Why is syslog a user?












3















When I check the /var/log, I find something very strange



me@me:~$ ls -lt /var/log |head -6 '
total 160368
-rw-r----- 1 syslog adm 19919118 Jan 15 16:55 auth.log
-rw-r----- 1 syslog adm 139702302 Jan 15 16:55 syslog
-rw-r----- 1 syslog adm 191122 Jan 15 16:55 mail.log
-rw-r----- 1 syslog adm 2210432 Jan 15 16:32 kern.log
-rw-r--r-- 1 root root 1741863 Jan 15 14:22 dpkg.log


Notice that the owner of the first four log file is syslog. It's weird, because there is only one user on my system:



me@me~$ users
me


Why could a filename syslog be a user?










share|improve this question









New contributor




Alice is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

























    3















    When I check the /var/log, I find something very strange



    me@me:~$ ls -lt /var/log |head -6 '
    total 160368
    -rw-r----- 1 syslog adm 19919118 Jan 15 16:55 auth.log
    -rw-r----- 1 syslog adm 139702302 Jan 15 16:55 syslog
    -rw-r----- 1 syslog adm 191122 Jan 15 16:55 mail.log
    -rw-r----- 1 syslog adm 2210432 Jan 15 16:32 kern.log
    -rw-r--r-- 1 root root 1741863 Jan 15 14:22 dpkg.log


    Notice that the owner of the first four log file is syslog. It's weird, because there is only one user on my system:



    me@me~$ users
    me


    Why could a filename syslog be a user?










    share|improve this question









    New contributor




    Alice is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.























      3












      3








      3








      When I check the /var/log, I find something very strange



      me@me:~$ ls -lt /var/log |head -6 '
      total 160368
      -rw-r----- 1 syslog adm 19919118 Jan 15 16:55 auth.log
      -rw-r----- 1 syslog adm 139702302 Jan 15 16:55 syslog
      -rw-r----- 1 syslog adm 191122 Jan 15 16:55 mail.log
      -rw-r----- 1 syslog adm 2210432 Jan 15 16:32 kern.log
      -rw-r--r-- 1 root root 1741863 Jan 15 14:22 dpkg.log


      Notice that the owner of the first four log file is syslog. It's weird, because there is only one user on my system:



      me@me~$ users
      me


      Why could a filename syslog be a user?










      share|improve this question









      New contributor




      Alice is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.












      When I check the /var/log, I find something very strange



      me@me:~$ ls -lt /var/log |head -6 '
      total 160368
      -rw-r----- 1 syslog adm 19919118 Jan 15 16:55 auth.log
      -rw-r----- 1 syslog adm 139702302 Jan 15 16:55 syslog
      -rw-r----- 1 syslog adm 191122 Jan 15 16:55 mail.log
      -rw-r----- 1 syslog adm 2210432 Jan 15 16:32 kern.log
      -rw-r--r-- 1 root root 1741863 Jan 15 14:22 dpkg.log


      Notice that the owner of the first four log file is syslog. It's weird, because there is only one user on my system:



      me@me~$ users
      me


      Why could a filename syslog be a user?







      users log






      share|improve this question









      New contributor




      Alice is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question









      New contributor




      Alice is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question








      edited 41 mins ago









      Zanna

      50.4k13133241




      50.4k13133241






      New contributor




      Alice is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 3 hours ago









      AliceAlice

      635




      635




      New contributor




      Alice is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      Alice is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      Alice is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






















          2 Answers
          2






          active

          oldest

          votes


















          6














          It has to do with security and permissions on accessing your system.



          And no you have A LOT MORE users then just your own user. There is "root", "daemon","bin", "games", "nobody", "list".



          Do a more /etc/passwd for a list of users on your system. You will see lots of lines with "/usr/sbin/nologin" That means those can not be used as a normal user with a login like your own user can. The 3rd column is the user ID. All user IDs below 1000 are pseudo users. Your 1st sudo user (the one that installed the system) has 1000 by default.



          Basically user syslog is allowed to use the /var/log/ directory that is set as a directory owned by root. To not have to compromise permissions on the directory (ie. lower the permissions so other users can use it) this user was created.



          The same is done with the user for apache and mysql (you will see a www-data user and group and a mysql user and group when you install these) but it is used for loads of things. There is a group "dialout" that is used to access devices to externals. Users get added to this group to allow the user to use these devices. Otherwise you will get a permission denied. Works 2 ways: denying a user access means removing the group.






          share|improve this answer


























          • That number hasn't always been 1000 though. I have worked on systems which had a long enough history that IDs of real users started from 20.

            – kasperd
            33 mins ago











          • I know but Ubuntu always starts at 1000. Redhat for instance starts at 500.

            – Rinzwind
            27 mins ago











          • Yes, but the users are not necessarily created locally. In my case they were received over NIS, these days it would probably have been LDAP.

            – kasperd
            22 mins ago



















          4














          Because syslog it is not a file, it is a daemon used by the system to store system daemon and application messages (debug,error,warn,info) to files.



