We have Apache set to run as www user on a RedHat box, but its logs are written w/root ownership as the process itself runs as root. It seems the best course of running would be to 1) run rotatelogs as a non-root user, and 2) to put the logs in a place set aside for the user w/proper permissions.
Can this be done? I don't see a method here:
There is no need to do anything in respect of file ownership. Red Hat ships their systems with sensible defaults. Millions of web servers run every day with their httpd logs owned by root. Best practice is to leave well alone in this instance.
By default the httpd logs on a RH system are rotated using logrotate. This is run daily as the root user so there is no issue with the ownership. You can adjust the way the logs are rotated by editing the logrotate configuration (/etc/logrotate.conf, /etc/logrotate.d/httpd).
If you are using piped logs as your link suggests, then you will need to configure your own cron job to run as root.
This is all normal stuff.
The exact way to invoke it will depend on local configuration (e.g. apache is disabled by default on RHEL 6) but you can use sudo, runuser, etc. like this:

    ErrorLog "|sudo -u apache rotatelogs -f /var/log/httpd/errors.%Y-%m-%d.log 86400"
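To see which piped log programs in a configuration would still be launched as root, the following added example (not part of the original answers) scans httpd config text for `ErrorLog`, `CustomLog` and `TransferLog` pipes and reports the user each one runs as. The function names and the sample config are constructed for illustration, and only the `-u USER` form of `sudo`/`runuser` is recognised.

```python
import os
import shlex

LOG_DIRECTIVES = {"errorlog", "customlog", "transferlog"}
WRAPPERS = {"sudo", "runuser"}  # privilege-dropping launchers named in the answer

# Constructed sample config: line 1 is the answer's directive, line 2 has no wrapper.
SAMPLE = """\
ErrorLog "|sudo -u apache rotatelogs -f /var/log/httpd/errors.%Y-%m-%d.log 86400"
CustomLog "|/usr/sbin/rotatelogs /var/log/httpd/access.%Y-%m-%d.log 86400" combined
CustomLog logs/access_log combined
"""

def piped_log_user(line):
    """Return (program, user) for a piped-log directive, else None.

    user is "root" when no wrapper drops privileges, because the pipe is
    spawned by the parent httpd process, which runs as root.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0].lower() not in LOG_DIRECTIVES:
            return None
        if not tokens[1].startswith("|"):
            return None  # plain file target, opened by httpd itself
        cmd = shlex.split(tokens[1].lstrip("|$"))  # also covers "||" and "|$"
    except ValueError:  # unbalanced quotes: not parseable here
        return None
    if not cmd:
        return None
    prog = os.path.basename(cmd[0])
    if prog not in WRAPPERS:
        return (prog, "root")
    for i, arg in enumerate(cmd[1:], start=1):
        if arg == "-u" and i + 1 < len(cmd):
            rest = [a for a in cmd[i + 2:] if a != "--"]
            return (os.path.basename(rest[0]) if rest else prog, cmd[i + 1])
    return (prog, "unknown")  # wrapper present but target user not recognised

def audit(config_text):
    """Return (line_number, program, user) for every piped-log directive."""
    hits = ((n, piped_log_user(l)) for n, l in enumerate(config_text.splitlines(), 1))
    return [(n, *hit) for n, hit in hits if hit]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Any entry reported as `root` is a log program that inherits the parent httpd's privileges and is a candidate for the `sudo -u`/`runuser` wrapping shown above.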