
I have a directory with log files and I'm putting logs from script launched by users into them. Logging with syslog doesn't seem possible in this case. (non-daemon rsync)

I want the users to have only write permissions on log files. The problem is, that write permissions must be further restricted, so that users (script) can only append to that files. The underlying filesystem is XFS.

The following doesn't work:

# chattr +a test.log
chattr: Inappropriate ioctl for device while reading flags on test.log

Is there any other solution for this? Thank you for your hints.

4
  • Are you sure it's XFS? chattr +a works for me here (3.2 kernel). Note that you need to be root to use chattr (a $ prompt suggests non-superuser), though you'd get a different error message if chattr +a was supported and you were not root. Commented Dec 30, 2012 at 22:02
  • Also posted on Serverfault. Don't do this. Commented Dec 30, 2012 at 23:34
  • What are the mount options on the partition? It might possibly store it using xattr, which might need the relevant mount option? (The documentation for XFS doesn't mention much about it either...) Commented Dec 31, 2012 at 9:40
  • This closed on SF, so I'm leaving it open here Commented Dec 31, 2012 at 17:29

3 Answers

13

The chattr utility is written for ext2/ext3/ext4 filesystems. It emits ioctls on the files, so it's up to the underlying filesystem to decide what to do with them. The XFS driver in newer Linux kernels supports the same FS_IOC_SETFLAGS ioctl as ext[234] to control flags such as append-only, but you may be running an older kernel where it doesn't (CentOS?). Try using the xfs_io utility instead:

echo chattr +a | xfs_io test.log

Note that, for XFS like for ext[234], only root can change the append-only flag (more precisely, you need the CAP_LINUX_IMMUTABLE capability).
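An added example, not code from the question or any of the answers: a small audit script that checks whether the files in a log directory actually carry the append-only flag and behave the way the question wants (appends allowed, non-append writes refused). It issues the same FS_IOC_GETFLAGS ioctl that chattr and lsattr use, so a filesystem that does not implement it is reported as "unsupported" rather than crashing, which is the condition behind the "Inappropriate ioctl for device" error above. The ioctl number is assumed to use the generic encoding on a 64-bit kernel (x86_64/aarch64); the flag bits are the values from <linux/fs.h>. The sample directory and its log line are constructed for the demonstration.

```python
"""Audit a log directory for the append-only inode flag.

Added example, not code from the question or its answers. Assumes a
64-bit Linux whose ioctl numbers use the generic _IOC encoding
(x86_64/aarch64); flag bits are the values from <linux/fs.h>.
"""
import errno
import fcntl
import os
import struct
import tempfile

# Inode flag bits from <linux/fs.h>
FS_IMMUTABLE_FL = 0x00000010   # chattr +i
FS_APPEND_FL = 0x00000020      # chattr +a

# FS_IOC_GETFLAGS is _IOR('f', 1, long). Generic _IOC encoding:
# direction (read == 2) << 30 | size << 16 | type << 8 | nr
_LONG_SIZE = struct.calcsize("l")
FS_IOC_GETFLAGS = (2 << 30) | (_LONG_SIZE << 16) | (ord("f") << 8) | 1

# errnos a filesystem returns when it does not implement the ioctl
_UNSUPPORTED = (errno.ENOTTY, errno.ENOSYS, errno.EINVAL, errno.EOPNOTSUPP)


def inode_flags(path):
    """Return the inode flag word, or None when the filesystem does not
    answer FS_IOC_GETFLAGS (the situation chattr failed in above)."""
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        buf = bytearray(_LONG_SIZE)
        try:
            fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf)
        except OSError as exc:
            if exc.errno in _UNSUPPORTED:
                return None
            raise
        # The kernel stores the flags as a C int at the start of the buffer.
        return struct.unpack("i", bytes(buf[:4]))[0]
    finally:
        os.close(fd)


def classify(path):
    """'append-only', 'immutable', 'unprotected', or 'unsupported'."""
    flags = inode_flags(path)
    if flags is None:
        return "unsupported"
    if flags & FS_IMMUTABLE_FL:
        return "immutable"
    if flags & FS_APPEND_FL:
        return "append-only"
    return "unprotected"


def _open_ok(path, mode):
    """Probe whether open(2) with `mode` succeeds; nothing is written."""
    try:
        fd = os.open(path, mode)
    except PermissionError:      # EACCES from mode bits, EPERM from +a
        return False
    os.close(fd)
    return True


def can_append(path):
    """O_APPEND write opens: what the users' scripts legitimately need."""
    return _open_ok(path, os.O_WRONLY | os.O_APPEND)


def can_overwrite(path):
    """Non-append write opens: a +a inode refuses these with EPERM even
    for the file's owner, which is the guarantee the question is after."""
    return _open_ok(path, os.O_WRONLY)


def audit(directory):
    """Map each regular file to (state, can_append, can_overwrite)."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            report[name] = (classify(path), can_append(path), can_overwrite(path))
    return report


def is_append_only_log(entry):
    """True for the desired end state: appends allowed, rewrites refused."""
    state, appendable, overwritable = entry
    return state == "append-only" and appendable and not overwritable


def make_sample_dir():
    """Constructed sample: a fresh directory holding one ordinary log file."""
    directory = tempfile.mkdtemp(prefix="logaudit-")
    with open(os.path.join(directory, "rsync.log"), "w") as fh:
        fh.write("constructed sample line\n")
    return directory


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_dir()
    for name, entry in audit(target).items():
        verdict = "OK" if is_append_only_log(entry) else "NEEDS ATTENTION"
        print(f"{name}: {entry[0]}, append={entry[1]}, overwrite={entry[2]} -> {verdict}")
```

Run it as the unprivileged account whose scripts write the logs (for example `python3 audit.py /var/log/userlogs`): mode bits are bypassed by root, but the +a flag is not, so an "unprotected" or "unsupported" state combined with overwrite=True means the directory still depends on ordinary permissions alone. Setting the flag itself still needs CAP_LINUX_IMMUTABLE, as the answer above notes.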

1

Do you have permissions to do that? From man 1 chattr:

A file with the `a' attribute set can only be opened in append mode for writing. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.

1

Alternatively, you can achieve the same using SELinux; chances are it's enabled and running if you are using a Red Hat compatible distro. This works on every filesystem: SELinux blocks processes from performing disallowed operations.

Unfortunately, you need to write a policy for your application to allow accessing all system resources, except appending to particular file(s). This can be a bit challenging if you do this for the first time, but there is an advantage to this - an added layer of security.

I have an example of how to write an append-only file rule in this talk: https://www.youtube.com/watch?v=zQcYXJkwTns
