Linux中目录的访问权限
[英]Access permissions for directory in Linux
问题描述
I have a programm which creates log files in web-server directory (/var/www/log). 
我有一个在Web服务器目录(/ var / www / log)中创建日志文件的程序。 Every day it generates one new log file. 每天都会生成一个新的日志文件。 I've set access permissions for this directory to 777 我已将此目录的访问权限设置为777
chmod 777 -R /var/www/log
But when system generates log file for new day, it doesn't have access permissions 777. I have to do it manually again. 但是,当系统为新的一天生成日志文件时,它没有访问权限777。我必须再次手动进行操作。 How can I correctly set permissions for directory? 如何正确设置目录权限? All files in this directory must have 777 automatically. 此目录中的所有文件必须自动具有777。
1 个解决方案
解决方案1
0 2014-04-23 13:11:04
- It is a very bad idea to have files executable which don't need to be: it is a possible security risk, and not a small one. 具有不需要执行的可执行文件是一个非常糟糕的主意:这是可能的安全风险,而不是很小的风险。 in your case, some files owned by root would be writable to the public. 在您的情况下,root用户拥有的某些文件将是可写的。 It is quite easy to modify them as to run as root (yes, you can make ANY file behave as a program under Linux)for everybody who has write permissions on that file. 对于拥有对该文件写权限的每个人,将它们修改为以root用户身份运行都是非常容易的(是的,您可以使ANY文件在Linux下作为程序运行)。 As twalberg pointed out: this is a Really Bad Idea™ 正如twalberg所指出的:这是一个“ 真正的坏主意”
- Do not write log files directly. 不要直接写日志文件。 It makes the life of the system administrator unnecessarily hard. 这使系统管理员的工作变得不必要。 Use
sysloginstead.请改用syslog。 Every programming language has the option to log to syslog.每种编程语言都可以选择登录到syslog。 Reason behind that: it could very well be and often happens that when companies reach a certain size, they use a centralized syslog server. 其背后的原因:很可能并且经常发生这样的情况:当公司达到一定规模时,他们使用集中式系统日志服务器。 When every package behaves nicely, all which has to be done is to change one configuration file and all the log entries are send to that dedicated syslog server. 当每个程序包运行良好时,所有要做的就是更改一个配置文件,并将所有日志条目发送到该专用syslog服务器。 Or the admin might want to change the location a log file is written to, for example from /var/www/log to /var/log/www. 或者管理员可能想要将写入日志文件的位置更改为例如,从/ var / www / log更改为/ var / log / www。 One line in a syslogd.conf, but unpredictable amount of lines when log files are written directly. syslogd.conf中的一行,但是直接写入日志文件时的行数无法预测。 Writing log files directly may be a nice fall back, but doing so by default is bad practice. 直接写日志文件可能是一个不错的选择,但是默认情况下这样做是不好的做法。 - In case you run a software not written by you but not native to your linux distribution, you could start it as root and make it drop it's privileges to a dedicated user for this software using the
runuserorsudocommands.如果您运行的不是您自己编写的软件,也不是您的Linux发行版本身不是本机的软件,则可以使用runuser或sudo命令以root身份启动该软件,runuser其特权授予该软件的专用用户。 This dedicated user could have write access to the log files.该专用用户可能具有对日志文件的写访问权。 This still is a hack. 这仍然是一个hack。 A service should be able to run as user nobody. 服务应该能够以nobody用户身份运行。
In general, I do not understand why all users must have access to all log files. 通常,我不明白为什么所有用户都必须有权访问所有日志文件。 Please elaborate that. 请详细说明。
For completeness: 为了完整性:
What most likely happens is that logrotate kicks in. It is a tool compresses old and deletes outdated log files and creates new ones based on what is configured in /etc/logrotate.conf and files included there. 最有可能发生的是logrotate启动。它是一个压缩旧工具,并删除过时的日志文件,并根据/etc/logrotate.conf配置的内容以及其中包含的文件创建新的日志文件。 Otherwise your server would run out of space after a while. 否则,您的服务器将在一段时间后耗尽空间。 You can either change the configuration of logrotate or 您可以更改logrotate的配置,也可以更改
DO NOT DO THE FOLLOWING 请勿进行以下操作
You could add a chmod 0777 -R /var/www/log either to the crontab root or the various system crontabs. 您可以将chmod 0777 -R /var/www/log到crontab根目录或各种系统crontabs。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.