We would like to be able to specify permissions of the log-files vmtoolsd generates
Is your feature request related to a problem? Please describe.
We are trying to get our systems as compliant with CIS Hardening profiles as possible. The tool we are using is a Puppet module called cis_security_hardening which performs a recursive permission change on everything in /var/log to 640. Unfortunately, every time vmtoolsd has to log something (which happens every time Puppet runs as it needs info from vmtoolsd), the log action causes the permissions to reset to 600, which Puppet subsequently changes to 640 again. As a result, no Puppet run will ever end without making any changes.
Describe the solution you'd like
Make the file mode of the log-files configurable so we can set these to 640 and prevent this back-and-forth change.
Describe alternatives you've considered
No response
Additional context
No response
We've set the log file permission to 600 here for security concerns: https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/lib/glibUtils/fileLogger.c#L331
For security hardening, mode 600 should be more secure than 640. If it is not convenient for you to change the Puppet config, there is a tools configuration option that lets you change the log file to a location other than /var/log; refer to the KB here: https://kb.vmware.com/s/article/1007873
We will also evaluate whether we could make this log file mode a configurable parameter in tools.conf. However, there is no guarantee we will make this change soon, as it changes existing behavior and may impact other customers.
After evaluation, we think 600 is normal practice for log files, which may contain sensitive data. So we will not change the 600 file permission setting for log files.