6. LIDS ACL Inheritance

Sometimes it is useful for a programme to pass its permissions along to programmes it calls — this is common with scripts which call system binaries.

Consider log rotation, often run each night as a cron job. In general, the logs under /var/log should be append-only:

    lidsconf -A -o /var/log -j APPEND
but /etc/cron.daily/logrotate requires WRITE access:
    lidsconf -A -s /etc/cron.daily/logrotate -o /var/log -j WRITE
After adding this ACL, compiling and reloading the configuration, a call to this script fails:
    error: failed to rename /var/log/exim4/mainlog to /var/log/exim4/mainlog.1: Operation not permitted
    error: error creating /var/log/exim4/mainlog: Operation not permitted
    .
    .
A look at the script reveals why:
    #!/bin/sh

    test -x /usr/sbin/logrotate || exit 0
    /usr/sbin/logrotate /etc/logrotate.conf
The script is simply a wrapper for /usr/sbin/logrotate, and the ACL above applies to the script alone, not to the binary it executes. We want the latter to inherit WRITE permission from the script. Therefore we use this ACL instead:
    lidsconf -A -s /etc/cron.daily/logrotate -o /var/log -i 1 -j WRITE

The -i 1 option means that /etc/cron.daily/logrotate's children inherit its ACLs, but not its grandchildren — use -i 2 for that; use -i <n> for n levels of inheritance. For unlimited inheritance specify -i -1.
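To make the inheritance levels concrete, the following is an added model of how a subject ACL with -i <n> reaches the subject's descendants, written for this page and not taken from LIDS or from lidsconf. It is a simplification: the exec chains (cron, run-parts, the wrapper, /usr/sbin/logrotate, and a /bin/sh that logrotate starts for a postrotate script) are constructed, and the precedence chosen between overlapping subject rules ("longest object path wins") is an assumption, not LIDS's documented behaviour. It shows the page's scenario at -i 0, -i 1, -i 2 and -i -1, including the case the page's -i 1 rule does not cover: a grandchild such as a postrotate shell.

```python
"""Constructed model of LIDS ACL inheritance (an illustration, not LIDS code).

A rule is (subject, object, inherit, action).  A subject rule governs the
subject itself (exec depth 0) and the programmes it execs down to depth
`inherit` (-i <n>); inherit == -1 covers every descendant.  A rule without a
subject is the default for the object.  Actions rank DENY < READONLY <
APPEND < WRITE.  Precedence between overlapping subject rules is simplified
to "longest object path wins" (an assumption, not LIDS's documented rule).
"""
from dataclasses import dataclass
from typing import List, Optional

RANK = {"DENY": 0, "READONLY": 1, "APPEND": 2, "WRITE": 3}


@dataclass(frozen=True)
class Acl:
    subject: Optional[str]  # None = subjectless (default) rule for the object
    obj: str                # file or directory; a directory covers its subtree
    inherit: int            # -i <n>: 0 = subject only, -1 = unlimited
    action: str


def _object_matches(rule_obj: str, path: str) -> bool:
    base = rule_obj.rstrip("/")
    return path == base or path.startswith(base + "/")


def covers(acl: Acl, exec_chain: List[str], path: str) -> bool:
    """Does `acl` govern access to `path` by a process whose exec ancestry is
    `exec_chain` (outermost ancestor first, the running programme last)?"""
    if not _object_matches(acl.obj, path):
        return False
    if acl.subject is None:
        return True
    if acl.subject not in exec_chain:
        return False
    # Depth counts from the nearest ancestor that is the subject: the subject
    # itself is depth 0, its child depth 1, its grandchild depth 2, and so on.
    nearest = max(i for i, p in enumerate(exec_chain) if p == acl.subject)
    depth = len(exec_chain) - 1 - nearest
    return acl.inherit == -1 or depth <= acl.inherit


def effective(acls: List[Acl], exec_chain: List[str], path: str) -> Optional[str]:
    """Action that applies, or None when no rule protects `path` at all."""
    matching = [a for a in acls if covers(a, exec_chain, path)]
    subject_rules = [a for a in matching if a.subject is not None]
    if subject_rules:
        return max(subject_rules, key=lambda a: len(a.obj)).action
    defaults = [a for a in matching if a.subject is None]
    if defaults:
        return max(defaults, key=lambda a: len(a.obj)).action
    return None


def allowed(acls: List[Acl], exec_chain: List[str], path: str, need: str) -> bool:
    """True if LIDS does not block `need` on `path` for this process.
    An object with no rule at all is not protected by LIDS (ordinary
    permissions apply), so that case is reported as allowed."""
    action = effective(acls, exec_chain, path)
    return action is None or RANK[action] >= RANK[need]


# The page's scenario: paths as on the page, exec chains constructed here.
VAR_LOG = "/var/log"
WRAPPER = "/etc/cron.daily/logrotate"
LOGROTATE = "/usr/sbin/logrotate"
SH = "/bin/sh"                      # shell logrotate starts for a postrotate script
MAINLOG = "/var/log/exim4/mainlog"
DEFAULT_APPEND = Acl(None, VAR_LOG, 0, "APPEND")   # lidsconf -A -o /var/log -j APPEND


def rotate_write_allowed(inherit: int):
    """WRITE on the exim log by (wrapper, logrotate, postrotate shell) when the
    wrapper's WRITE rule is added with -i <inherit>."""
    acls = [DEFAULT_APPEND, Acl(WRAPPER, VAR_LOG, inherit, "WRITE")]
    chains = [[WRAPPER], [WRAPPER, LOGROTATE], [WRAPPER, LOGROTATE, SH]]
    return tuple(allowed(acls, chain, MAINLOG, "WRITE") for chain in chains)


if __name__ == "__main__":
    for level in (0, 1, 2, -1):
        print(f"-i {level:2d}: wrapper/logrotate/postrotate WRITE ->",
              rotate_write_allowed(level))
```

Running it shows -i 0 granting WRITE to the wrapper only (the failure on the page), -i 1 reaching /usr/sbin/logrotate but not a postrotate shell it spawns, and -i 2 or -i -1 covering that grandchild as well. Depth is counted from the subject, so ancestors above it (cron, run-parts) do not consume inheritance levels.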





About this document:

Produced from the SGML: /home/mc/public_html/_unix_security/_reml_grp/unix_sec_kernel_lids.reml
On: 19/5/2006 at 11:53:2
Options: reml2 -i noindex -l long -o html -p multiple