When you specify the -c start option,
syslogd creates log files and directories dynamically. By default,
directories are created with the permissions value 0700, which means
that only the owner can read, write, and list the contents of the
directory. Similarly, if syslogd needs to create a file, the default
permissions value is 600, which again means that only the owner can
read and write to the file. Because a user ID with UID 0 must run
syslogd, the owner is always a superuser. To change the default permissions
used by syslogd, use either the -F or the -D start option to set the
global default permissions for files and directories, respectively.
Tip: The -F and -D start options have no effect on files
or directories that already exist.
You can also use the -F and -D configuration options to override
global defaults for individual syslogd rules. Specify -F or -D (or
both) with octal values following the file name. For example:
*.err /var/log/%Y/%m/%d/errors -F 640 -D 644
The file permission bits, whether provided on the rule or as global
defaults, are modified by the syslogd process file creation mask (umask),
and then used to set the file permission bits of a file that is being
created.
If you want users other than a superuser to have access to log files,
consider the following options before changing the syslogd default permissions
for files and directories:
- Before starting syslogd, create the log file (and containing directory
if necessary) with permissions and ownership that allow the other
users to have access. If a single user needs access, you can make
the file user ID (UID) match that of the user ID that needs access.
If multiple users need access, set a new or existing group ID (GID)
as the file's GID, and set the permissions to allow members of the
group to have read access, write access, or both. The file or directory
UID and GID can be set with the chown command.
Be sure to give the syslogd user ID write access to the log files.
This technique is useful only if the files are not being created dynamically
by syslogd.
- If you are not using file access control lists (ACLs), files and
directories created by syslogd have the owner UID 0. By default, the
owning GID is set to that of the parent directory. However, if the
FILE.GROUPOWNER.SETGID profile exists in the UNIXPRIV class, the owning
GID is determined by the set-GID bit of the parent directory, as follows:
  - If the set-GID bit of the parent directory is on, the owning GID
  is set to that of the parent directory.
  - If the set-GID bit of the parent directory is off, the owning
  GID is set to the effective GID of the process.
When there are no file access control lists, the only way
to manage log files with different access requirements that must be
accessed by different groups of users is to create the containing
directories with the appropriate GIDs before starting syslogd, and
let syslogd dynamically create the log files in the appropriate directories.
The log files then inherit the GID of the directory, if the directory
has the set-GID bit on.
- A third way to provide access to log files for different users
or groups of users is to use file access control lists. For information
about setting file access control lists, see the setfacl command
in z/OS UNIX System Services Command Reference. The ACLs for dynamically created directories
and files can be inherited from defaults set on the parent directory.
When using this method, be sure that the syslogd user ID continues
to have write access to the log files.
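The following shell script is an added example and is not part of the z/OS documentation or of syslogd itself. It illustrates two points from the text above: how the syslogd process umask trims the permission bits requested with -F or -D before a file is created, and the second option, pre-creating a log directory with the desired group and the set-GID bit on so that files created in it later inherit that group. It assumes a POSIX shell with ls, chgrp, chmod, awk and mktemp (z/OS UNIX or Linux); the group name used is the current user's primary group, the paths are constructed under a temporary directory, and the file creation step stands in for syslogd rather than running syslogd.

```shell
#!/bin/sh
# Added example, not from the z/OS documentation: umask interaction with
# requested permission bits, and GID inheritance from a set-GID directory.
# Group name, paths and the "errors" file name are constructed for the demo.

# Apply a umask to a requested permission value the way file creation does:
# every bit set in the umask is cleared from the requested bits.
# $1 = requested bits (octal, e.g. 640 from "-F 640"), $2 = umask (octal).
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# Pre-create a log directory owned by a chosen group with the set-GID bit
# on (mode 2750: owner rwx, group r-x plus set-GID, others nothing).
# Files created in it afterwards inherit the directory's GID.
# $1 = directory path, $2 = group name.
prepare_log_dir() {
    mkdir -p "$1" || return 1
    chgrp "$2" "$1" || return 1
    chmod 2750 "$1" || return 1
}

# Stand-in for syslogd creating a log file: request 666 under a 027 umask
# (run in a subshell so the caller's umask is untouched) and print the
# group the new file ended up with, to confirm inheritance from the directory.
create_log_file() {
    ( umask 027 && : > "$1/errors" ) || return 1
    ls -l "$1/errors" | awk '{ print $4 }'
}

# Group of a path as reported by ls (field 4).
group_of() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Permission string of a path as reported by ls (first 10 characters).
perm_string_of() {
    ls -ld "$1" | cut -c1-10
}

main() {
    echo "666 with umask 027 -> $(effective_mode 666 027)"   # 640
    echo "640 with umask 022 -> $(effective_mode 640 022)"   # 640
    echo "700 with umask 077 -> $(effective_mode 700 077)"   # 700

    logdir=$(mktemp -d)/syslog
    prepare_log_dir "$logdir" "$(id -gn)"
    echo "directory: $(perm_string_of "$logdir") group=$(group_of "$logdir")"
    echo "file group: $(create_log_file "$logdir")"
    echo "file: $(perm_string_of "$logdir/errors")"
    rm -rf "$(dirname "$logdir")"
}

main
```

On a real system the group passed to prepare_log_dir would be the group of users who need to read the logs, and the directory would be created before syslogd starts so that the dynamically created files land in it; the owner (UID 0 for syslogd) keeps write access through the owner bits, which the umask in this example leaves intact.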