Setting permissions for log files and directories

When you specify the -c start option, syslogd creates log files and directories dynamically. By default, directories are created with the permissions value 0700, which means that only the owner can read, write, and list the contents of the directory. Similarly, if syslogd needs to create a file, the default permissions value is 600, which again means that only the owner can read and write the file. Because syslogd must run under a user ID with UID 0, the owner is always a superuser. To change the default permissions used by syslogd, use the -F start option to set the global default permissions for files and the -D start option to set the global default permissions for directories.

Tip: The -F and -D start options have no effect on files or directories that already exist.

You can also use the -F and -D configuration options to override global defaults for individual syslogd rules. Specify -F or -D (or both) with octal values following the file name. For example:

*.err      /var/log/%Y/%m/%d/errors -F 640 -D 644

The file permission bits, whether provided on the rule or as global defaults, are modified by the syslogd process file creation mask (umask), and then used to set the file permission bits of a file that is being created.
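As an added illustration (not code from z/OS or the syslogd documentation), the following Python models the permission resolution described above: a per-rule -F or -D value wins over the global default, and the result is then masked by the syslogd process umask. It assumes the minimal rule syntax shown on this page (selector, path, optional -F/-D pairs), assumes the umask applies to directory modes as well as file modes, and adds a defender's check that flags any rule whose effective mode grants access to "other".

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class SyslogdRule:
    selector: str
    path: str
    file_mode: Optional[int]  # value of -F on the rule, or None
    dir_mode: Optional[int]   # value of -D on the rule, or None


def parse_rule(line: str) -> SyslogdRule:
    """Parse 'selector path [-F octal] [-D octal]' (page-level subset, assumed)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError(f"malformed rule: {line!r}")
    selector, path, opts = parts[0], parts[1], parts[2:]
    file_mode = dir_mode = None
    it = iter(opts)
    for flag in it:
        value = next(it, None)
        if value is None:
            raise ValueError(f"{flag} requires an octal value")
        if flag == "-F":
            file_mode = int(value, 8)
        elif flag == "-D":
            dir_mode = int(value, 8)
        else:
            raise ValueError(f"unsupported option {flag!r}")
    return SyslogdRule(selector, path, file_mode, dir_mode)


def effective_modes(rule: SyslogdRule, umask: int = 0o022,
                    global_file: int = 0o600, global_dir: int = 0o700) -> Tuple[int, int]:
    """Mode bits syslogd would set on a newly created file and directory for this
    rule: the rule's own -F/-D value if present, else the global default (-F/-D
    start options), then masked by the process umask (assumption: umask applied
    to both files and directories)."""
    f = rule.file_mode if rule.file_mode is not None else global_file
    d = rule.dir_mode if rule.dir_mode is not None else global_dir
    return f & ~umask & 0o777, d & ~umask & 0o777


def world_accessible(mode: int) -> bool:
    """True if the 'other' class has any read, write or execute bit set."""
    return (mode & 0o007) != 0


def audit_rules(lines, umask: int = 0o022):
    """Return (path, file_mode, dir_mode) for every rule that leaves a log file
    or directory readable, writable or searchable by 'other' after the umask."""
    findings = []
    for line in lines:
        rule = parse_rule(line)
        fmode, dmode = effective_modes(rule, umask)
        if world_accessible(fmode) or world_accessible(dmode):
            findings.append((rule.path, fmode, dmode))
    return findings
```

Run audit_rules over the rule lines of a syslogd configuration with the umask the daemon will actually start under; the page's own example rule is reported because -D 644 leaves the directories world-readable.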

If you are considering allowing users other than a superuser to have access to log files, before changing the syslogd default permissions for files and directories, be sure to consider the following options:

  • Before starting syslogd, create the log file (and its containing directory, if necessary) with permissions and ownership that give the other users the access they need. If a single user needs access, set the file's owner UID to that user's UID. If multiple users need access, set a new or existing group ID (GID) as the file's GID, and set the permissions to give members of the group read access, write access, or both. The file or directory UID and GID can be set with the chown command. Be sure that the syslogd user ID keeps write access to the log files. This technique is useful only if the files are not being created dynamically by syslogd.
  • If you are not using file access control lists (ACLs), files and directories created by syslogd have the owner UID 0. By default, the owning GID is set to that of the parent directory. However, if the FILE.GROUPOWNER.SETGID profile exists in the UNIXPRIV class, the owning GID is determined by the set-GID bit of the parent directory, as follows:
    • If the set-GID bit of the parent directory is on, the owning GID is set to that of the parent directory.
    • If the set-GID bit of the parent directory is off, the owning GID is set to the effective GID of the process.

    When there are no file access control lists, the only way to manage log files with different access requirements that must be accessed by different groups of users is to create the containing directories with the appropriate GIDs before starting syslogd, and let syslogd dynamically create the log files in the appropriate directories. The log files then inherit the GID of the directory, if the directory has the set-GID bit on.

  • A third way to provide access to log files for different users or groups of users is to use file access control lists. For information about setting file access control lists, see the setfacl command in z/OS UNIX System Services Command Reference. The ACLs for dynamically created directories and files can be inherited from defaults set on the parent directory. When using this method, be sure that the syslogd user ID continues to have write access to the log files.