Home / server / Questions / 515845
Accepted
BurninLeo
Asked: 2013-06-15 05:57:05 +0800 CST

Tell Apache to create error.log/access.log as different user

  • 772

If you tell Apache to use CustomLog files, Apache2 will create these files on startup. And it always gives them to user root:root. How can I change this behavior?

Background

Apache runs with

SuexecUserGroup www-data www-data

and at the same time, I use a CustomLog that pipes it output to a script. The script removes two bytes from the IP and then wirtes to the logfile. As you cannot tell Apache to omit the IP from the error.log, this piped-output is important (regarding German privacy law).

The script cannot access my custom log if this does not belong to www-data.

If I change the owner, everthing works fine.

I also know how to change the file owner when logrotate renames and re-creates the logfile.

However, if I stop the Apache process, delete the logfiles, and then restart the Apache process, new files beloging to root:root are created.

How can I tell Apache to create the new, void files as/for www-data on startup?

apache-2.2

2 Answers

  1. Best Answer

    This sentence:

    The script cannot access my custom log if this does not belong to www-data.

    Is in direct contradiction with http://httpd.apache.org/docs/current/logs.html#piped:

    Piped log processes are spawned by the parent Apache httpd process, and inherit the userid of that process. This means that piped log programs usually run as root. It is therefore very important to keep the programs simple and secure.

    If the scenario you describe is somehow correct, you can still sidestep the issue by

    1. Ignoring the logfile name given in the config file
    2. Devising your own logfile name within the script
    3. Redirecting stdout to the file of your choosing as in (2)
    • 1

  2. I ran into the same problem, yet being unable to change the script that writes the log, I could change the script that interpreted it.

    Setup:

    1. Apache starts and creates the log files as root:root instead of www-data:www-data. This is because of the situation mentioned in OPs question.
    2. I want to run an analysis script on the logfile as non-root user (www-data) but it can't read the file. I do this as a cron from roots crontab
    3. So before the analysis script runs I run (as root) the command chown www-data:www-data /var/log/apache2/*.log. This changes the ownership of the logfiles (but not the parent directory) to www-data as intended and the analysis script can then read the file.

    Not the nicest solution and definitely not what you would want on a busy server, but on a small installation its good enough.

    gpjod mentions that this might be a security problem. The Apache Documentation says that the directory for the logs should not be writable to others.

    This is true but most likely true for all situations that solve the OPs question and you might want to read the security tips in the linked documentation. As in this particular instance the ownership is changed from root to www-data as it is intended to be (see the original question) I see no additional thread arising from my solution.

    • 0