          Read here for a brief of syslog history.



          In other distribution like the RedHat based, the syslog output for the system is stored in to file called messages it depends on configuration.



          as per @Rinzwind says, for security reason different components in the Operating System, run with a specific user, and each user get is own rights, for example syslog at least have the write rights on /var/log folder.



          There have a lot user to run a lot service, apache get www-data|httpd|apache normally this daemon user do not get bash access to avoid security leack.






          share|improve this answer























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "89"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });






            Alice is a new contributor. Be nice, and check out our Code of Conduct.










            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1109859%2fwhy-is-syslog-a-user%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            6














            It has to do with security and permissions on accessing your system.



            And no you have A LOT MORE users then just your own user. There is "root", "daemon","bin", "games", "nobody", "list".



            Do a more /etc/passwd for a list of users on your system. You will see lots of lines with "/usr/sbin/nologin" That means those can not be used as a normal user with a login like your own user can. The 3rd column is the user ID. All user IDs below 1000 are pseudo users. Your 1st sudo user (the one that installed the system) has 1000 by default.



            Basically user syslog is allowed to use the /var/log/ directory that is set as a directory owned by root. To not have to compromise permissions on the directory (ie. lower the permissions so other users can use it) this user was created.



            The same is done with the user for apache and mysql (you will see a www-data user and group and a mysql user and group when you install these) but it is used for loads of things. There is a group "dialout" that is used to access devices to externals. Users get added to this group to allow the user to use these devices. Otherwise you will get a permission denied. Works 2 ways: denying a user access means removing the group.






            share|improve this answer


























            • That number hasn't always been 1000 though. I have worked on systems which had a long enough history that IDs of real users started from 20.

              – kasperd
              33 mins ago











            • I know but Ubuntu always starts at 1000. Redhat for instance starts at 500.

              – Rinzwind
              27 mins ago











            • Yes, but the users are not necessarily created locally. In my case they were received over NIS, these days it would probably have been LDAP.

              – kasperd
              22 mins ago
















            6














            It has to do with security and permissions on accessing your system.



            And no you have A LOT MORE users then just your own user. There is "root", "daemon","bin", "games", "nobody", "list".



            Do a more /etc/passwd for a list of users on your system. You will see lots of lines with "/usr/sbin/nologin" That means those can not be used as a normal user with a login like your own user can. The 3rd column is the user ID. All user IDs below 1000 are pseudo users. Your 1st sudo user (the one that installed the system) has 1000 by default.



            Basically user syslog is allowed to use the /var/log/ directory that is set as a directory owned by root. To not have to compromise permissions on the directory (ie. lower the permissions so other users can use it) this user was created.



            The same is done with the user for apache and mysql (you will see a www-data user and group and a mysql user and group when you install these) but it is used for loads of things. There is a group "dialout" that is used to access devices to externals. Users get added to this group to allow the user to use these devices. Otherwise you will get a permission denied. Works 2 ways: denying a user access means removing the group.






            share|improve this answer


























            • That number hasn't always been 1000 though. I have worked on systems which had a long enough history that IDs of real users started from 20.

              – kasperd
              33 mins ago











            • I know but Ubuntu always starts at 1000. Redhat for instance starts at 500.

              – Rinzwind
              27 mins ago











            • Yes, but the users are not necessarily created locally. In my case they were received over NIS, these days it would probably have been LDAP.

              – kasperd
              22 mins ago














            6












            6








            6







            It has to do with security and permissions on accessing your system.



            And no you have A LOT MORE users then just your own user. There is "root", "daemon","bin", "games", "nobody", "list".



            Do a more /etc/passwd for a list of users on your system. You will see lots of lines with "/usr/sbin/nologin" That means those can not be used as a normal user with a login like your own user can. The 3rd column is the user ID. All user IDs below 1000 are pseudo users. Your 1st sudo user (the one that installed the system) has 1000 by default.



            Basically user syslog is allowed to use the /var/log/ directory that is set as a directory owned by root. To not have to compromise permissions on the directory (ie. lower the permissions so other users can use it) this user was created.



            The same is done with the user for apache and mysql (you will see a www-data user and group and a mysql user and group when you install these) but it is used for loads of things. There is a group "dialout" that is used to access devices to externals. Users get added to this group to allow the user to use these devices. Otherwise you will get a permission denied. Works 2 ways: denying a user access means removing the group.






            share|improve this answer















            It has to do with security and permissions on accessing your system.



            And no you have A LOT MORE users then just your own user. There is "root", "daemon","bin", "games", "nobody", "list".



            Do a more /etc/passwd for a list of users on your system. You will see lots of lines with "/usr/sbin/nologin" That means those can not be used as a normal user with a login like your own user can. The 3rd column is the user ID. All user IDs below 1000 are pseudo users. Your 1st sudo user (the one that installed the system) has 1000 by default.



            Basically user syslog is allowed to use the /var/log/ directory that is set as a directory owned by root. To not have to compromise permissions on the directory (ie. lower the permissions so other users can use it) this user was created.



