Administration and Deployment

Log permissions are based on the umask setting. If you default umask is too limited you can updated the servers' associated _usermods.sh file to change the umask. This is described in the SAS Note below.

Usage Note 38040: Setting umask and ulimit values for SAS® sessions on UNIX and Linux

You could also modify the logconfig.xml file being used by the server and specify the permissions in the appender definition (see FilePermissions parameter).

SAS Logging Facility: FileAppender

Thanks for the reply. Is there any way to provide the read permission to only one user which is belong to "OTHERS". He is not a member of any group.

I tried ACL but its now getfacl command is not working in AIX server. Please advise?

The commands in AIX are aclget, aclput and acledit.

I would create a template file, use acledit to set the access control list for this file once, and then use

aclget template|aclput <logfile>

in your code to transfer the ACL to your logfile.

@Kurt_Bremser Thanks, these commands are working in AIX.

Could you please share the small example how can we use to provide read access to one user(OTHERS) on the following logs?

/usr/opt/SAS/SAS94/Lev1/ObjectSpawner/
/usr/opt/SAS/SAS94//Lev1/SASApp/OLAPServer/

As described in the acledit documentation, you set the extended permissions to enabled and then add a stanza

permit r-x u:username

(x must be set on directories, so the user in question can cd there; don't set it on files)

Thanks @Kurt_Bremser 

We have thousand of logs in these dir its very time consuming process to provide the read access to all these logs file.

I have tested one file and its working fine. Can we automate this task by writing any script? please advise.

I'd be inclined to set the setuid bit (+s) for that person in the ACL for the parent directory. That way, their permissions will be applied to any files created in the directory.

@Nigel_Pain Thanks for the reply.

Can you please share the example to implement on AIX? Thanks 

Apologies, @japsas100, I don't know AIX. And I'm trawling the back of my memory here, as I haven't worked with a UNIX system for quite a while. But in the permissions set, as well as the RWX flags there's also the setuid/setgid ones, which can be applied to user or group permissions with "+s". Once it's applied it appears as an "s" instead of the "x". 

Doing some real memory dredging, I think with the setfacl command for Solaris, you can also have default entries in ACLs, and I think they set the ACLs for any directory contents which are created. So you might get an equivalent with AIX. But I'll have to defer to other more knowledgeable, and more recently experienced folk to confirm what I'm saying, or not.

@Kurt_Bremser can you help here? 

First, look at the permission of a log file as it is written now. I think it should be world-readable (-rw-r--r--). If that is the case, any blocking of "unwanted" readers happens on the directory. If you implement the ACL there and enable that special user (permit r-x u:username), you should be good.

acledit works by running aclget, edit the result with vi, and the using aclput to set the ACL from the edited file. So you need a little basic knowledge of the vi editor.

Thanks @Kurt_Bremser 

As per business requirement, we can't provide the world-readable (-rw-r--r--) to all the logs. We use AIX acledit command to create a template at folder lever. 

for example 

Step 1) export EDITOR=/usr/bin/vi

Step 2) change the extended permissons as needed on Logs Dir (permit r-- u:tmpsas

Step 3) set the ACL recursive

aclget Logs | aclput -R Logs

With these steps we will provide the required read access to tmpsas user but how I can provide the same access to new files?

I can see new files are creating with default permission but I want to provide the same level access to new files as well. Do I need to create the shell script that will run on daily basis and provide the required access or is there any other simplest way?

Using NFS4 access control lists allows you to specify inheritance, but I am not familiar with those.

Do a google search for "aix nfs4 acl" to find out more.

You can make the files themselves world-readable (which is the case when using the default umask of 022), and control access by setting the ACL of the directory.

Edit: changed umask value to 022 (from 002)