From 88f3051d8a347d0a674a070449886b2ebdced2f7 Mon Sep 17 00:00:00 2001
From: Darren 'Tadgy' Austin
Date: Wed, 24 Jan 2024 17:21:52 +0000
Subject: [PATCH] Add log ACL fixing cronjob.
---
 cronjob-fix-log-acls | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100755 cronjob-fix-log-acls
diff --git a/cronjob-fix-log-acls b/cronjob-fix-log-acls
new file mode 100755
index 0000000..4313f92
--- /dev/null
+++ b/cronjob-fix-log-acls
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Sleep for up to a couple of minutes to prevent a race condition with other cron jobs.
+sleep $(( RANDOM % 120 ))
+
+# Secure /var/log
+shopt -s globstar
+GLOBIGNORE="/var/log/packages/:/var/log/setup/:/var/log/scripts/"
+# Set standard access perms for directories
+setfacl -m user::rwx,group::rx,other::- /var/log/**/
+setfacl -m user::rwx,group::rx,other::x /var/log/
+# Set standard access perms for files
+find /var/log -type f -exec setfacl -m user::rw,group::r,other::- {} +
+# Allow group 'admin' read access to all directories/files
+setfacl -m group:admin:rX /var/log/**/
+find /var/log -type f -exec setfacl -m group:admin:r {} +
+# Set default access for new files in directories.
+setfacl -dm user::rwX,group::rX,other::- /var/log/**/
+setfacl -dm group:admin:rX /var/log/**/
+# /var/log/wtmp needs to be readable by everyone
+setfacl -m user::rw,group::r,other::r /var/log/wtmp
+unset GLOBIGNORE
+
+# To clear above ACL settings:
+# setfacl -Rk /path
+# setfacl -Rx group:admin: /path
+# setfacl -Rx mask:: /path
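Review bot: The exclusions in `GLOBIGNORE` only affect the `/var/log/**/` globs; the two `find /var/log -type f -exec setfacl …` commands ignore them, so every file under /var/log/packages, /var/log/setup and /var/log/scripts still gets `other::-` applied while their parent directories are deliberately left alone, which is inconsistent with the stated intent of the exclusion list. Prune those paths in both `find` invocations, e.g. `find /var/log \( -path /var/log/packages -o -path /var/log/setup -o -path /var/log/scripts \) -prune -o -type f -exec setfacl -m user::rw,group::r,other::- {} +` and the same prune for the `group:admin:r` pass. Note also that `GLOBIGNORE` matches the listed directory names exactly, so any subdirectories inside them would presumably still be hit by the `**/` globs; if those trees can nest, the same prune-style exclusion (or a pattern with a trailing `*`) is needed there too. The script has no `set -e` and does not check `setfacl` exit status, so a filesystem that does not support ACLs or a transient error will leave the job silently incomplete; a `|| exit 1` or an explicit diagnostic to stderr on the critical calls would make failures visible in cron mail.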