
In the Linux operating system, the /var/log directory is a crucial location where system and application logs are stored. For security reasons, access to this directory is usually restricted to the root user. However, there may be situations where a non-root user needs access to these logs for monitoring or troubleshooting purposes. This guide will walk you through the process of granting a non-root user access only to the /var/log directory, while maintaining the security of other directories.
To grant a non-root user access only to the /var/log directory, you can create a new group, add the non-root user to that group, change the ownership and permissions of the directory, and modify the permissions of the log files within it. This ensures that the user can access the logs for monitoring or troubleshooting purposes while maintaining the security of other directories.
Understanding the Basics
Before we start, it’s important to understand the basics of Linux permissions and groups. In Linux, each file and directory has an owner and a group associated with it. The permissions for the owner, group, and others (everyone else) are defined separately.
For example, the permission 750 on a directory means the owner has read, write, and execute permissions (7), the group has read and execute permissions (5), and others have no permissions (0).
Step 1: Creating a New Group
The first step is to create a new group that will have access to the /var/log directory. We’ll call this group logusers. You can create this group using the groupadd command:

```shell
sudo groupadd logusers
```

The groupadd command is used to create a new group, and the sudo prefix runs the command with root privileges.
Step 2: Adding the Non-Root User to the Group
Next, we need to add the non-root user to the logusers group. This can be done with the usermod command:

```shell
sudo usermod -aG logusers <USER>
```

In this command, -aG appends the user to the supplementary group (without -a, the user would be removed from every other supplementary group), and <USER> should be replaced with the username of the non-root user.
Step 3: Changing Ownership of /var/log Directory
Now, we need to change the ownership of the /var/log directory to the root user and the logusers group. This can be accomplished with the chown command:

```shell
sudo chown root:logusers /var/log
```

The chown command is used to change the owner and group of a file or directory. Here, root:logusers sets the owner to root and the group to logusers.
Step 4: Setting Permissions for /var/log Directory
The next step is to set the permissions for the /var/log directory to allow read, write, and execute access for the owner, read and execute access for the group, and no access for others. This can be done with the chmod command:

```shell
sudo chmod 750 /var/log
```

The chmod command is used to change the permissions of a file or directory. As mentioned earlier, 750 sets the permissions to read, write, and execute for the owner, read and execute for the group, and no permissions for others.
Step 5: Setting the setgid Permission
The setgid permission ensures that new files created within the /var/log directory inherit the group ownership of the directory. This can be set with the chmod command as well:

```shell
sudo chmod g+s /var/log
```

Here, g+s sets the setgid permission on the directory.
Step 6: Modifying Permissions of Log Files
Finally, we need to modify the permissions of the log files within /var/log to allow read access for the logusers group. A shell glob such as /var/log/* would also match subdirectories, and removing their execute bit would make them untraversable, so the change is restricted to regular files:

```shell
sudo find /var/log -maxdepth 1 -type f -exec chmod 640 {} +
```

Here, 640 sets the permissions to read and write for the owner, read for the group, and no permissions for others.
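The following script is an added example, not part of the original guide. It rehearses Steps 3 to 6 against a throwaway directory that stands in for /var/log, so the resulting modes can be checked before the commands are run as root on the real directory. It assumes GNU coreutils and findutils (stat -c, find -mindepth) and uses the caller's primary group in place of logusers, since creating a group and running chown root:... both require root. The sandbox contents (syslog, auth.log, a nginx subdirectory) are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original guide): rehearse Steps 3-6 of the
# procedure on a temporary directory and verify the outcome with stat.
# Assumes GNU coreutils/findutils. On the real /var/log every command
# below would need sudo and the group would be logusers.
set -eu

# Build a sandbox that stands in for /var/log (constructed sample data).
make_sandbox() {
  d=$(mktemp -d)
  printf 'sample line\n' > "$d/syslog"
  printf 'sample line\n' > "$d/auth.log"
  mkdir "$d/nginx"                          # service-owned subdirectory, like /var/log/nginx
  printf 'sample line\n' > "$d/nginx/access.log"
  chmod 755 "$d" "$d/nginx"
  chmod 644 "$d/syslog" "$d/auth.log" "$d/nginx/access.log"
  printf '%s\n' "$d"
}

# Apply the guide's directory and file steps to $1 using group $2
# (hypothetical helper; $2 is the caller's primary group in this rehearsal).
apply_guide() {
  dir=$1
  group=$2
  chgrp "$group" "$dir"                     # Step 3 (chown root:logusers on the real system)
  chmod 750 "$dir"                          # Step 4: rwx owner, r-x group, nothing for others
  chmod g+s "$dir"                          # Step 5: new files inherit the directory's group
  # Step 6, limited to regular files so subdirectories keep their execute bit
  find "$dir" -maxdepth 1 -type f -exec chmod 640 {} +
}

# Octal mode of a path, including special bits (e.g. 2750 for a setgid 750 dir).
mode_of() {
  stat -c '%a' "$1"
}

# Number of immediate subdirectories that lost their owner execute bit.
# A blanket "chmod 640 /var/log/*" would make this non-zero; the find-based
# Step 6 keeps it at 0.
untraversable_subdirs() {
  find "$1" -mindepth 1 -maxdepth 1 -type d ! -perm -u=x | wc -l | tr -d ' '
}

main() {
  sb=$(make_sandbox)
  apply_guide "$sb" "$(id -gn)"
  echo "directory mode:          $(mode_of "$sb")"           # expected 2750
  echo "syslog mode:             $(mode_of "$sb/syslog")"    # expected 640
  echo "nginx subdir mode:       $(mode_of "$sb/nginx")"     # expected 755 (untouched)
  echo "untraversable subdirs:   $(untraversable_subdirs "$sb")"  # expected 0
  rm -rf "$sb"
}

main "$@"
```

Running the script prints the mode of the sandbox directory (2750: the leading 2 is the setgid bit from Step 5), the 640 mode of the top-level log files, and confirms that the nginx subdirectory is still 755 and traversable. On a real system the same stat commands, pointed at /var/log, are the quickest way to confirm the steps took effect; entries under /var/log that belong to service accounts (for example a syslog or www-data owned subdirectory) keep their own owner and mode, which is exactly why Step 6 avoids the bare glob.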
Conclusion
By following these steps, you can grant a non-root user access only to the /var/log directory. This can be useful in situations where a user needs to monitor system logs but should not have access to other sensitive directories.
Remember, it’s important to always consider the security implications of granting access to system directories. Always ensure that sensitive files have appropriate permissions and are only readable by root.
For more information on Linux permissions and groups, you can refer to the Linux Documentation Project.
Access to the /var/log directory is restricted to the root user for security reasons. This directory contains important system and application logs that can contain sensitive information. By restricting access to the root user, it helps to prevent unauthorized users from tampering with or viewing these logs.

Yes, you can grant access to the /var/log directory to multiple non-root users by adding them to the logusers group that we created in the guide. Simply use the usermod -aG logusers <USER> command for each user you want to grant access to.