Enabling secd Logging on DCE Client Hosts (410GR 17-Sep-2002)

By default, if a non-root user enables secd serviceability logging using the routing file, the log file created to contain the secd log messages on that system will not have the permissions required to let the non-root user write log messages to the file. In such cases, the logging messages could end up being displayed on the user's console screen. This is expected behavior on DCE client systems that do not run a security server or replica. On a machine that is running the security server or replica, the server or replica processes will already have the required permissions.

To allow a non-root user to write to the log file, you can follow the procedure below. These steps need to be performed by a root user. (Note: You may use a standard login policy for all non-root users, which would enable these steps at login.)

1. Log in as root on the system that requires non-root users to be able to write security serviceability messages.

2. Open /opt/dcelocal/var/svc/routing on that system and locate the entry that enables sec logging. This could be in the form of:

   sec:*.9:FILE:/opt/dcelocal/var/svc/sec.log

   In this example, the serviceability logging is being sent to /opt/dcelocal/var/svc/sec.log. Save the file and exit once the entry for sec logging is included in the routing file.

3. Check to see if /opt/dcelocal/var/svc/sec.log exists. If it does, check the current permissions on the file. It should have 644 as the default permission, allowing only root to write to it. Others have read-only access. If the file does not exist, create one by performing a touch command as shown below:

4. Now change the permissions on the file to give non-root users write access. You can do that by assigning permission 622 on the file:

Now non-root users will have write access to the file.
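
Steps 2 to 4 of the procedure as a shell function, added here as an example and not part of the original document. The function name enable_sec_log_write and its optional routing-file argument are assumptions for illustration; the default routing path, the entry format and mode 622 are taken from the steps above.

```shell
#!/bin/sh
# Added example: steps 2-4 of the procedure as one function. Run as root.
# The function name and the optional routing-file argument are assumptions;
# the default path, entry format and mode 622 come from the page.

enable_sec_log_write() {
    routing=${1:-/opt/dcelocal/var/svc/routing}

    [ -r "$routing" ] || { echo "cannot read $routing" >&2; return 1; }

    # Step 2: find the first entry whose component field is exactly "sec"
    # and whose destination type is FILE, in the form shown on the page:
    #   sec:*.9:FILE:/opt/dcelocal/var/svc/sec.log
    # The fourth colon-separated field is the log file path.
    log=$(awk -F: '$1 == "sec" && $3 == "FILE" { print $4; exit }' "$routing")
    [ -n "$log" ] || { echo "no sec FILE entry in $routing" >&2; return 2; }

    # Do not follow a symlink: chmod would change the link's target instead.
    [ ! -L "$log" ] || { echo "$log is a symlink, not changed" >&2; return 3; }

    # Step 3: create the log file if it does not exist yet, then show the
    # permissions it has before the change (expected default: 644).
    [ -e "$log" ] || touch "$log" || return 4
    ls -l "$log" >&2

    # Step 4: 622 = rw--w--w- (owner read/write, group and others write-only).
    chmod 622 "$log" || return 5

    # Print the path that was changed so callers can log or verify it.
    echo "$log"
}

# Usage, as root:
#   enable_sec_log_write            # uses /opt/dcelocal/var/svc/routing
```

Mode 622 makes the log writable by every local account, so its contents should not be treated as tamper-evident.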