Why is syslog a user?












When I check the /var/log, I find something very strange

me@me:~$ ls -lt /var/log | head -6
total 160368
-rw-r----- 1 syslog adm 19919118 Jan 15 16:55 auth.log
-rw-r----- 1 syslog adm 139702302 Jan 15 16:55 syslog
-rw-r----- 1 syslog adm 191122 Jan 15 16:55 mail.log
-rw-r----- 1 syslog adm 2210432 Jan 15 16:32 kern.log
-rw-r--r-- 1 root root 1741863 Jan 15 14:22 dpkg.log

Notice that the owner of the first four log files is syslog. It's weird, because there is only one user on my system:

me@me~$ users
me

Why could a filename syslog be a user?

asked 3 hours ago by Alice, edited 41 mins ago by Zanna

2 Answers

It has to do with security and permissions on accessing your system.

And no, you have A LOT MORE users than just your own user. There are "root", "daemon", "bin", "games", "nobody", "list".

Do a more /etc/passwd for a list of users on your system. You will see lots of lines with "/usr/sbin/nologin". That means those cannot be used as a normal user with a login like your own user can. The 3rd column is the user ID. All user IDs below 1000 are pseudo users. Your 1st sudo user (the one that installed the system) has 1000 by default.

Basically, user syslog is allowed to use the /var/log/ directory, which is set as a directory owned by root. To not have to compromise permissions on the directory (i.e. lower the permissions so other users can use it), this user was created.

The same is done with the users for apache and mysql (you will see a www-data user and group and a mysql user and group when you install these), but it is used for loads of things. There is a group "dialout" that is used to access devices to externals. Users get added to this group to allow the user to use these devices. Otherwise you will get a permission denied. Works 2 ways: denying a user access means removing the group.

answered 3 hours ago by Rinzwind, edited 2 hours ago

• That number hasn't always been 1000 though. I have worked on systems which had a long enough history that IDs of real users started from 20. – kasperd, 33 mins ago

• I know but Ubuntu always starts at 1000. Redhat for instance starts at 500. – Rinzwind, 27 mins ago

• Yes, but the users are not necessarily created locally. In my case they were received over NIS, these days it would probably have been LDAP. – kasperd, 22 mins ago

Because syslog is not a file; it is a daemon used by the system to store system daemon and application messages (debug, error, warn, info) to files.

Read here for a brief history of syslog.

In other distributions, like the Red Hat based ones, the syslog output for the system is stored in a file called messages; it depends on the configuration.

As @Rinzwind says, for security reasons different components in the operating system run as a specific user, and each user gets its own rights; for example, syslog at least has write rights on the /var/log folder.

There are a lot of users to run a lot of services; apache gets www-data|httpd|apache. Normally these daemon users do not get bash access, to avoid security leaks.

answered 2 hours ago by AtomiX84
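
The account checks both answers describe (UID ranges in /etc/passwd, nologin shells for daemon users), as an added shell example that is not part of either answer. It reads the regular-user UID range from /etc/login.defs instead of hard-coding 1000; the function names, the sample entries and the fallback values 1000 and 60000 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify passwd(5) entries by UID range and login shell.
# Note: `users` only lists logged-in sessions; accounts are defined in passwd.

# Constructed sample in passwd(5) format: name:password:UID:GID:gecos:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
svc-backup:x:998:998:constructed service account:/srv/backup:/bin/bash
me:x:1000:1000:Me,,,:/home/me:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# login_def KEY DEFAULT [FILE]: value of KEY in login.defs, or DEFAULT when
# the file or the key is missing. Commented-out keys are ignored.
login_def() {
    file=${3:-/etc/login.defs}
    val=
    [ -r "$file" ] && val=$(awk -v k="$1" '$1 == k { print $2; exit }' "$file")
    echo "${val:-$2}"
}

# classify_accounts UID_MIN UID_MAX: passwd lines on stdin, one line out per
# account: "name uid regular|system shell|nologin".
classify_accounts() {
    awk -F: -v min="$1" -v max="$2" '
        NF >= 7 {
            uid = $3 + 0
            # Regular users live in [UID_MIN, UID_MAX]; everything else
            # (daemon accounts, and "nobody" above UID_MAX) is a system account.
            kind = (uid >= min + 0 && uid <= max + 0) ? "regular" : "system"
            # nologin/false as the shell means no interactive login.
            login = ($7 ~ /\/(nologin|false)$/) ? "nologin" : "shell"
            print $1, uid, kind, login
        }'
}

# system_accounts_with_shell UID_MIN UID_MAX: system accounts other than root
# that still have an interactive shell, which deserve a second look.
system_accounts_with_shell() {
    classify_accounts "$1" "$2" |
        awk '$3 == "system" && $4 == "shell" && $2 != 0 { print $1 }'
}

uid_min=$(login_def UID_MIN 1000)
uid_max=$(login_def UID_MAX 60000)

# On a live system, pipe `getent passwd` in instead of the sample: it queries
# every configured NSS source (files, NIS, LDAP), not only /etc/passwd.
printf '%s\n' "$SAMPLE_PASSWD" | classify_accounts "$uid_min" "$uid_max"
```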
