Getting Data In

Deployed app on Universal Forwarder being created with 700 permissions (Linux Deployment Server to Linux UF)

twhitehead
New Member

Created an app on the deployment server which is used to tell the Universal Forwarder which directories and logs to monitor. There is no issue with this aspect; the logs are being monitored as expected.

What I would like to do is set up permissions on the Universal Forwarder so that other groups can read/write to the directories that are created by the UF.

  • Used RPM to install to /opt/splunkforwarder
  • splunk:splunk is used to own the files and run the service
  • setgid is configured on /opt/splunkforwarder
  • Set up file ACL permissions along with some defaults

    # file: opt/splunkforwarder/
    # owner: splunk
    # group: splunk
    # flags: -s-

    user::rwx
    group::rwx
    group:splunk:rwx
    mask::rwx
    other::r-x
    default:user::rwx
    default:group::rwx
    default:group:splunk:rwx
    default:mask::rwx
    default:other::r-x

However, when an app is deployed to the UF, the mask is not set on the ACL, stripping the newly created directory of the group permissions.

Access: (2700/drwx--S---) Uid: ( 205/ splunk) Gid: ( 205/ splunk)

# file: myapp/
# owner: splunk
# group: splunk
# flags: -s-
user::rwx
group::rwx        #effective:---
group:splunk:rwx  #effective:---
mask::---
other::---
default:user::rwx
default:group::rwx
default:group:splunk:rwx
default:mask::rwx
default:other::r-x

Logging in interactively or non-interactively, the directories are created with the expected permissions.
Access: (2775/drwxrwsr-x) Uid: ( 205/ splunk) Gid: ( 205/ splunk)

# file: test/
# owner: splunk
# group: splunk
# flags: -s-
user::rwx
group::rwx
group:splunk:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:splunk:rwx
default:mask::rwx
default:other::r-x

I can manually add the mask with sudo setfacl -Rm m:rwX myapp/ and the effective permissions will be as intended.
Access: (2770/drwxrws---) Uid: ( 205/ splunk) Gid: ( 205/ splunk)

0 Karma
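An added example, not part of the original post and not Splunk code: a small Python model of the acl(5) rule for object creation under a default ACL, showing how the mode passed at creation time produces the masks seen above. That the deployment client creates the app directory with mode 0700 is an assumption taken from the thread title; the function names are illustrative.

```python
# Model of acl(5) "object creation and default ACLs" (added example).
# An ACL is a dict: (tag, qualifier) -> permission bits (r=4, w=2, x=1).

def perms(s):
    """Convert 'r-x' to 5."""
    return sum(bit for ch, bit in zip(s, (4, 2, 1)) if ch != "-")

def show(bits):
    """Convert 5 to 'r-x'."""
    return "".join(c if bits & b else "-" for c, b in zip("rwx", (4, 2, 1)))

def parse_default_acl(text):
    """Collect the default: entries of getfacl output."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#")[0].strip()      # drop header lines and comments
        if line.startswith("default:"):
            tag, qual, p = line[len("default:"):].split(":")
            acl[(tag, qual)] = perms(p)
    return acl

def inherit(default_acl, mode):
    """Access ACL of an object created with `mode` under this default ACL.
    The umask is not consulted when the parent has a default ACL."""
    acl = dict(default_acl)
    acl[("user", "")] &= (mode >> 6) & 7
    # The group bits of `mode` limit the mask if one exists, else the owning group.
    group_key = ("mask", "") if ("mask", "") in acl else ("group", "")
    acl[group_key] &= (mode >> 3) & 7
    acl[("other", "")] &= mode & 7
    return acl

def effective(acl):
    """Named users, the owning group and named groups are ANDed with the mask."""
    mask = acl.get(("mask", ""), 7)
    out = {}
    for (tag, qual), bits in acl.items():
        if tag != "mask":
            limited = tag == "group" or (tag == "user" and qual != "")
            out[f"{tag}:{qual}"] = show(bits & mask if limited else bits)
    return out

# Default entries copied from the getfacl output in the post.
PARENT = """default:user::rwx\ndefault:group::rwx\ndefault:group:splunk:rwx
default:mask::rwx\ndefault:other::r-x"""

if __name__ == "__main__":
    for mode in (0o700, 0o777):   # 0700: assumed deployment mode; 0777: plain mkdir
        acl = inherit(parse_default_acl(PARENT), mode)
        print(oct(mode), "mask:", show(acl[("mask", "")]), effective(acl))
```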