logdir should have same permissions as cache_root #91
Comments
|
See quattor/CAF#100 |
|
This is actually harder than expected. The cache_root permissions are derived from the CCM configfile, but there is no relation between @ned21 toughts? |
|
I think it's best to make a configuration setting in ncm-ncd.conf, logperms, or similar (logfilemode?) and then default to owner only. Template validation can then be used to check that ncm-ncd log file modes are compatible with ccm config. Did we agree verbose logging would be on or off by default? What is the current log perms for ncm-ncd? |
|
@ned21 ccm.conf has a group_readable setting with group name and a world_reable boolean. not sure how we can check that against a single ncm-ncd.conf entry. current permissions are 644. verbose logging will be on if #88 gets merged; that's why i consider this a blocker. (verbose logging is really nice, we've rolled it out on some of our test boxes already) |
|
I would set it on the logfiles since that's then an easy switch to make via a config option? Handling world-readable is straight-forward (check world_readable boolean) but I can see how group_readable gets trickier. We only need world_readable so could live with that for now -- do you need group_readable? Can you clone the config from ccm and then use a template to check that the ncm and ccm configs are the same? i.e. if one has world-readable then the other too and if one has group_readable the value for both must be the same? |
|
setting it on th elogfiles is actually harder, since i would use the same config parameters as ccm i'm not sure the schema can set defaults like that. but an admin can ofcourse (and if the default on the logdir is perm 700 owner root, i see not much harm). |
To prevent info leakage from file diffs due to verbose_logfile
The text was updated successfully, but these errors were encountered: