Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

os_newsyslog_files_*_configure don't take /etc/newsyslog.d into account #351

Open
nihil-admirari opened this issue Jan 22, 2024 · 0 comments
Open

os_newsyslog_files_*_configure don't take /etc/newsyslog.d into account #351

nihil-admirari opened this issue Jan 22, 2024 · 0 comments
Assignees
@brodjieski

Comments

@nihil-admirari
Copy link
Contributor

os_newsyslog_files_owner_group_configure and os_newsyslog_files_permissions_configure get the list of files via:

/usr/bin/grep -v '^#' /etc/newsyslog.conf | /usr/bin/awk '{ print $1 }')

Files inside /etc/newsyslog.d are ignored.

Also, ownership and mode can be configured directly within newsyslog.conf files via the optional second and third columns, though it may not be a good idea since e.g. /etc/newsyslog.d/com.apple.xscertd.conf explicitly sets ownership to _ces:admin.

Suggestions

zsh globbing is used to handle log rotation, but I don't have any log-rotated files on my machine to verify.

Checking for ownership:

logfiles=$(/usr/bin/awk '!/^#/ { print $1 }' /etc/newsyslog.{conf,d/*})
own_err=("${(fu)^logfiles}"*(N^u[root],^g[wheel]))
echo "${#own_err}"

Fixing ownership:

logfiles=$(/usr/bin/awk '!/^#/ { print $1 }' /etc/newsyslog.{conf,d/*})
/usr/sbin/chown root:wheel "${(fu)^logfiles}"*(N^u[root],^g[wheel])

Checking for permissions:

logfiles=$(/usr/bin/awk '!/^#/ { print $1 }' /etc/newsyslog.{conf,d/*})
perm_err=("${(fu)^logfiles}"*(N^f0640))
echo "${#perm_err}"

Fixing permissions:

logfiles=$(/usr/bin/awk '!/^#/ { print $1 }' /etc/newsyslog.{conf,d/*})
/bin/chmod 640 "${(fu)^logfiles}"*(N^f0640)

Checking ownership misconfiguration:

/usr/bin/awk -v err=0 '
    !/^#/ {
        if ($2 ~ /^[[:digit:]]+$/ || $2 != "root:wheel") {
            ++err
        }
    }
    END { print err }
' /etc/newsyslog.{conf,d/*}

Fixing ownership misconfiguration:

/usr/bin/sed -Ei 's,^([^#][^[:space:]]+[[:space:]]+)([^[:space:]]+:[^[:space:]]+)?,\1root:wheel ,' /etc/newsyslog.{conf,d/*}

Checking permissions misconfiguration:

/usr/bin/awk -v err=0 '
    !/^#/ {
        i = $2 ~ /^[[:digit:]]+$/ ? 2 : 3
        if ($i != "640") { ++err }
    }
    END { print err }
' /etc/newsyslog.{conf,d/*}

Fixing permissions misconfiguration:

/usr/bin/sed -Ei 's,^([^#][^[:space:]]+[[:space:]]+([^[:space:]]+:[^[:space:]]+)?[[:space:]]+)[[:digit:]]+,\1640,' /etc/newsyslog.{conf,d/*}

Changes can be inspected by running diff in a loop:

for f in /etc/newsyslog.{conf,d/*}; do
    diff --color=always --unified "$f" <(/usr/bin/sed -E 'SED COMMAND GOES HERE' "$f")
done
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@brodjieski brodjieski

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@brodjieski @nihil-admirari