-root-access users from ever gaining access
to most of /var/log. There is a reason why most database systems have
their own log file process and location.

Lastly, the warm and fuzzy reason, it encourages close collaboration
between the DBA and systems people.

Nah! Just kidding. The Sys Admins all know the DBAs are mostly one
trick bozos who couldn't type up a shell script with a book and a coach
and the DBAs think the admins are a bunch of hygiene challenged smug
SOBs who just get in the way of their glory moment.

:-)

2008/4/8 Jeff Lightner <jlightner at water.com>:

/var/log/messages is currently only read/write for root with no
permissions for anyone else.

Other than "none of their business" can anyone tell me any reason not to
allow DBAs the ability to read the file (i.e. change it to be read for
group and other)?

-- 
James P. Kinney III 
