# Syslog-ng and ACLs

## jesterspet

I would like to add read permissions for a user account (not root) to the /var/log/messages file using ACLs.

This would be trivial with setfacl if the log file did not rotate.

I am unable to locate a way to have syslog-ng create the file with the correct permissions.

Does anyone know how to get syslog-ng to create log files with ACL entries?

----------

## Bones McCracker

Not offhand, but one way around this would be to have logrotate truncate the file instead of re-creating it.

----------

## jesterspet

True, but that means no more log rotation for me.

I'd like to be able to rotate my log files & be able to grant read permissions to individual users and groups to root owned files without affecting the normal operation of the system.

It would seem that the solution I am looking for is going to have to be a cron job that checks the ACLs, evaluates whether they are present and correct, and if not applies them to the specified file. This is less than ideal, but I don't see another solution.

----------

## Bones McCracker

 *jesterspet wrote:*   

> True, but that means no more log rotation for me  
> 
> I'd like to be able to rotate my log files & be able to grant read permissions to individual users and groups to root owned files without affecting the normal operation of the system.
> 
> It would seem that the solution I am looking for is going to have to be a cron job that checks the ACLs, evaluates whether they are present and correct, and if not applies them to the specified file. This is less than ideal, but I don't see another solution.

 

You can still do that. Truncation just means that logrotate leaves the original file there and deletes its contents, instead of moving the file somewhere else and creating a new one. See the logrotate man page.

You may find better ways of dealing with it, though; that's just what came to mind.

----------
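The truncation approach discussed in this thread, next to a rename-based alternative that re-applies the ACL, written as an added logrotate example that does not come from either poster. The user name `logreader`, the rotation schedule and the 0640 mode are assumptions.

```conf
# Constructed example for a file under /etc/logrotate.d/.
# "logreader" is a hypothetical account; grant it access once with:
#   setfacl -m u:logreader:r /var/log/messages

# Option A: truncate in place. The live file keeps its inode, so the
# ACL entry set above survives every rotation.
/var/log/messages {
    weekly
    rotate 4
    missingok
    notifempty
    # Copy the log to messages.1, then truncate the original.
    # Lines written between the copy and the truncate can be lost.
    copytruncate
}

# Option B (use instead of A, never both for the same path):
# rotate by rename and re-apply the ACL to the newly created file.
#/var/log/messages {
#    weekly
#    rotate 4
#    missingok
#    notifempty
#    # logrotate creates the empty replacement file before postrotate runs
#    create 0640 root root
#    postrotate
#        setfacl -m u:logreader:r /var/log/messages
#        # keep whatever syslog-ng reload command your existing stanza uses
#    endscript
#}
```

After a rotation, run `getfacl` on both `/var/log/messages` and the rotated copy: with option A the copy is a new file without the ACL entry, while with option B the renamed file keeps the entry it had as the live log.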

