Subject: syslog && LOG_AUTHPRIV
To: None <>
From: Luke Mewburn <>
List: current-users
Date: 10/18/1994 15:00:24

The current version of syslogd (from 4.4BSD-lite?) has a facility
level `authpriv' - which is supposed to be like auth.* but only log to
a secure file (i.e., one that has perms of 600).

Unfortunately, the current syslog.conf doesn't support the use of
this, which means you often get messages in /var/log/messages like:
	4 login failures from
	4 login failures from, ner

The latter message shouldn't appear in a world-readable file...

The solution is to change syslog.conf so that it looks something like:

*.err;kern.debug;auth.notice;authpriv.none	/dev/console
*.notice;kern.debug;lpr,;authpriv.none	/var/log/messages					/var/log/secure					/var/log/maillog					/var/log/lpd-errs					/var/cron/log
*.notice;auth.debug				root
*.emerg						*

(So that *.notice for /var/log/messages explicitly ignores any
authpriv stuff, and authpriv stuff goes to /var/log/secure, which has
permissions like 600...)

If you do this, don't forget to change /etc/newsyslog.conf so that
/var/log/secure gets rotated similar to /var/log/messages, but of
course, the backup files get perms of 600...

PS: files like wtmp, messages, and maillog should get a default
install permission of 600 not 664... Maybe the mtree stuff in
/usr/src/etc needs hacking for this too...

Luke Mewburn, <>
`Think of it as Evolution in Action.' - "Oath of Fealty", Niven & Pournelle
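
Added example, not part of the original message: a small audit of the condition described above, listing which syslog.conf rules still receive authpriv messages and which of their file targets are readable by group or other. The function names, the sample config and the `authpriv.*` selector for /var/log/secure are constructed for illustration, and only plain `facility.level` selectors are handled.

```python
import os
import stat

def routes_authpriv(selector):
    """True if a syslog.conf selector still matches authpriv after all its
    ';'-separated entries are applied in order (later entries override)."""
    matched = False
    for entry in selector.split(";"):
        facilities, dot, level = entry.strip().rpartition(".")
        if not dot:
            continue  # malformed or empty entry, e.g. a trailing ';'
        names = {f.strip() for f in facilities.split(",")}
        if "*" in names or "authpriv" in names:
            matched = level.strip() != "none"  # authpriv.none switches it off
    return matched

def authpriv_targets(conf_text):
    """Return the action field of every rule that receives authpriv messages."""
    targets = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!+":
            continue  # comments and program/host blocks
        parts = line.split(None, 1)
        if len(parts) == 2 and routes_authpriv(parts[0]):
            targets.append(parts[1].strip())
    return targets

def exposed_files(conf_text, mode_of=lambda p: os.stat(p).st_mode):
    """File targets receiving authpriv whose mode grants group/other access."""
    loose = stat.S_IRWXG | stat.S_IRWXO
    return [t for t in authpriv_targets(conf_text)
            if t.startswith("/") and mode_of(t) & loose]

# Constructed sample: the second rule lacks authpriv.none, so "*" pulls
# authpriv messages into a file that is readable by everyone.
SAMPLE = (
    "*.err;kern.debug;auth.notice;authpriv.none\t/dev/console\n"
    "*.notice;kern.debug\t/var/log/messages\n"
    "authpriv.*\t/var/log/secure\n"   # selector level assumed
    "*.emerg\t*\n"
)
SAMPLE_MODES = {"/var/log/messages": 0o644, "/var/log/secure": 0o600}

if __name__ == "__main__":
    print(exposed_files(SAMPLE, SAMPLE_MODES.get))
```

On a live system, call `exposed_files()` with the contents of /etc/syslog.conf and leave `mode_of` at its default so the real file modes are checked.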