
Bolzenheim

macrumors newbie
Original poster
Nov 28, 2013
Hi Guys

At the moment I am programming a script which reads /var/logs/system.log and searches for Time Machine backup messages.
For this I need a normal user to be able to read this file, but unfortunately it is not readable by a non-admin.

A possibility would be to use "syslog" but it displays only messages which are readable by non-admin users.

So, long story short: How can a script, run under a non-admin user, access the whole system log without sudo or stuff like this?

Best regards
 
When I first read this post, I figured I could have a pretty quick answer - I've been reading/parsing event logs of one kind or another for a very long time now.

But the permissions that Apple has set in /var/logs are pretty much locked down, which is going to be a problem for non-admin users.

Everything (so far) that I've thought of requires admin-level access at some point.

Change the permissions on system.log? Requires root (and might not be a permanent change anyways).

Execute a cron job where the contents of system.log are copied to a file that a script could read? Requires root to install (plus has a bunch of other concerns associated with it).

Perhaps if you could say what the script would be looking for and accomplishing, someone could help further.

Also, I see some people have applied AppleScript to the Console app for logging specific messages - but I can't say if this would be helpful to you or not. Heck, I don't even know what the Console looks like when run as a non-Admin person...
 
Hi smithrh

Many thanks for your reply.
The script does the following grep command on the file:

TMDATA=`grep "backupd" /var/log/system.log | grep -Eo "Backup failed with error: .*|Backup completed .*" | tail -1`

In other words: it searches the log file for all occurrences of backup completed / failed messages and takes the last (most recent) one of them.
With that in $TMDATA it is able to "say" if the last backup was successful or not, which is then reported to a central server.

It would be okay if the method needed admin rights ONCE (for installation), but of course not every time.

I'm beginning to think that the best way would be to write a small C program which gains root rights (via the setuid bit), reads the file and returns it to the calling script. What do you think?

Best regards
 
Hi

No, of course I can't be sure that it won't be compromised.
And as far as I know, OS X ignores the setuid bit on user-written scripts (at least, my short tests imply that).

Of course, if it's the only solution, I would write an extra script which only returns the content of the file to the calling script. This means the normal script can be run in non-root mode.

Best regards
 
Depends on how you set it. Who is the owner of the script? If it's not root then you won't get the effect you want. You could also look at the Authorization Services API and running a helper with escalated privileges. But then you will need an admin password at runtime.
 
Mac supports sudo.

In terminal:

sudo visudo

Then, :$

Then, /$<enter>

Then, i<right arrow x2><enter>

Then type a line like the following making the appropriate replacements:

Cmnd_Alias SYSLOG = /bin/cat /var/log/system.log
myscriptuser ALL=(ALL) NOPASSWD: SYSLOG

Once the above is typed (two separate lines, replacing myscriptuser appropriately), press <ESC>:wq<enter>

This will allow myscriptuser to cat /var/log/system.log without a password. You would have to use 'sudo cat /var/log/system.log' in your script.

You can then do what you want with the info.
 
Hi dean

Would you mind explaining a bit to me what exactly your command does?
Is it only setting permissions for every User to use cat as root or what does it do?

I tried the following:

Code:
nano /Users/Shared/read.sh

<FILECONTENT>

#!/bin/sh
echo `whoami`
cat /var/log/system.log

</FILECONTENT>

sudo chown root:staff /Users/Shared/read.sh
sudo chmod 7777 /Users/Shared/read.sh
su noadmin
/Users/Shared/read.sh

<RESULT>
noadmin
cat: /var/log/system.log: Permission denied
</RESULT>

Of course, the user "noadmin" does not have admin rights ;)
And as you can see, the user is not set to root, despite the setuid bit being set.

What am I doing wrong? ;)

Best regards and many thanks for the many answers
 
sudo is a program for *nix/*nux systems that allows a regular user to escalate privileges according to a set ruleset using their own password.

For example, you can disallow any escalation at all through sudo, allow all escalation, specify whether a password is required or not, and even limit it to specific programs only.

In contrast, 'su' also allows privilege escalation on a shell level but requires the password of the target user and is harder to limit in scope.

To configure the sudo ruleset, you should use the command 'visudo' which loads in a program called 'vi' (most commonly this is actually 'vim') which can be complicated for novice administrators.

Because of this, I tried to tell you *exactly* what to type. If you do what I said exactly, it should work for you.

My post will help you set things up so 'myscriptuser' (in your case, this would be whatever user is executing the script) can run the 'cat' command without a password, and only on /var/log/system.log. It is very restrictive.

Then, to use the data in your script you would just do:

sudo cat /var/log/system.log [ | [grep,sed,....] ]
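The grep pipeline from the earlier post turned into a small status check, as an added example that is not code from anyone in this thread. It assumes the NOPASSWD rule above is installed for the user running it (the command must match the Cmnd_Alias exactly, so it calls /bin/cat with that one argument), and it embeds constructed sample log lines so the parsing part runs offline without sudo.

```shell
#!/bin/sh
# Added example: report the result of the most recent Time Machine run
# found in system.log. The sample log lines below are constructed.

# Print the most recent backupd completion/failure message from the log on stdin.
last_tm_message() {
    grep "backupd" | grep -Eo "Backup failed with error: .*|Backup completed .*" | tail -1
}

# Reduce that message to a one-word status: ok, failed, or unknown (no message seen).
tm_status() {
    msg=$(last_tm_message)
    case "$msg" in
        "Backup completed"*) echo ok ;;
        "Backup failed"*)    echo failed ;;
        *)                   echo unknown ;;
    esac
}

# Read the real log through the restricted sudo rule from the thread.
# /bin/cat plus this single argument is what the Cmnd_Alias permits;
# -n makes sudo fail immediately instead of prompting when no rule applies.
read_system_log() {
    sudo -n /bin/cat /var/log/system.log
}

# Constructed lines in system.log format, used for the offline demonstration.
SAMPLE_LOG='Nov 28 10:00:01 mac com.apple.backupd[123]: Starting standard backup
Nov 28 10:05:02 mac com.apple.backupd[123]: Backup failed with error: 11
Nov 28 11:00:01 mac com.apple.backupd[456]: Starting standard backup
Nov 28 11:04:33 mac com.apple.backupd[456]: Backup completed successfully.
Nov 28 11:04:34 mac kernel[0]: unrelated message'

# Run against the real log only when asked; otherwise parse the sample lines.
if [ "${1:-}" = "--live" ]; then
    read_system_log | tm_status
else
    printf '%s\n' "$SAMPLE_LOG" | tm_status
fi
```

Before installing the rule on a machine, `visudo -cf <file>` checks a sudoers fragment for syntax errors without touching the live /etc/sudoers.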
 
Also note that setuid is actually 4, not 7, so it would be 4777, but the method I described previously would be more secure than using setuid or setting the shell script as owned by root.

Also note that I do not believe Mac OS X allows setuid on shell scripts.
 
Hi dean

I made the changes to the sudoers file (with nano, sorry for that ;)) and for the group staff.
It works like a charm.
Of course, it would be much nicer to not need to touch the file on every machine, but it's a possibility.
Thank you!

Best regards
 
The solution I provided is the most elegant, secure solution I can think of.

I would advise against using 'nano' or editing /etc/sudoers manually at all.

'visudo' performs syntax checking when you save the file. Editing via nano or manually does not.

If you make a syntax error or typo in /etc/sudoers it can result in a non-usable system or removal of your administrative privileges. Proceed with caution.
 