Fellow AIX'ers;

I am trying to implement the "script" command for certain users at the end of my /etc/profile file. The problem I am running into is that when script tries to open the log file specified it does not have permission to do so. Because I am trying to keep the log files separate for specific users I am using as a filename "/var/log/profile.log.$LOGIN". While this is resolving correctly, script gets a permission denied error message when attempting to create a non-existing file. If I use touch to create it first, then the touch command gets the same error. Obviously the user who the script is running for doesn't have sufficient permissions to accomplish this.

While I've tried many work-arounds, I thought I would post here for all you gurus and experts to advise on. Therefore, what mechanism should be used to allow the file to be created at this level?

Thanks all.

bobmct wrote:
> "...permission denied error message when attempting to create a non-existing file."
> Obviously the user who the script is running for doesn't have sufficient
> permissions to accomplish this.

Obvious indeed.

#grant write access to directory
$ chmod o+w /var/log

Of course, the observant user may choose to remove or modify his
particular profile.log.$LOGIN file.

Niel

On Tue, 15 Jan 2008 01:17:24 +0200, Niel Lambrechts <[email protected]> wrote:
>bobmct wrote:
>> "...permission denied error message when attempting to create a non-existing file."
>> Obviously the user who the script is running for doesn't have sufficient
>> permissions to accomplish this.
>
>Obvious indeed.
>
>#grant write access to directory
>$ chmod o+w /var/log
>
>Of course, the observant user may choose to remove or modify his
>particular profile.log.$LOGIN file.
>
>Niel

Thanks for the suggestion, Niel;

However, the chmod is also denied with "insufficient permissions".

And yes, an astute user 'could' search for and delete such a log file. But, the path and name might actually be a lot different than specified and many 'tricky' users are not that astute.

Thanks,

Bob

On Jan 15, 1:27 am, [email protected] wrote:
> On Tue, 15 Jan 2008 01:17:24 +0200, Niel Lambrechts <[email protected]>
> wrote:
>
> >bobmct wrote:
> >> "...permission denied error message when attempting to create a non-existing file."
> >> Obviously the user who the script is running for doesn't have sufficient
> >> permissions to accomplish this.
>
> >Obvious indeed.
>
> >#grant write access to directory
> >$ chmod o+w /var/log
>
> >Of course, the observant user may choose to remove or modify his
> >particular profile.log.$LOGIN file.
>
> >Niel
>
> Thanks for the suggestion, Niel;
>
> However, the chmod is also denied with "insufficient permissions".
>
> And yes, an astute user 'could' search for and delete such a log file.
> But, the path and name might actually be a lot different than
> specified and many 'tricky' users are not that astute.
>
> Thanks,
>
> Bob

You should be root to change the permissions of /var/log.

You could also have a small C-program that creates the log with the necessary permissions, and make that program setuid root.

Are you sure you have enough experience to administer this system? If not, you'd better take some courses first.

On Jan 15, 11:39 am, "Gerard H. Pille" <[email protected]> wrote:
> On Jan 15, 1:27 am, [email protected] wrote:
>
> > On Tue, 15 Jan 2008 01:17:24 +0200, Niel Lambrechts <[email protected]>
> > wrote:
>
> > >bobmct wrote:
> > >> "...permission denied error message when attempting to create a non-existing file."
> > >> Obviously the user who the script is running for doesn't have sufficient
> > >> permissions to accomplish this.
>
> > >Obvious indeed.
>
> > >#grant write access to directory
> > >$ chmod o+w /var/log
>
> > >Of course, the observant user may choose to remove or modify his
> > >particular profile.log.$LOGIN file.
>
> > >Niel
>
> > Thanks for the suggestion, Niel;
>
> > However, the chmod is also denied with "insufficient permissions".
>
> > And yes, an astute user 'could' search for and delete such a log file.
> > But, the path and name might actually be a lot different than
> > specified and many 'tricky' users are not that astute.
>
> > Thanks,
>
> > Bob
>
> You should be root to change the permissions of /var/log.
>
> You could also have a small C-program that creates the log with the
> necessary permissions, and make that program setuid root.
>
> Are you sure you have enough experience to administer this system?
> If not, you'd better take some courses first.

Moreover, it is not a good idea to make /var/log world writeable, anyone could go and delete logs. If you really need those logs under /var/log, make a subdirectory and make that one world writeable.

Hello Bob,

I think you need to consider heavily what Gerard and Niel have already said. If you are looking for a security measure, then your efforts are in vain. Once you work out how to make the permissions of /var/log (or whatever other directory you end up using) you will run into the problem of users having to exit twice. Also, the log file will show when the user logs in. Even moderately astute users will notice what is going on, and be able to circumvent the logs.

If you are concerned about security, it is better to restrict all root access, and use a properly configured sudo environment. (Properly configured meaning limiting commands like "ksh", or "su", or any other command where logging is lost.) And then you can configure sudo to use syslog for logging, and log to another machine all privileged access.

Good luck with your system

--Casey
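
An added example, not part of any post in this thread: a shell check for the two points raised above, that a world-writable log directory lets anyone delete logs, and that a log file created by the user's own script session is owned by that user. The function names, finding labels and scratch directory are hypothetical.

```shell
#!/bin/sh
# Added example: audit a session-log directory and a per-user log file.
# Parses `ls -ld` output so it does not depend on GNU stat.

# audit_logdir DIR prints one finding:
#   not-a-directory        missing, a symlink, or not a directory
#   restricted             "other" cannot create or delete entries
#   world-writable-sticky  anyone can create files; only a file's owner,
#                          the directory owner or root can delete it
#   world-writable         anyone can delete or rename ANY file in DIR
audit_logdir() {
    if [ -L "$1" ] || [ ! -d "$1" ]; then
        echo "not-a-directory"; return 0
    fi
    mode=$(ls -ld "$1" | cut -c1-10)           # e.g. drwxrwxrwt
    other_w=$(printf '%s' "$mode" | cut -c9)   # write bit for "other"
    other_x=$(printf '%s' "$mode" | cut -c10)  # x, -, t or T (t/T = sticky)
    if [ "$other_w" != "w" ]; then
        echo "restricted"
    elif [ "$other_x" = "t" ] || [ "$other_x" = "T" ]; then
        echo "world-writable-sticky"
    else
        echo "world-writable"
    fi
}

# owner_can_tamper FILE USER prints "yes" when USER owns FILE. The owner can
# always truncate or chmod the file, whatever the directory mode is, which is
# why a log written by the user's own session is not tamper-resistant.
owner_can_tamper() {
    owner=$(ls -ld "$1" | awk '{print $3}')
    if [ "$owner" = "$2" ]; then echo "yes"; else echo "no"; fi
}

# Constructed demo: a scratch directory stands in for a log subdirectory.
demo=$(mktemp -d)
chmod 0777 "$demo"; echo "0777 -> $(audit_logdir "$demo")"
chmod 1733 "$demo"; echo "1733 -> $(audit_logdir "$demo")"
touch "$demo/profile.log.demo"
me=$(ls -ld "$demo" | awk '{print $3}')
echo "own log tamperable -> $(owner_can_tamper "$demo/profile.log.demo" "$me")"
rm -rf "$demo"
```

Even the sticky-bit result only stops users from deleting each other's files; the "yes" from owner_can_tamper is the reason the last post points to sudo with syslog forwarded to another machine.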