From: Martin Pihlak on
Martin Pihlak wrote:
> Attached is a patch that adds a GUC "log_file_mode" which allows specifying
> the creation mode for the log files. Presently it lacks documentation, which
> I'll add if the idea is generally acceptable.
>

Now it really is attached.

regards,
Martin

From: Tom Lane on
Martin Pihlak <martin.pihlak(a)gmail.com> writes:
> It'd be convenient if the log files would have group read access. Then we could
> make all the DBA or monitoring users members of the postgres group and they'd
> have direct access to the logs. However, as the "group read" is not likely a
> universally correct setting, the creation mode needs to be configurable.

It doesn't appear to me that this helps unless you are willing to make
the containing director(ies) group-readable/executable as well, which is
something we've resisted doing.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: "Kevin Grittner" on
Tom Lane <tgl(a)sss.pgh.pa.us> wrote:
> Martin Pihlak <martin.pihlak(a)gmail.com> writes:
>> It'd be convenient if the log files would have group read access.
>> Then we could make all the DBA or monitoring users members of the
>> postgres group and they'd have direct access to the logs.
>> However, as the "group read" is not likely a universally correct
>> setting, the creation mode needs to be configurable.
>
> It doesn't appear to me that this helps unless you are willing to
> make the containing director(ies) group-readable/executable as
> well, which is something we've resisted doing.

I just tried creating a symbolic link to the pg_log directory and
flagging the existing logs within it to 640. As a member of the
group I was able to list and view the contents of log files through
the symbolic link, even though I didn't have any authority to the
PostgreSQL data directory.

That seems potentially useful to me.

-Kevin


From: Stephen Frost on
* Tom Lane (tgl(a)sss.pgh.pa.us) wrote:
> Martin Pihlak <martin.pihlak(a)gmail.com> writes:
> > It'd be convenient if the log files would have group read access. Then we could
> > make all the DBA or monitoring users members of the postgres group and they'd
> > have direct access to the logs. However, as the "group read" is not likely a
> > universally correct setting, the creation mode needs to be configurable.
>
> It doesn't appear to me that this helps unless you are willing to make
> the containing director(ies) group-readable/executable as well, which is
> something we've resisted doing.

Perhaps we should have a umask-like GUC instead of this?

In the end, I agree with and completely understand the OP's complaint.
I haven't run into this issue much since, on Debian systems, we use
logrotate to move log files around and use the copy/truncate method
there, so permissions end up being preserved once an admin has decided
to change them. Might be something to consider, but, really, we should
give the admin some flexibility here, even if the default is the same as
current behaviour.

I'll refrain from bringing up the fact that we're concerned about log
files having group permissions by default, but we ship with "trust" in
pg_hba.conf...

Thanks,

Stephen

From: Martin Pihlak on
Tom Lane wrote:
> It doesn't appear to me that this helps unless you are willing to make
> the containing director(ies) group-readable/executable as well, which is
> something we've resisted doing.
>

The log can be moved outside of data directory by setting "log_directory"
to an absolute path. Then the permissions for the log directory can be arbitrary
as the postmaster is only strict about permissions on data directory.

regards,
Martin
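
The two layouts discussed in this thread (a log file inside a 0700 data directory versus "log_directory" pointing outside it) can be compared from mode bits alone. This is an added example, not part of the thread or of the patch; directory and file names are constructed, and it assumes every path component is group-owned by the reader's group with no ACLs in play.

```python
import os
import stat
import tempfile

def group_access_blockers(root, log_file):
    """List path components below root whose mode bits stop a group member
    from reading log_file (mode bits only; group ownership and ACLs ignored)."""
    root = os.path.realpath(root)
    target = os.path.realpath(log_file)  # check the directories really traversed
    if os.path.commonpath([root, target]) != root:
        raise ValueError("log_file must live under root")
    parts = os.path.relpath(target, root).split(os.sep)
    blockers, path = [], root
    for i, part in enumerate(parts):
        path = os.path.join(path, part)
        mode = os.stat(path).st_mode
        if stat.S_ISDIR(mode):
            needed = stat.S_IXGRP          # search permission to pass through
            if i == len(parts) - 2:
                needed |= stat.S_IRGRP     # log directory: also list its entries
        else:
            needed = stat.S_IRGRP          # the log file itself
        if (mode & needed) != needed:
            blockers.append(os.path.relpath(path, root))
    return blockers

def build_tree(base, rel_dirs, dir_mode, file_name, file_mode):
    """Create nested directories and one log file with explicit modes (constructed sample)."""
    path = base
    for d in rel_dirs:
        path = os.path.join(path, d)
        os.mkdir(path)
        os.chmod(path, dir_mode)
    log = os.path.join(path, file_name)
    with open(log, "w") as f:
        f.write("LOG:  constructed sample line\n")
    os.chmod(log, file_mode)
    return log

def demo():
    base = tempfile.mkdtemp()
    # Log inside a 0700 data directory, file created 0640 (hypothetical names).
    inside = build_tree(base, ["data", "pg_log"], 0o700, "postgresql.log", 0o640)
    # log_directory set to an absolute path outside the data directory.
    outside = build_tree(base, ["var_log_pg"], 0o750, "postgresql.log", 0o640)
    return group_access_blockers(base, inside), group_access_blockers(base, outside)

if __name__ == "__main__":
    print(demo())
```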