            The same is done with the user for apache and mysql (you will see a www-data user and group and a mysql user and group when you install these) but it is used for loads of things. There is a group "dialout" that is used to access devices to externals. Users get added to this group to allow the user to use these devices. Otherwise you will get a permission denied. Works 2 ways: denying a user access means removing the group.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited 2 hours ago

























            answered 3 hours ago









            RinzwindRinzwind

            204k28389524




            204k28389524













            • That number hasn't always been 1000 though. I have worked on systems which had a long enough history that IDs of real users started from 20.

              – kasperd
              33 mins ago











            • I know but Ubuntu always starts at 1000. Redhat for instance starts at 500.

              – Rinzwind
              27 mins ago











            • Yes, but the users are not necessarily created locally. In my case they were received over NIS, these days it would probably have been LDAP.

              – kasperd
              22 mins ago



















            • That number hasn't always been 1000 though. I have worked on systems which had a long enough history that IDs of real users started from 20.

              – kasperd
              33 mins ago











            • I know but Ubuntu always starts at 1000. Redhat for instance starts at 500.

              – Rinzwind
              27 mins ago











            • Yes, but the users are not necessarily created locally. In my case they were received over NIS, these days it would probably have been LDAP.

              – kasperd
              22 mins ago

















            That number hasn't always been 1000 though. I have worked on systems which had a long enough history that IDs of real users started from 20.

            – kasperd
            33 mins ago





            That number hasn't always been 1000 though. I have worked on systems which had a long enough history that IDs of real users started from 20.

            – kasperd
            33 mins ago













            I know but Ubuntu always starts at 1000. Redhat for instance starts at 500.

            – Rinzwind
            27 mins ago





            I know but Ubuntu always starts at 1000. Redhat for instance starts at 500.

            – Rinzwind
            27 mins ago













            Yes, but the users are not necessarily created locally. In my case they were received over NIS, these days it would probably have been LDAP.

            – kasperd
            22 mins ago





            Yes, but the users are not necessarily created locally. In my case they were received over NIS, these days it would probably have been LDAP.

            – kasperd
            22 mins ago













            4














            Because syslog it is not a file, it is a daemon used by the system to store system daemon and application messages (debug,error,warn,info) to files.



            Read here for a brief of syslog history.



            In other distribution like the RedHat based, the syslog output for the system is stored in to file called messages it depends on configuration.



            as per @Rinzwind says, for security reason different components in the Operating System, run with a specific user, and each user get is own rights, for example syslog at least have the write rights on /var/log folder.



            There have a lot user to run a lot service, apache get www-data|httpd|apache normally this daemon user do not get bash access to avoid security leack.






            share|improve this answer




























              4














              Because syslog it is not a file, it is a daemon used by the system to store system daemon and application messages (debug,error,warn,info) to files.



              Read here for a brief of syslog history.



              In other distribution like the RedHat based, the syslog output for the system is stored in to file called messages it depends on configuration.



              as per @Rinzwind says, for security reason different components in the Operating System, run with a specific user, and each user get is own rights, for example syslog at least have the write rights on /var/log folder.



              There have a lot user to run a lot service, apache get www-data|httpd|apache normally this daemon user do not get bash access to avoid security leack.






              share|improve this answer


























                4












                4








                4







                Because syslog it is not a file, it is a daemon used by the system to store system daemon and application messages (debug,error,warn,info) to files.



                Read here for a brief of syslog history.



                In other distribution like the RedHat based, the syslog output for the system is stored in to file called messages it depends on configuration.



                as per @Rinzwind says, for security reason different components in the Operating System, run with a specific user, and each user get is own rights, for example syslog at least have the write rights on /var/log folder.



                There have a lot user to run a lot service, apache get www-data|httpd|apache normally this daemon user do not get bash access to avoid security leack.






                share|improve this answer













                Because syslog it is not a file, it is a daemon used by the system to store system daemon and application messages (debug,error,warn,info) to files.



                Read here for a brief of syslog history.



                In other distribution like the RedHat based, the syslog output for the system is stored in to file called messages it depends on configuration.



                as per @Rinzwind says, for security reason different components in the Operating System, run with a specific user, and each user get is own rights, for example syslog at least have the write rights on /var/log folder.



                There have a lot user to run a lot service, apache get www-data|httpd|apache normally this daemon user do not get bash access to avoid security leack.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered 2 hours ago









                AtomiX84AtomiX84

                61119




                61119






















                    Alice is a new contributor. Be nice, and check out our Code of Conduct.










                    draft saved

                    draft discarded


















                    Alice is a new contributor. Be nice, and check out our Code of Conduct.













                    Alice is a new contributor. Be nice, and check out our Code of Conduct.












                    Alice is a new contributor. Be nice, and check out our Code of Conduct.
















                    Thanks for contributing an answer to Ask Ubuntu!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1109859%2fwhy-is-syslog-a-user%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Magento 2 controller redirect on button click in phtml file

                    Polycentropodidae