Re: current_logfiles not following group access and instead followslog_file_mode permissions - Mailing list pgsql-hackers

On Fri, Jan 18, 2019 at 09:50:40AM -0500, Stephen Frost wrote:
> Yes, we should update the documentation in this regard, though it's
> really an independent thing as that documentation should have been
> updated in the original group-access patch, so I'll see about fixing
> it and back-patching it.

Stephen, could you apply Hari's patch then?  I am not sure what the
consensus is, but documenting the restriction is the minimum we can
do.

-    The default permissions are <literal>0600</literal>, meaning only the
-    server owner can read or write the log files.  The other commonly
-    useful setting is <literal>0640</literal>, allowing members of the owner's
-    group to read the files.  Note however that to make use of such a
-    setting, you'll need to alter <xref linkend="guc-log-directory"/> to
-    store the files somewhere outside the cluster data directory.  In
-    any case, it's unwise to make the log files world-readable, since
-    they might contain sensitive data.
+    The default permissions are either <literal>0600</literal>, meaning only the
+    server owner can read or write the log files or <literal>0640</literal>, that
+    allows any user in the same group can read the log files, based on the new
+    cluster created with <option>--allow-group-access</option> option of <command>initdb</command>
+    command. Note however that to make use of any setting other than default,
+    you'll need to alter <xref linkend="guc-log-directory"/> to store the files
+    somewhere outside the cluster data directory.

I would formulate that differently, by just adding an extra paragraph
to mention that using <literal>0640</literal> is recommended to be
compatible with initdb's --allow-group-access instead of sticking it
on the middle of the existing paragraph.