AWStats: cannot access /var/log/apache2/access.log
Solution 1
If you go for point 1 and it says that www-data should have at least read permission then the recomended is grant only read.
You can alter the line (in logrotate file):
create 640 root adm
to
create 644 root adm
To give all users (www-data included) read permission.
You'll need to change permissions existent files in /var/log/apache2/ to match this setting
chmod a+r /var/log/apache2/* #or whatever your path is
Then all the files can be read by all users and all the files that logrotate create in the future will have the adecuate permissions
Solution 2
In most setups:
- awstats runs as your apache user www-data;
- the apache log files are owned by root:adm and have -rw-r----- (aka: chmod 640) permissions; and
the ownership and permissions settings can be found in the file /etc/logrotate.d/apache2, the contents of which is:
/var/log/apache2/*.log { daily missingok rotate 60 compress delaycompress notifempty dateext create 640 root adm sharedscripts postrotate /etc/init.d/apache2 reload > /dev/null endscript }
The simplest solution is to:
1) Change "create 640 root adm" to "create 644 root adm" in /etc/logrotate.d/apache2 using your favorite text editor or, if you must script everything:
sudo sed -i 's/create 640 root adm/create 644 root adm/g' /etc/logrotate.d/apache2
2) Change the permissions on /var/log/apache2/access.log and /var/log/apache2/error.log to 644.
sudo chmod 644 /var/log/apache2/access.log /var/log/apache2/error.log
3) Restart apache.
sudo apachectl -k graceful
I've seen people adding the www-data to the adm user group as a solution. That's a lot more permissions for www-data than I'm comfortable with.
Other more secure options involve creating a new user & groups for awstats and making awstats run/execute as this new user/group.
Related videos on Youtube
Joril
Updated on September 17, 2022Comments
-
Joril over 1 year
I installed awstats on my new Ubuntu Lucid server, but when cron tries to run it as user
www-data
, it complains thatcannot access /var/log/apache2/access.log: Permission denied
.In
/usr/share/doc/awstats/README.Debian
there's this paragraph:By default Apache stores (since version 1.3.22-1) logfiles with uid=root and gid=adm, so you need to either...
1) Change the rights of the logfiles in /etc/logrotate.d/apache so that www-data has at least read access.
2) As 1) but change to a specific user, and use the suEXEC feature of Apache to run as same user (and either change the right of /var/lib/awstats as well or use another directory). This is more complicated, but then the logs are not generally accessible to the server (which was probably the point of the Apache default).
3) Change awstats.pl to group adm (but beware that you are then taking the risk of allowing a CGI-script access to admin stuff on the machine!).
I'd go with 1, but what are the recommended permissions to grant?
-
theTuxRacer over 13 yearsTry this, cant promise if it will work:
chown www-data:www-data <yourFile>
and thenchmod 655 <yourFile>
. -
Joril over 13 yearsWell to make awstats work it's enough to
chmod 755 /var/log/apache2
andchmod 644 access.log
, but I'd like a "this is the best pratice"-kind of answer :) Thanks for chiming in though! -
belacqua about 13 yearsI think you're right to go with #1 (with just read access, unless there is something else awstats needs). This gives access to a limited user account, and doesn't grant new access to anything beyond that.
-
-
alfonx about 10 yearsAnd for "all users" to be able to look into "/var/log/apache2/" do aditionally: chmod a+x /var/log/apache2/
-
Reinier Post over 8 yearsYet another solution would be to change the group of
/var/log/apache2
and everything under it towww-data
and make the files group-readable. This is slightly less permissive than making them world-readable. -
Admin about 2 yearswww-data should need to enter on the "/var/log/apache2" directory, but instead of adding permissions to all users I prefer to set the owner of the folder to www-date because root has always permissions.
chown www-data /var/log/apache2