I have a simple LAMP stack on CentOS set up. Apache is set up with vhosts and each developer has their web files inside their user folder. The directory structure is like so (for the user test):
/home/test
  |_ apache
     |_ domain1.com
        |_ backups
        |_ conf
           |_ vhost.conf
        |_ logs
           |_ errors.log
           |_ images.log
           |_ web.log
        |_ private
        |_ public
The vhost config is in the vhost.conf file. The log files in logs don't exist when the config is first set up, and this throws an error with Apache when I run service httpd restart:
(13)Permission denied: httpd: could not open error log file /home/test/apache/domain1.com/logs/error.log.
Unable to open logs
I tried running httpd -X as root and it created the log files (with root ownership/group). I thought it would be a case of making sure that the files are there, with the group set to apache and writeable (so I don't have to make the whole directory belong to the apache group and be writeable), but this confuses me:
[root@dev logs]# ls -al
total 16
drwxr-xr-x. 2 test developers 4096 Apr 18 21:02 .
drwxr-xr-x. 8 test developers 4096 Apr 18 20:25 ..
-rw-r--r--. 1 test developers 1818 Apr 18 21:02 error.log
-rw-r--r--. 1 test developers 14 Apr 18 20:25 .gitignore
-rw-r--r--. 1 test developers 0 Apr 18 20:54 image.log
[root@dev logs]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [FAILED]
[root@dev logs]# touch web.log
[root@dev logs]# chown test:developers web.log
[root@dev logs]# service httpd restart
Stopping httpd: [FAILED]
Starting httpd: [ OK ]
I'm confused because Apache runs as user apache and shouldn't have write access to the logs, should it? In fact, I can even do this:
[root@dev logs]# rm -f ./*.log
[root@dev logs]# touch {error.log,image.log,web.log}
[root@dev logs]# ls -al
total 12
drwxr-xr-x. 2 test developers 4096 Apr 18 21:10 .
drwxr-xr-x. 8 test developers 4096 Apr 18 20:25 ..
-rw-r--r--. 1 root root 0 Apr 18 21:10 error.log
-rw-r--r--. 1 test developers 14 Apr 18 20:25 .gitignore
-rw-r--r--. 1 root root 0 Apr 18 21:10 image.log
-rw-r--r--. 1 root root 0 Apr 18 21:10 web.log
[root@dev logs]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
I now have log files owned by root and it still starts up, and it writes to them too: if I tail web.log and browse to that page, the logs start showing up.
I'm obviously not quite grasping something here, so what am I missing? I would prefer not to have to create the log files manually and allow apache to do that itself, but regardless, I'd just like to understand why this is happening - especially when I get round to allowing PHP to mess with files.
Update
As requested, here is what I see in audit.log when I try to start Apache when the log files don't exist:
type=AVC msg=audit(1397906748.752:49390): avc: denied { write } for pid=19433 comm="httpd" name="logs" dev=md2 ino=7210204 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1397906748.752:49390): arch=c000003e syscall=2 success=no exit=-13 a0=7f9bb740e598 a1=80441 a2=1b6 a3=752e6f632e74756f items=0 ppid=19432 pid=19433 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=128 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
When running with the logs existing, nothing else is added to the log. The Permission denied: httpd: could not ... error was from the general log.
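Added example (not part of the original question or any of the answers): a small POSIX shell/awk filter that reduces auditd records like the one quoted above to one line per AVC denial, showing the denied permission, the process, the source and target SELinux types, the object class and the object name. For the record above it reports that httpd_t was refused write on a dir of type user_home_t named logs, which is the denial behind the "could not open error log file" failure. The sample input is constructed from the quoted record plus one made-up record, and the audit log path in the final comment is the assumed default.

```shell
#!/bin/sh
# Added example, not from the original thread: summarise SELinux AVC denials
# from auditd records. One output line per denial:
#   <permission> <comm> <source type> <target type> <tclass> <name>

# Constructed sample input: the AVC/SYSCALL pair quoted in the question plus
# one made-up AVC record, to show that non-AVC records are ignored and that
# several denials are reported one per line.
SAMPLE_AUDIT='type=AVC msg=audit(1397906748.752:49390): avc: denied { write } for pid=19433 comm="httpd" name="logs" dev=md2 ino=7210204 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1397906748.752:49390): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1397906750.100:49391): avc: denied { read } for pid=19433 comm="httpd" name="index.php" dev=md2 ino=7210300 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_summary: read audit records on stdin, print one summary line per denial.
# An SELinux context is user:role:type:level, so the type (httpd_t,
# user_home_t) is the third colon-separated field of scontext/tcontext.
avc_summary() {
    awk '
        /^type=AVC / && / denied / {
            perm = ""; comm = ""; name = ""; src = ""; tgt = ""; cls = ""
            # the denied permission set is printed between braces: "{ write }"
            if (match($0, /[{] [^}]* [}]/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")     comm = kv[2]
                if (kv[1] == "name")     name = kv[2]
                if (kv[1] == "scontext") src  = kv[2]
                if (kv[1] == "tcontext") tgt  = kv[2]
                if (kv[1] == "tclass")   cls  = kv[2]
            }
            gsub(/"/, "", comm); gsub(/"/, "", name)
            split(src, s, ":"); split(tgt, t, ":")
            printf "%s %s %s %s %s %s\n", perm, comm, s[3], t[3], cls, name
        }'
}

# sample_summary: run the filter over the constructed sample above.
sample_summary() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
}

# On a real host (assumed default auditd log path):
#   avc_summary < /var/log/audit/audit.log
sample_summary
```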
You are creating single files using touch and then you change the file owner via chown. For Apache to create its logfiles itself, write permissions on the containing directory are needed. Use chown -R (capital R = recursive) on the designated log directory.

I had the same problem just now. @Tim Alexander pointed me in the right direction. Disabling SELinux temporarily proved the problem to be with the SELinux configuration.
So after googling a bit more, I found a suggestion that basically said to make sure to replicate whatever SELinux configuration is on /var/www/html on the virtual host directory.
The first thing I did was to reiterate an SELinux issue on configuration files that I had every now and then, which I blogged about here: http://blog.ciuly.com/my-server/apache-on-linux-could-not-open-configuration-file-permission-denied/
But that wasn't the problem. However, I went into /var/www and issued "ls -Z", which showed
so all I did now was to
and refreshing the browser now correctly showed the site index, but still had the "cannot open log file" error in error_log.
I then had a good read (again) through https://wiki.centos.org/HowTos/SELinux
A good idea to run, at this point, is
Although the wiki does say to grep the audit.log and pass only that to sealert, I find that I want to solve all SELinux issues, not just the one that is bugging me now :)
Back to the problem at hand, sealert shows the following relevant alert:
sealert suggests doing the following
And that indeed solved the log problem.
So there you go, 3 SELinux issues I keep getting every year or so when I set up a new site with Apache on CentOS 5.x/6.x, and I still need to google it. Every single time.

You have changed the ownership of the files to be read/executable by group, but not writable by group, and I believe therein lies your problem. You can probably chmod 664 the files to make them readable and writeable by owner and group (and readable by anybody). They don't need to be executable.

I have the same issue: vhost logs are always owned by root with 640 permissions when created. A workaround is to write a script to chmod or chown the vhost log file, using a wildcard on the end of the file name to capture the date format on the end of the file, then cron that script to run once an hour or once a day; then your vhost logs will have the permissions you want.