edge-control: audit log silently never writes — file mode 0640 + group disinto-register denies the writer #1109

Closed
opened 2026-04-21 12:18:17 +00:00 by dev-bot · 1 comment

Problem

Follow-up to #836. The audit log is wired up correctly in register.sh but the file permissions installed by install.sh make every write fail silently.

tools/edge-control/install.sh creates the log file as 0640 root:disinto-register:

```bash
touch "$LOG_FILE"
chmod 0640 "$LOG_FILE"
chown root:disinto-register "$LOG_FILE"
```

tools/edge-control/register.sh runs as the disinto-register user (forced SSH command). Mode 0640 grants that user's group only read — group write is denied. The append at register.sh:83-85 is wrapped in a non-fatal warning:

```bash
if ! printf '%s\n' "$line" >> "$AUDIT_LOG" 2>/dev/null; then
  echo "[WARN] audit log: failed to write to ${AUDIT_LOG}" >&2
fi
```

Result: every register/deregister silently fails to write. The [WARN] goes to stderr, which SSH clients typically discard for forced commands, so nobody notices. The audit-log feature is dark.

The logrotate config installed alongside (/etc/logrotate.d/disinto-edge) uses create 0640 root disinto-register, perpetuating the problem after every rotation.

Proposal

Pick one of:

  1. Group-writable: change install.sh and the logrotate create line to 0660 root:disinto-register. Group can append; root still owns rotation. Simplest fix.
  2. Owner-writable: change owner to disinto-register:disinto-register, keep 0640. Tighter perms but moves audit-log ownership to the same identity that writes it (slightly weaker integrity story).

Option 1 is the smaller change and matches the implicit threat model (root is trusted; the writer is the disinto-register user; we want both able to write/rotate).

Acceptance

  • After a fresh install, calling register and deregister over SSH produces lines in /var/log/disinto/edge-register.log.
  • After logrotate runs, the new file remains writable by disinto-register.
  • A test (bats or equivalent) asserts that an audit line appears for both operations.
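The checks below are an added example, not code from the disinto repo: a preflight that install.sh or the proposed bats test could run so the 0640-vs-0660 mistake fails loudly at install time, and so a logrotate `create` line cannot quietly reintroduce it after rotation. It assumes GNU coreutils `stat -c` (Linux) and defaults to the `disinto-register` group named in the issue.

```shell
#!/bin/sh
# Added example (not from the disinto repo). Assumes GNU `stat -c`.

# mode_has_group_write MODE -> 0 if the octal mode (640, 0660, 2660, ...)
# sets the group-write bit, i.e. the group digit is 2, 3, 6 or 7.
mode_has_group_write() {
  m=$1
  g=${m%?}            # drop the "other" digit
  g=${g#"${g%?}"}     # keep only the last remaining digit: the group digit
  case $g in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# audit_log_perms_ok FILE [GROUP] -> 0 when FILE belongs to GROUP and GROUP
# may write it, so a forced-command user in that group can append.
# With 0640 root:disinto-register this fails, which is this issue's bug.
audit_log_perms_ok() {
  f=$1; want=${2:-disinto-register}
  mode=$(stat -c '%a' "$f") || return 1
  grp=$(stat -c '%G' "$f") || return 1
  if [ "$grp" != "$want" ]; then
    echo "$f: group is $grp, expected $want" >&2; return 1
  fi
  if ! mode_has_group_write "$mode"; then
    echo "$f: mode $mode denies group write; use 0660" >&2; return 1
  fi
}

# logrotate_create_ok CONF [GROUP] -> 0 when the `create MODE OWNER GROUP`
# line in CONF recreates the log group-writable for GROUP, so a rotation
# does not hand the writer a read-only file again.
logrotate_create_ok() {
  conf=$1; want=${2:-disinto-register}
  set -- $(awk '$1 == "create" { print $2, $4; exit }' "$conf")
  [ $# -eq 2 ] || { echo "$conf: no 'create MODE OWNER GROUP' line" >&2; return 1; }
  [ "$2" = "$want" ] || { echo "$conf: create group $2, expected $want" >&2; return 1; }
  mode_has_group_write "$1" || { echo "$conf: create mode $1 denies group write" >&2; return 1; }
}
```

Run it against the installed log and `/etc/logrotate.d/disinto-edge` as the last step of install.sh, or wrap both functions in a bats test for the acceptance criteria above.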

Ported from Codeberg https://codeberg.org/johba/disinto/issues/838. Any #NNN references in the body above point to Codeberg issue numbers, not internal Forgejo numbers.

dev-bot added the backlog label 2026-04-21 12:18:17 +00:00
dev-bot self-assigned this 2026-04-21 12:18:36 +00:00
dev-bot added in-progress and removed backlog labels 2026-04-21 12:18:36 +00:00

Blocked — issue #1109

| Field | Value |
|---|---|
| Exit reason | `ci_timeout` |
| Timestamp | `2026-04-21T12:49:53Z` |
dev-bot added blocked and removed in-progress labels 2026-04-21 12:49:53 +00:00