My name is Jay. I am an American living in Australia where I develop software and manage servers.
Like every good computer user, I log into my laptop every day as a non-administrator. Using OS X, it’s quite easy to still run installers and escalate to admin rights on a per-use basis. This means that if some nefarious process wants to go on a deleting spree, it will at least be quarantined to my user folder.
Like every good system administrator, I like to see what’s going on in system.log at any one time. I even use GeekTool to subtly, transparently overlay it on my desktop:
Only one problem, only Administrators can view system.log.
No problem! Easy fix. Add an ACL to allow the necessary user to have read access to it:
chmod +a 'jay allow read' /var/log/system.log
Well, there’s actually another problem. When the logs get rotated, you lose your ACL. So, I wrote this little shell script:
#!/bin/bash
PRIVILEGE='jay allow read'
LOG=/var/log/system.log
ACCESS=`ls -ale $LOG | grep "$PRIVILEGE"`
GEEKTOOL=GeekTool
if [ ! "$ACCESS" ]
then
echo "Access currendly denied."
echo -n "Updating..."
chmod +a "$PRIVILEGE" $LOG
echo "Done"
sleep 1
echo "Killing GeekTool"
killall GeekTool
sleep 1
echo "Opening GeekTool"
sudo -u jay open -a $GEEKTOOL
fi
exit 0
The scripts starts by checking if the user already have privileges. If they don’t, it updates the privileges, and restarts GeekTool. Now, don’t test this under your underprivileged user account, because naturally you won’t have the rights to chmod system.log. However, I still liked storing it in my user’s home folder for compartmentalization. In my specific case, I stored it here:
/Users/jay/Library/Scripts/Applications/Finder/Enable System Log Access.bash
Lastly, I created a launchd job to make this script run quite regularly to ensure system.log is viewable on my desktop:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key>
<true/>
<key>Label</key>
<string>net.thepracticeofcode.syslog</string>
<key>Program</key>
<string>/Users/jay/Library/Scripts/Applications/Finder/Enable System Log Access.bash</string>
<key>StartInterval</key>
<integer>30</integer>
</dict>
</plist>
This file needs to get stored in the /Library/LaunchDaemons folder at the root of your hard drive and owned by root:wheel. Name it whatever you’d like, but make sure the Label property matches the name (sans the .plist). Also, make sure the path to the script is valid. You don’t need to escape it.
You might notice I have set Disabled set to true. This is my default for all launchd.plists so that they have to manually loaded for use on any new computer. To do that:
launchctl load -w /Library/LaunchDaemons/net.thepracticeofcode.syslog.plist
Hopefully this will be of use to someone.
