Re: current_logfiles not following group access and instead follows log_file_mode permissions

On Fri, Jan 18, 2019 at 09:50:40AM -0500, Stephen Frost wrote:
> Yes, we should update the documentation in this regard, though it's
> really an independent thing as that documentation should have been
> updated in the original group-access patch, so I'll see about fixing
> it and back-patching it.

Stephen, could you apply Hari's patch then? I am not sure what the
consensus is, but documenting the restriction is the minimum we can
do.

- The default permissions are <literal>0600</literal>, meaning only the
- server owner can read or write the log files. The other commonly
- useful setting is <literal>0640</literal>, allowing members of the owner's
- group to read the files. Note however that to make use of such a
- setting, you'll need to alter <xref linkend="guc-log-directory"/> to
- store the files somewhere outside the cluster data directory. In
- any case, it's unwise to make the log files world-readable, since
- they might contain sensitive data.
+ The default permissions are either <literal>0600</literal>, meaning only the
+ server owner can read or write the log files or <literal>0640</literal>, that
+ allows any user in the same group can read the log files, based on the new
+ cluster created with <option>--allow-group-access</option> option of <command>initdb</command>
+ command. Note however that to make use of any setting other than default,
+ you'll need to alter <xref linkend="guc-log-directory"/> to store the files
+ somewhere outside the cluster data directory.

I would formulate that differently, by just adding an extra paragraph
to mention that using <literal>0640</literal> is recommended to be
compatible with initdb's --allow-group-access instead of sticking it
on the middle of the existing paragraph.
--
Michael