
Call for tail to read /var/log/syslog in a script results in "Permission Denied" in syslog


This script runs when a user connects to my OpenVPN server using `client-connect`. When run, it should check the most recent 50 log lines in syslog to grab the name of the profile that connected.

The issue I am running into is that when the script tries to read from syslog using `tail`, it gets denied due to insufficient permissions. Here are the permissions of the script itself, plus the owner, myuser:

```
ls -l /etc/openvpn/myscript.sh
-rwxr-xr-x 1 myuser adm 1274 
```

Running `groups myuser` produces `myuser : adm sudo`, so myuser is in adm and should have the proper permissions to read `/var/log/syslog`.

I've added `myuser ALL=(ALL) NOPASSWD: /etc/openvpn/myscript.sh` to the sudoers file, for when I had `sudo tail` in my script. This didn't change anything.

What else could be blocking this script from accessing /var/log/syslog?

Edit: Adding a sanitized version of the script.

```bash
#!/bin/bash

# Set the path to the OpenVPN log file
LOG_FILE=/var/log/syslog

# Set the email settings
SMTP_SERVER="smtp server here"
SMTP_PORT="xxx"
FROM_ADDRESS="fromMe@mail.com"
TO_ADDRESS="toMe@mail.com"
SUBJECT="Alert: OpenVPN Connection Established"
BODY1="A client has connected to the OpenVPN server using the profile: \""
BODY2="\". The source IP is: "
BODY3=". If you have not recently connected to the OpenVPN server from this IP, please remove the profile ASAP."


sendEmail() {
    logger "Starting email send.."
    # Get the last line of the OpenVPN log file
    # (the tail is what fails with "Permission denied" when OpenVPN runs the script)
    LAST_LINE=$(sudo -u myuser tail -n 50 "$LOG_FILE" | grep -m 1 "Peer Connection Initiated")

    logger "Outside the if"
    logger "Last Line Contents --> $LAST_LINE"
    # Check if the last line of the log file contains "Peer Connection Initiated"
    if echo "$LAST_LINE" | grep -q "Peer Connection Initiated"; then
        logger "Inside the if"
        # Extract the client IP (4th "]"-delimited field, minus the ":port" suffix)
        IP=$(echo "$LAST_LINE" | cut -d "]" -f4 | cut -d ":" -f1)
        # Extract the profile name from the brackets in the string
        PROFILE=$(echo "$LAST_LINE" | cut -d "]" -f2 | cut -d "[" -f2)
        BODY0="$BODY1$PROFILE$BODY2$IP$BODY3"
        # If the last line contains the string, send an email notification
        msmtp -a default "$TO_ADDRESS" <<EOF
From: $FROM_ADDRESS
To: $TO_ADDRESS
Subject: $SUBJECT

$BODY0
EOF

    fi
}

sendEmail
```

It's definitely not the cleanest script, I'm sure, as I worked with ChatGPT to create it. But hopefully this can help.
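The following is an added example, not the original poster's script. It keeps the same `cut` field layout the question's script uses to pull the profile name and source IP out of a "Peer Connection Initiated" line, and adds the one check a practitioner would want first when a script works under `sudo sh` but fails when a daemon invokes it: report the effective user, group list and whether the log is readable *as that identity*, which need not match the owner of the script file. It also takes the most recent match among the last 50 lines (`grep -m 1` on `tail` output returns the oldest one). The log lines are constructed for the example, not captured from a real server; the hostname, process name and addresses are assumptions.

```sh
#!/bin/sh
# Added example (not the original poster's script). POSIX sh, no bashisms.
set -eu

# Extract the profile name: 2nd "]"-field, then 2nd "["-field,
# the same positions the question's script relies on.
parse_profile() {
    printf '%s\n' "$1" | cut -d ']' -f2 | cut -d '[' -f2
}

# Extract the client source IP: 4th "]"-field, dropping the ":port" suffix.
parse_ip() {
    printf '%s\n' "$1" | cut -d ']' -f4 | cut -d ':' -f1
}

# Most recent "Peer Connection Initiated" line among the last 50 lines of $1.
# Empty output if there is none.
last_connection_line() {
    tail -n 50 "$1" | grep 'Peer Connection Initiated' | tail -n 1
}

# Who is actually running this, and can that identity read the log?
# Send this through logger from a client-connect script to see the daemon's
# real effective identity; a "Permission denied" on the log means this
# identity, not the script's owner, lacks read access.
describe_access() {
    log="$1"
    if [ -r "$log" ]; then status="readable"; else status="NOT readable"; fi
    printf 'user=%s group=%s groups=%s log=%s %s\n' \
        "$(id -un)" "$(id -gn)" "$(id -Gn | tr ' ' ',')" "$log" "$status"
}

# Build a constructed sample log (assumed hostname/process name/addresses).
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 10 12:00:01 vpn ovpn-server[1234]: 198.51.100.7:40000 TLS: Initial packet from [AF_INET]198.51.100.7:40000
Jan 10 12:00:02 vpn ovpn-server[1234]: alice/198.51.100.7:40000 [alice] Peer Connection Initiated with [AF_INET]198.51.100.7:40000
Jan 10 12:05:09 vpn ovpn-server[1234]: bob/203.0.113.5:51234 [bob] Peer Connection Initiated with [AF_INET]203.0.113.5:51234
Jan 10 12:05:10 vpn ovpn-server[1234]: bob/203.0.113.5:51234 MULTI_sva: pool returned IPv4=10.8.0.6
EOF
}

main() {
    sample="$(mktemp)"
    write_sample_log "$sample"
    describe_access "$sample"
    line="$(last_connection_line "$sample")"
    if [ -n "$line" ]; then
        echo "profile=$(parse_profile "$line") ip=$(parse_ip "$line")"
    else
        echo "no connection line found"
    fi
    rm -f "$sample"
}

main
```

Running it prints the identity line followed by `profile=bob ip=203.0.113.5`. To use the check in a real `client-connect` script, replace `echo` with `logger` and point `last_connection_line` at `/var/log/syslog`; the identity it reports is the one that must be in `adm` (or otherwise granted read access) for the `tail` to succeed.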

Artur Meinild
This isn't how permissions really work. The user running the script needs to have the proper permissions to read `/var/log/syslog` - else you need to run the entire script with `sudo`, and add `ALL=(ALL) NOPASSWD: /etc/openvpn/myscript.sh` to sudoers file for all the users who need this.
beekeeper
I've posted the script. I should note that when I do `sudo sh myscript.sh` with myuser, it runs and works perfectly. It's only when the script is run by openvpn, does it throw permission errors.
waltinator
__1.__ `/var/log/syslog` is no longer the only place things are logged. `journalctl` is the better, modern replacement. Read `man journalctl`, add the user to the `systemd-journal` group (`man adduser`), and your task gets simpler. __2.__ Always paste your script into `https://shellcheck.net`, a syntax checker, or install `shellcheck` locally. Make using `shellcheck` part of your development process.