I've got a folder full of log files, and I'm using `logrotate` to rotate them.

Until recently, I only had Apache log files in there - `access.log` and `error.log`. I've added a new log from a daemon, `daemon.log`. The daemon log is being written by a daemon running under the `www-data` user.

When it runs, `logrotate` creates a new log, with permissions of `640`, user `root` and group `adm`. Apache can write to the access and error logs with these permissions, but my daemon, running as `www-data`, can't.
As I see it, there are a few options:

- Change the `logrotate` config to manually specify which log files are given which permissions. But this means if I add a new log file, I need to remember to configure `logrotate` to manage it.
- Modify the `logrotate` script to somehow create an exception for the `daemon.log` file. Is that even possible?
- Move the daemon log to a new folder, with a separate `logrotate` script to manage log files in that new folder. Simple enough, but I'd like to keep all my logs together if I can.
- Set `logrotate` to create the files under a different user and group. Seems like this would risk missing log information.
- Add the `www-data` user to the `adm` group, and set permissions to `660`. I don't like the idea of giving the `www-data` user access to other stuff unintentionally.
- Set permissions on the log files to `666`. Seems like a crude solution.
None of those is ideal, and I'm pretty sure a couple are terrible. Is there another option, or is one of these my best bet? Am I missing something?
The standard answer is to make logrotate create the files with the ownership that the process will need in order to write to them. (I do not see why that would risk missing log information; perhaps you could elaborate on why you think this is a risk.)
You do that by adding the line
to the relevant bit of logrotate config. If you want to have the files with a particular permission, you add
instead.
Example:
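An added example of the approach described in the answer (not the answer's own configuration): one stanza keeps the existing `root:adm` ownership for the Apache logs, and a separate stanza gives only `daemon.log` a `create` line with `www-data` as owner. The directory `/var/log/myapp` and the rotation settings are assumptions.

```conf
# Added example, not from the answer above. Paths are assumed.

# Apache logs keep the current defaults: new files are created as
# root:adm with mode 640. Listing the files explicitly (instead of
# *.log) keeps daemon.log from matching two stanzas, which logrotate
# rejects as a duplicate entry.
/var/log/myapp/access.log /var/log/myapp/error.log {
    daily
    rotate 14
    compress
    delaycompress
    missingok
    notifempty
    create 640 root adm
}

# daemon.log gets its own stanza, so only this file is created owned
# by www-data. Mode stays 640 and group stays adm, so www-data gains
# no access to the other logs and nothing becomes world-readable.
# (If mode/owner/group are omitted, logrotate copies them from the
# existing log file instead.)
/var/log/myapp/daemon.log {
    daily
    rotate 14
    compress
    delaycompress
    missingok
    notifempty
    create 640 www-data adm
}
```

Running `logrotate -d /etc/logrotate.d/myapp` performs a dry run that prints which files each stanza would rotate and with what `create` settings, without touching anything.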