CentOS - May 2019 - Permissions on nginx logs

I will give 770 a try.  Nobody going to flip now that a single ?7? has been
posted?

> On May 6, 2019, at 12:06 AM, Simon Matter via CentOS <centos at
centos.org> wrote:
> 
> What's the access mode of it? Should probably be mode 770 then.


Cheers, Bee

On May 6, 2019, at 10:14 AM, Bee.Lists <bee.lists at gmail.com>
wrote:
> 
> I will give 770 a try.
Try 750 first.  You don?t need write access to do what you?re asking.

Also, the group membership change won?t take effect until you log out and back
in.
>  Nobody going to flip now that a single ?7? has been posted?
There is a clear analogue to herd immunity here:

    https://en.wikipedia.org/wiki/Herd_immunity

When sysadmins of Internet-attached hosts do things to make those hosts less
secure, that makes them easier to take over, which means the botnets and stolen
databases get bigger, which puts the rest of us on the Internet at greater risk.

So yeah, I think the rest of us do have some say in how you manage your systems?
security.  Not total, of course, but you should not dismiss good advice as
?flipping.?

In this particular case, the risk is that there is some credential or other
sensitive info logged by nginx which is now easier for an attacker to get at. 
Those logs are hidden away for that reason and more.

How big that risk is only you can say at this point.  If you?ve got a purely
static web site, for instance, there?s probably nothing important in that log,
but if it?s acting as a reverse proxy for a back-end service, nginx might be
logging passwords and such.

> On May 6, 2019, at 10:14 AM, Bee.Lists <bee.lists at gmail.com>
wrote:
>>
>> I will give 770 a try.
>
> Try 750 first.  You don?t need write access to do what you?re asking.
>
> Also, the group membership change won?t take effect until you log out and
> back in.
Thanks to correct me, both things are true, if he only wants to read logs
there, the 750 is sufficient of course.

Regards,
Simon