read the WHOLE /var/logs/system.log

Discussion in 'OS X Mavericks (10.9)' started by Bolzenheim, Nov 28, 2013.

  1. Bolzenheim macrumors newbie

    Joined:
    Nov 28, 2013
    #1
    Hi Guys

    At the moment I am programming a script which reads /var/log/system.log and searches for Time Machine backup messages.
    For this I need a normal user to be able to read this file, but unfortunately it is not readable for a non-admin.

    A possibility would be to use "syslog" but it displays only messages which are readable by non-admin users.

    So, long story short: How can a script, run under a non-admin user, access the whole system log without sudo or stuff like this?

    Best regards
     
  2. smithrh macrumors 68020

    smithrh

    Joined:
    Feb 28, 2009
    #2
    When I first read this post, I figured I could have a pretty quick answer - I've been reading/parsing event logs of one kind or another for a very long time now.

    But the permissions that Apple has set in /var/logs are pretty much locked down, which is going to be a problem for non-admin users.

    Everything (so far) that I've thought of requires admin-level at some point.

    Change the permissions on system.log? Requires root (and might not be a permanent change anyways).

    Execute a cron job where the contents of system.log are copied to a file that a script could read? Requires root to install (plus has a bunch of other concerns associated with it).

    Perhaps if you could say what the script would be looking for and accomplishing, someone could help further.

    Also, I see some people have applied AppleScript to the Console app for logging specific messages - but I can't say if this would be helpful to you or not. Heck, I don't even know what the Console looks like when run as a non-Admin person...
     
  3. Bolzenheim thread starter macrumors newbie

    Joined:
    Nov 28, 2013
    #3
    Hi smithrh

    Many thanks for your reply.
    The script does the following grep command on the file:

    TMDATA=`grep "backupd" /var/log/system.log | grep -Eo "Backup failed with error: .*|Backup completed .*" | tail -1`

    In other words: It searches the log file for all occurrences of backup completed / failed messages and takes the last (most recent) one of them.
    With that in $TMDATA it is able to "say" if the last backup was successful or not, which is then reported to a central server.

    It would be okay if the method would need admin-rights ONCE (for installation) but of course not every time.

    I'm beginning to think that it would be the best way to write a small C method which gains root rights (via setuid bit) and then read the file and return it to the calling script, what do you think?

    Best regards
     
  4. robbieduncan Moderator emeritus

    robbieduncan

    Joined:
    Jul 24, 2002
    Location:
    London
    #4
    How confident are you in your script? 100% sure it's safe and can't be compromised? If so setuid.
     
  5. Bolzenheim thread starter macrumors newbie

    Joined:
    Nov 28, 2013
    #5
    Hi

    No, of course I can't be sure that it won't be compromised.
    And as far as I know, OS X ignores the setuid bit on user-written scripts (at least, my short tests imply that).

    Of course, if it's the only solution, I would write an extra script which only returns the content of the file to the calling script. This means the normal script can be run in non-root mode.

    Best regards
     
  6. robbieduncan Moderator emeritus

    robbieduncan

    Joined:
    Jul 24, 2002
    Location:
    London
    #6
    Depends on how you set it. Who is the owner of the script? If it's not root then you won't get the effect you want. You could also look at the Authorization Services API and running a helper with escalated privileges. But then you will need an admin password at runtime.
     
  7. dean1012 macrumors regular

    Joined:
    Jul 10, 2008
    #7
    Mac supports sudo.

    In terminal:

    sudo visudo

    Then, :$

    Then, /$<enter>

    Then, i<right arrow x2><enter>

    Then type a line like the following making the appropriate replacements:

    Cmnd_Alias SYSLOG = /bin/cat /var/log/system.log
    myscriptuser ALL=(ALL) NOPASSWD: SYSLOG

    Once the above is typed (two separate lines, replacing myscriptuser appropriately), press <ESC>:wq<enter>

    This will allow myscriptuser to cat /var/log/system.log without a password. you would have to use 'sudo cat /var/log/system.log' in your script.

    You can then do what you want with the info.
     
  8. Bolzenheim thread starter macrumors newbie

    Joined:
    Nov 28, 2013
    #8
    Hi dean

    Would you mind explaining a bit to me what exactly your command does?
    Is it only setting permissions for every User to use cat as root or what does it do?

    I tried the following:

    Code:
    nano /Users/Shared/read.sh
    
    <FILECONTENT>
    
    #!/bin/sh
    echo `whoami`
    cat /var/log/system.log
    
    </FILECONTENT>
    
    sudo chown root:staff /Users/Shared/read.sh
    sudo chmod 7777 /Users/Shared/read.sh
    su noadmin
    /Users/Shared/read.sh
    
    <RESULT>
    noadmin
    cat: /var/log/system.log: Permission denied
    </RESULT>
    
    
    Of course, the user "noadmin" does not have admin rights;)
    And as you can see, the user is not set to root, even though the setuid bit is set.

    What do I do wrong?;)

    Best regards and many thanks for all these answers
     
  9. dean1012 macrumors regular

    Joined:
    Jul 10, 2008
    #9
    sudo is a program for *nix/*nux systems that allows a regular user to escalate privileges according to a set ruleset using their own password.

    For example, you can disallow any escalation at all through sudo, allow all escalation, specify if password is required or not, and even limit to specific programs only.

    In contrast, 'su' also allows privilege escalation on a shell level but requires the password of the target user and is harder to limit in scope.

    To configure the sudo ruleset, you should use the command 'visudo' which loads in a program called 'vi' (most commonly this is actually 'vim') which can be complicated for novice administrators.

    Because of this, I tried to tell you *exactly* what to type. If you do what I said exactly, it should work for you.

    My post will help you set up so 'myscriptuser' (in your case, this would be whatever user is executing the script) can run the 'cat' command without a password only on /var/log/system.log. It is very restrictive.

    Then, to use the data in your script you would just do:

    sudo cat /var/log/system.log [ | [grep,sed,....] ]
     
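    The pipeline from post #3 combined with the restricted sudo rule from posts #7 and #9, as an added example that is not code from the thread. It assumes a sudoers rule exactly like the one in post #7 exists for the running user; the log lines in the block are constructed for the demo and are not real system.log content.

```shell
#!/bin/sh
# Added example (not from the thread): read Time Machine status the way the
# thread's grep pipeline does, with the log source separated from the parsing
# so the parsing can be exercised offline against constructed lines.
#
# Assumption: a sudoers rule as in post #7 exists for this user
# (Cmnd_Alias SYSLOG = /bin/cat /var/log/system.log ... NOPASSWD: SYSLOG),
# and the script only ever runs that exact command through sudo.

LOG=/var/log/system.log

# Read the log through the restricted sudo rule. -n makes sudo fail instead
# of prompting for a password if the NOPASSWD rule is missing, so an
# unattended script never hangs waiting for input.
read_system_log() {
    sudo -n /bin/cat "$LOG"
}

# Extract the most recent backupd completion/failure line from whatever log
# text arrives on stdin. Prints the matched message; returns 1 if none found.
last_backup_message() {
    msg=$(grep "backupd" | grep -Eo "Backup failed with error: .*|Backup completed .*" | tail -1)
    [ -n "$msg" ] || return 1
    printf '%s\n' "$msg"
}

# Map the message to a one-word status a central server can consume.
backup_status() {
    case "$1" in
        "Backup completed"*) echo OK ;;
        "Backup failed"*)    echo FAILED ;;
        *)                   echo UNKNOWN ;;
    esac
}

# Constructed sample lines in system.log's format, used only for the demo.
SAMPLE_LOG='Nov 28 10:01:02 mac com.apple.backupd[123]: Starting automatic backup
Nov 28 10:05:11 mac com.apple.backupd[123]: Backup completed successfully.
Nov 28 11:00:00 mac kernel[0]: unrelated message
Nov 28 12:03:44 mac com.apple.backupd[456]: Backup failed with error: 11'

# Run with --demo to parse the constructed lines; without it, use the real log
# via: read_system_log | last_backup_message
if [ "${1:-}" = "--demo" ]; then
    msg=$(printf '%s\n' "$SAMPLE_LOG" | last_backup_message)
    echo "last message: $msg"
    echo "status: $(backup_status "$msg")"
fi
```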
  10. dean1012 macrumors regular

    Joined:
    Jul 10, 2008
    #10
    Also note that setuid is actually 4, not 7 so it would be 4777 but the method I described previously would be more secure than using setuid or setting the shell script as owned by root.

    Also note that I do not believe Mac OS X allows setuid on shell scripts.
     
  11. Bolzenheim thread starter macrumors newbie

    Joined:
    Nov 28, 2013
    #11
    Hi dean

    I made the changes to the sudoers file (with nano, sorry for that ;)) and for the group staff.
    It works like a charm.
    Of course, it would be much nicer not to need to touch the file on every machine, but it's a possibility.
    Thank you!

    Best regards
     
  12. dean1012 macrumors regular

    Joined:
    Jul 10, 2008
    #12
    The solution I provided is the most elegant, secure solution I can think of.

    I would advise against using 'nano' or editing /etc/sudoers manually at all.

    'visudo' performs syntax checking when you save the file. Editing via nano or manually does not.

    If you make a syntax error or typo in /etc/sudoers it can result in a non-usable system or removal of your administrative privileges. Proceed with caution.
     