<html>
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:blue;
        text-decoration:underline;}
p
        {margin-right:0in;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman";}
span.EmailStyle18
        {font-family:Arial;
        color:navy;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=blue>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Thanks for all the replies.</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>By the way the reason I said don't
say "because it isn't any of their business" is because of
politics. While I would love to say that (because it is the first thing
that occurred to me) I knew if that was the only reason provided I would be
instructed to give them access.</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>As an FYI: The reason this came up
is because my coworker made the mistake of telling the DBAs that he'd
seen a message about one of their applications doing a core dump.
Rather than going and looking at Oracle logs to determine what had occurred and
why they of course wanted immediate access to our logs in perpetuity. I don't
agree that there would be "no" value in giving them access but do
believe that most things that would require access to messages should require
them to engage System Admins. That is to say the downside to me seems
worse than the upside. Part of our discussion with our boss yesterday
included the fact that DBAs the world over always want to blame the OS or the
hardware rather than troubleshoot the DB and applications and in our view this
request was a part of that &#8211; they could see a message and ask us to
research it rather than troubleshoot the issue they are having that made them
look at the log in the first place. </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Another reason I gave our boss when we
discussed this yesterday was that if we had to reconfigure syslogd to ensure
that security related items never made it to messages then it would require us
admins to review multiple logs rather than see things in a linear fashion in a
single log. (Of course there already ARE other logs that we look at for
various purposes but there's nothing like a /var/log/messages file with
timestamps for quick and dirty check into system issues.) This
seemed to make an impact on him so I mention for posterity if someone else
needs reasons in the future.</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
ale-bounces@ale.org [mailto:ale-bounces@ale.org] <b><span style='font-weight:
bold'>On Behalf Of </span></b>Jim Kinney<br>
<b><span style='font-weight:bold'>Sent:</span></b> Tuesday, April 08, 2008
10:23 PM<br>
<b><span style='font-weight:bold'>To:</span></b> ale@ale.org<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [ale] Any reason not
to open read permissions to /var/log/messages?</span></font></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> </span></font></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>Well, there should be
nothing going into /var/log/messages pertaining to anything a DBA has perms to
resolve anyway.<br>
<br>
(I resisted the urge to scream "because it ISN'T any of their
business"!)<br>
<br>
Messages has connectivity data. If connections to the system are a problem,
that is not a DBA issue. It's a sysadmin issue. <br>
<br>
Others have discussed the accidental password as username issue and that is
ammo enough to bar all non-root-access users from ever gaining access to most
of /var/log. There is a reason why most database systems have their own log
file process and location.<br>
<br>
Lastly, the warm and fuzzy reason, it encourages close collaboration between
the DBA and systems people.<br>
<br>
Nah! Just kidding. The Sys Admins all know the DBAs are mostly one trick bozos
who couldn't type up a shell script with a book and a coach and the DBAs think
the admins are a bunch of hygiene challenged smug SOBs who just get in the way
of their glory moment.<br>
<br>
:-)</span></font></p>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>2008/4/8 Jeff Lightner &lt;<a href="mailto:jlightner@water.com">jlightner@water.com</a>&gt;:</span></font></p>
<div>
<div>
<p><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>/var/log/messages
is currently only read/write for root with no permissions for anyone else.</span></font></p>
<p><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>Other
than</span></font> <font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>"none of their business" can anyone tell me any
reason not to allow DBAs the ability to read the file (i.e. change it to be
read</span></font> <font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>for group and other)?</span></font></p>
</div>
</div>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br>
<br clear=all>
<br>
-- <br>
-- <br>
James P. Kinney III </span></font></p>
</div>
</body>
</html>