From: Michael Tharp on 1 Jul 2010 13:19

On 07/01/2010 12:56 PM, Kevin Grittner wrote:
> I just tried creating a symbolic link to the pg_log directory and
> flagging the existing logs within it to 640. As a member of the
> group I was able to list and view the contents of log files through
> the symbolic link, even though I didn't have any authority to the
> PostgreSQL data directory.
>
> That seems potentially useful to me.

Symlinks are exactly equivalent to using the target of the link. Your permissions are probably already arranged so that you (as a group member) can access the files. Fedora's initscript seems to deliberately revoke group permissions from PGDATA and pg_log so I'm guessing that at some point some things were created with some group permissions.

That said, as Martin mentions one can easily place the log directory outside of the data directory and set appropriate directory permissions.

-- m. tharp

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: "Stephen J. Butler" on 1 Jul 2010 14:06

On Thu, Jul 1, 2010 at 12:19 PM, Michael Tharp <gxti(a)partiallystapled.com> wrote:
> That said, as Martin mentions one can easily place the log directory outside
> of the data directory and set appropriate directory permissions.

If I can offer my $0.02, I recently solved such a problem on SuSE Linux with apache logs. I used the ACL support on ext3 to give a specific group read-only access:

    cd /var/log
    # Add an ACL for the 'www' user
    setfacl -m u:www:r-x apache2
    setfacl -m u:www:r-- apache2/*
    # Modify the default ACL so that new files get 'r' for user
    setfacl -d -m u:www:r-- apache2

Just pointing out that this problem is solvable on systems that support ACLs w/o patching postgres.

From: Tom Lane on 1 Jul 2010 13:07

Martin Pihlak <martin.pihlak(a)gmail.com> writes:
> Tom Lane wrote:
>> It doesn't appear to me that this helps unless you are willing to make
>> the containing director(ies) group-readable/executable as well, which is
>> something we've resisted doing.

> The log can be moved outside of data directory by setting "log_directory"
> to an absolute path.

Oh, of course. We'd need to mention that in the documentation for the log-file-permission GUC.

regards, tom lane

From: Martin Pihlak on 5 Jul 2010 05:58

Martin Pihlak wrote:
> Attached is a patch that adds a GUC "log_file_mode" which allows to specify
> the creation mode for the log files. Presently it lacks documentation, which
> I'll add if the idea is generally acceptable.
>

Updated patch attached.

regards, Martin

From: Itagaki Takahiro on 12 Jul 2010 01:57

I checked "log_file_mode GUC" patch, and found a couple of Windows-specific and translation issues.

* fchmod() is not available on some platforms, including Windows.

    fh = fopen(filename, mode);
    setvbuf(fh, NULL, LBF_MODE, 0);
    fchmod(fileno(fh), Log_file_mode);

  I think umask()->fopen() is better rather than fopen()->chmod(). See codes in DoCopyTo() at commands/copy.c.

* How does the file mode work on Windows? If it doesn't work, we should explain it in docs. Description for .pgpass for Windows might be a help.

  | http://developer.postgresql.org/pgdocs/postgres/libpq-pgpass.html
  | On Microsoft Windows, ... no special permissions check is made.

* This message format is hard to translate.

    ereport(am_rotating ? LOG : FATAL,
            (errcode_for_file_access(),
             (errmsg("could not create%slog file \"%s\": %m",
                     am_rotating ? " new " : " ", filename))));

  It might look a duplication of codes, but I think this form is better because we can reuse the existing translation catalogs.

    if (am_rotating)
        ereport(LOG, ... "could not open new log file ...");
    else
        ereport(FATAL, ... "could not create log file ...");

-- Itagaki Takahiro
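
The umask()-before-fopen() ordering suggested in the message above, as an added example that is not part of the thread or of the patch: the file is created with its final permissions, so there is no interval in which it exists with wider ones. The names open_log_with_mode and created_mode and the /tmp path are hypothetical.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700       /* mkdtemp(), fileno() under strict -std */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Hypothetical helper, not PostgreSQL code: open a log file for append so
 * that a newly created file gets `mode` at creation time. fopen() asks for
 * 0666, so the result is 0666 & mode (execute bits can never be set).
 * umask is process-wide: assumes no other thread creates files meanwhile. */
static FILE *open_log_with_mode(const char *path, mode_t mode)
{
    mode_t old = umask((mode_t) (~mode & 0777));
    FILE *fh = fopen(path, "a");

    umask(old);                 /* restore even when fopen() failed */
    return fh;
}

/* Create a log file in a fresh private directory and return the permission
 * bits it was created with, or -1 on error. */
static int created_mode(mode_t mode)
{
    char dir[] = "/tmp/logmode-XXXXXX";   /* constructed sample location */
    char path[64];
    struct stat st;
    int result = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof(path), "%s/server.log", dir);
    FILE *fh = open_log_with_mode(path, mode);
    if (fh != NULL) {
        if (fstat(fileno(fh), &st) == 0)
            result = (int) (st.st_mode & 0777);
        fclose(fh);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("0640 -> %04o\n", (unsigned) created_mode(0640));
    printf("0600 -> %04o\n", (unsigned) created_mode(0600));
    return 0;
}
```

The mode applies only when the file is created; opening an existing log file for append leaves its permissions unchanged.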