1

For an application I want to store specific data on a data recovery server. On the application and DR server I created a user test1 and copied the public key from application server user test1 to DR user test1's authorized_keys file. User test1 is added to the wheel group.

I set permission on drwxr-xr-x /var/log

I then created a cron job to rsync the data from the application server to the DR server:

sudo rsync -avz -e "ssh -i /home/test1/.ssh/my-ssh-key" /var/nfsshare/ [email protected]:/var/nfsshare > /var/log/nfs_cron-$(date +\%m-\%d-\%Y).log

When the cron executes I get the following error:

/bin/sh: /var/log/nfs_cron-08-26-2019.log: Permission denied

However, when I try to create a file manually it creates the file successfully.

sudo touch /var/log/test.txt

which creates the file as:

-rwxr-xr-x.  1 test1 test1 0 Aug 26 12:28 test.txt

Any thoughts?

Thanks!

2 Answers

4

You can create a directory and give permission to this user or you can use redirection/tee to write the log file.

For example using ACL:

mkdir -p /var/log/my_app/
setfacl -Rm g:MY_GROUP_ID:rwx /var/log/my_app/

The setfacl command is used to set up the ACL.

-R -> It's to be recursive and set up the ACL on all subfolders

-m -> It's to modify the ACL

g or u -> It's to define the group or user

rwx -> It's the permission to set up for the group/user

http://tldp.org/LDP/abs/html/abs-guide.html#SETFACLREF


Another way is using redirection/tee. With redirection, you can "filter" what you want to log into the file. For example:

Log and/or concatenate just in case of success

ls -lZ /tmp/myfile >> /var/log/mylog

Log everything (Sending stderr to stdout and writing into the same file)

ls -lZ /tmp/myfile >> /var/log/mylog 2>&1

or just use &>

ls -lZ /tmp/myfile &> /var/log/mylog

If you don't have permission to write on the destination file/directory, you can use tee to write. For example, appending (-a) and writing into the file /var/log/mylog.

ls -lZ /tmp/myfile | sudo tee -a /var/log/mylog

You can find some other examples and a better explanation in here:

https://www.tldp.org/LDP/abs/html/io-redirection.html

https://wiki.bash-hackers.org/howto/redirection_tutorial

https://wiki.bash-hackers.org/syntax/redirection


3

The problem is that the redirection is done by the user calling sudo, rather than by the sudo itself.

cmd > file

creates file before launching cmd, which means in your case that the regular user is trying to create the log, and then pass its filehandle to sudo to write to.

To confirm my theory, try this:

sudo echo test > /var/log/test.txt

and you should get the same error message.

You have to pass the filename to the command so that it is created by the program called by sudo. In your case, you could accomplish this by wrapping the whole thing into a script, for example.

1 Comment

Hi @joanis, I tried your recommendation and yes I got the same error. I have an additional, similar cronjob to run. So, I guess I will create a file for each and reference the files in the cronjob. Thank you for your info.
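
The wrapper approach from the second answer, as an added example that is not part of the original posts: sudo runs the script, so the log file is opened by the privileged process instead of by cron's /bin/sh. The function name run_logged, the install path, the schedule and the SRC/DEST placeholders in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not code from the posts. Intended use (hypothetical path and
# schedule), as a crontab entry:
#   0 2 * * * sudo /usr/local/sbin/run_logged.sh /var/log nfs_cron rsync -avz SRC DEST
# sudo starts this script, so the log is opened with sudo's privileges and not
# by cron's /bin/sh running as the unprivileged user.

# run_logged LOGDIR PREFIX CMD [ARGS...]
# Appends CMD's stdout and stderr to LOGDIR/PREFIX-MM-DD-YYYY.log, sets LOGFILE
# to that path and returns CMD's exit status.
run_logged() {
    if [ "$#" -lt 3 ]; then
        echo "usage: run_logged LOGDIR PREFIX CMD [ARGS...]" >&2
        return 64
    fi
    logdir=$1
    prefix=$2
    shift 2
    # The script runs privileged: keep PREFIX from pointing outside LOGDIR.
    case $prefix in
        '' | */* | .*) echo "run_logged: bad prefix: $prefix" >&2; return 64 ;;
    esac
    # No backslash before % here; that escaping is only needed in a crontab.
    LOGFILE=$logdir/$prefix-$(date +%m-%d-%Y).log
    # Basic guard: refuse a symlink at the log path. LOGDIR should still be
    # writable by root only.
    if [ -L "$LOGFILE" ]; then
        echo "run_logged: $LOGFILE is a symlink" >&2
        return 73
    fi
    (
        umask 027                             # new logs are not world-readable
        exec >>"$LOGFILE" 2>&1 || exit 73     # open failed: stop before CMD runs
        echo "== $(date '+%Y-%m-%d %H:%M:%S') start: $*"
        status=0
        "$@" || status=$?
        echo "== $(date '+%Y-%m-%d %H:%M:%S') exit status: $status"
        exit "$status"
    )
}

# Run directly with arguments: act as the wrapper. With none: define only.
[ "$#" -eq 0 ] || run_logged "$@"
```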
