Re: log files and permissions

Michael Tharp <gxti@partiallystapled.com>

From: Michael Tharp <gxti@partiallystapled.com>
To: Kevin Grittner <Kevin.Grittner@wicourts.gov>
Cc: Martin Pihlak <martin.pihlak@gmail.com>, Tom Lane <tgl@sss.pgh.pa.us>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2010-07-01T17:19:16Z
Lists: pgsql-hackers
On 07/01/2010 12:56 PM, Kevin Grittner wrote:
> I just tried creating a symbolic link to the pg_log directory and
> flagging the existing logs within it to 640.  As a member of the
> group I was able to list and view the contents of log files through
> the symbolic link, even though I didn't have any authority to the
> PostgreSQL data directory.
>
> That seems potentially useful to me.

Symlinks are exactly equivalent to using the target of the link. Your 
permissions are probably already arranged so that you (as a group 
member) can access the files. Fedora's initscript seems to deliberately 
revoke group permissions from PGDATA and pg_log so I'm guessing that at 
some point some things were created with some group permissions.

That said, as Martin mentions one can easily place the log directory 
outside of the data directory and set appropriate directory permissions.

-- m. tharp