
#15 /var/log/watchdog global read permissions

v1.0 (example)
closed
nobody
None
5
2015-12-22
2015-12-09
No

The watchdog daemon creates the /var/log/watchdog directory with permissions 0750, thus denying global read permissions. But in my system, I want the directory and its files to be globally readable.

Wouldn't it be better to just use 0777 permissions, and rely on the current umask value to determine system permissions policy?

Discussion

  • Paul Crawford

    Paul Crawford - 2015-12-09

    As a general policy, no.
    The choice of permissions for log files (as a quick look at /var/log will show you) has several approaches, but often they are restricted in access to root (or members of the administrative group) as they can reveal information about other users and/or system settings that a potential attacker might make use of. This might not matter much in an embedded application, but is a serious issue on a multi-user server.
    For example, some scripts or log entries might reveal passwords or machine addresses that are sensitive, but that the implementer either could not avoid or did not think about.
    So I think it should be left at 0750, and the administrator can manually change it if needed (or script it if there are many machines to do). It might be better if group ownership was changed to 'adm' on the typical Ubuntu machines I am familiar with so you don't have to 'su' to read the files from such an account; however, I don't know enough about the multiple-distribution support or build processes to know how to safely make such a change.

     
  • Craig McQueen

    Craig McQueen - 2015-12-21

    Okay, it's not the way I'd do it, but I can live with that. I'll work around what the watchdog daemon does.

     
  • Paul Crawford

    Paul Crawford - 2015-12-22

    I don't think the mkdir() call will change existing permissions, so you can either change it after installing & running the watchdog, or create it before with the permissions you want.

    Still, it sounds like this can be closed.

     
  • Michael Meskes

    Michael Meskes - 2015-12-22
    • status: open --> closed
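
The two behaviours discussed in this ticket, as an added example (not code from the watchdog source or from the participants): how the mode passed to mkdir() combines with the process umask, and what a second mkdir() does to a directory that already exists. The scratch path under /tmp stands in for /var/log/watchdog, and the function names are assumptions made for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed scratch path standing in for /var/log/watchdog (no root needed). */
static const char *scratch_path(void)
{
    static char path[64];
    snprintf(path, sizeof path, "/tmp/watchdog-perm-demo-%ld", (long)getpid());
    return path;
}

/* mkdir(path, mode) under the given umask. Returns the permission bits the new
 * directory ends up with (mode & ~umask), or -1 on error. Cleans up after itself. */
static int fresh_dir_mode(mode_t mode, mode_t mask)
{
    const char *path = scratch_path();
    struct stat st;
    mode_t old = umask(mask);          /* temporarily apply the policy under test */
    int rc = mkdir(path, mode);
    umask(old);
    if (rc != 0 || stat(path, &st) != 0) { rmdir(path); return -1; }
    rmdir(path);
    return (int)(st.st_mode & 0777);
}

/* Pre-create the directory with `existing` permissions, then repeat a
 * daemon-style mkdir(path, requested). Returns the final permission bits,
 * or -1 unless the second mkdir() failed with EEXIST as expected. */
static int existing_dir_mode(mode_t existing, mode_t requested)
{
    const char *path = scratch_path();
    struct stat st;
    int result = -1;
    if (mkdir(path, 0700) != 0 || chmod(path, existing) != 0) { rmdir(path); return -1; }
    errno = 0;
    if (mkdir(path, requested) == -1 && errno == EEXIST && stat(path, &st) == 0)
        result = (int)(st.st_mode & 0777);   /* untouched by the failed mkdir() */
    rmdir(path);
    return result;
}

int main(void)
{
    printf("mkdir 0750, umask 022 -> %04o\n", (unsigned)fresh_dir_mode(0750, 022));
    printf("mkdir 0777, umask 022 -> %04o\n", (unsigned)fresh_dir_mode(0777, 022));
    printf("mkdir 0777, umask 000 -> %04o\n", (unsigned)fresh_dir_mode(0777, 000));
    printf("existing 0755, mkdir 0750 -> %04o\n", (unsigned)existing_dir_mode(0755, 0750));
    return 0;
}
```

With mode 0777 the result depends entirely on the umask the process happens to run with, so a process started with umask 000 gets a world-writable log directory, while a fixed 0750 gives the same result under any umask that does not mask those bits.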
     
