From: Michael Tharp on
On 07/01/2010 12:56 PM, Kevin Grittner wrote:
> I just tried creating a symbolic link to the pg_log directory and
> flagging the existing logs within it to 640. As a member of the
> group I was able to list and view the contents of log files through
> the symbolic link, even though I didn't have any authority to the
> PostgreSQL data directory.
>
> That seems potentially useful to me.

Symlinks are exactly equivalent to using the target of the link. Your
permissions are probably already arranged so that you (as a group
member) can access the files. Fedora's initscript seems to deliberately
revoke group permissions from PGDATA and pg_log so I'm guessing that at
some point some things were created with some group permissions.

That said, as Martin mentions one can easily place the log directory
outside of the data directory and set appropriate directory permissions.

-- m. tharp

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: "Stephen J. Butler" on
On Thu, Jul 1, 2010 at 12:19 PM, Michael Tharp
<gxti(a)partiallystapled.com> wrote:
> That said, as Martin mentions one can easily place the log directory outside
> of the data directory and set appropriate directory permissions.

If I can offer my $0.02, I recently solved such a problem on SuSE
Linux with apache logs. I used the ACL support on ext3 to give a
specific group read-only access:

cd /var/log
# Add an ACL for the 'www' user
setfacl -m u:www:r-x apache2
setfacl -m u:www:r-- apache2/*
# Modify the default ACL so that new files get 'r' for user
setfacl -d -m u:www:r-- apache2

Just pointing out that this problem is solvable on systems that
support ACLs w/o patching postgres.

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Tom Lane on
Martin Pihlak <martin.pihlak(a)gmail.com> writes:
> Tom Lane wrote:
>> It doesn't appear to me that this helps unless you are willing to make
>> the containing director(ies) group-readable/executable as well, which is
>> something we've resisted doing.

> The log can be moved outside of data directory by setting "log_directory"
> to an absolute path.

Oh, of course. We'd need to mention that in the documentation for the
log-file-permission GUC.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Martin Pihlak on
Martin Pihlak wrote:
> Attached is a patch that adds a GUC "log_file_mode" which allows to specify
> the creation mode for the log files. Presently it lacks documentation, which
> I'll add if the idea is generally acceptable.
>

Updated patch attached.

regards,
Martin

From: Itagaki Takahiro on
I checked "log_file_mode GUC" patch, and found a couple of Windows-specific
and translation issues.

* fchmod() is not available on some platforms, including Windows.
fh = fopen(filename, mode);
setvbuf(fh, NULL, LBF_MODE, 0);
fchmod(fileno(fh), Log_file_mode);

I think umask()->fopen() is better rather than fopen()->chmod().
See codes in DoCopyTo() at commands/copy.c.

* How does the file mode work on Windows?
If it doesn't work, we should explain it in docs.
Description for .pgpass for Windows might be a help.
| http://developer.postgresql.org/pgdocs/postgres/libpq-pgpass.html
| On Microsoft Windows, ... no special permissions check is made.

* This message format is hard to translate.
ereport(am_rotating ? LOG : FATAL,
(errcode_for_file_access(),
(errmsg("could not create%slog file \"%s\": %m",
am_rotating ? " new " : " ", filename))));

It might look a duplication of codes, but I think this form is better
because we can reuse the existing translation catalogs.
if (am_rotating)
ereport(FATAL, ... "could not create log file ...);
else
ereport(LOG, ... "could not open new log file ...);

--
Itagaki Takahiro

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

First  |  Prev  |  Next  |  Last
Pages: 1 2 3 4
Prev: [HACKERS] log files and permissions
Next: [HACKERS] hello