AWStats: cannot access /var/log/apache2/access.log


Solution 1

If you go for point 1, and it says that www-data should have at least read permission, then the recommendation is to grant only read.

You can alter the line (in the logrotate file):

    create 640 root adm

to

    create 644 root adm

to give all users (www-data included) read permission.

You'll need to change the permissions of the existing files in /var/log/apache2/ to match this setting:

    chmod a+r /var/log/apache2/* #or whatever your path is

Then all the files can be read by all users, and all the files that logrotate creates in the future will have the adequate permissions.

Solution 2

In most setups:

  • awstats runs as your apache user www-data;
  • the apache log files are owned by root:adm and have -rw-r----- (aka: chmod 640) permissions; and
  • the ownership and permissions settings can be found in the file /etc/logrotate.d/apache2, the contents of which is:

    /var/log/apache2/*.log {
        daily
        missingok
        rotate 60
        compress
        delaycompress
        notifempty
        dateext
        create 640 root adm
        sharedscripts
        postrotate
                /etc/init.d/apache2 reload > /dev/null
        endscript
    }
    

The simplest solution is to:

1) Change "create 640 root adm" to "create 644 root adm" in /etc/logrotate.d/apache2 using your favorite text editor or, if you must script everything:

    sudo sed -i 's/create 640 root adm/create 644 root adm/g' /etc/logrotate.d/apache2

2) Change the permissions on /var/log/apache2/access.log and /var/log/apache2/error.log to 644.

    sudo chmod 644 /var/log/apache2/access.log /var/log/apache2/error.log

3) Restart apache.

    sudo apachectl -k graceful

I've seen people adding www-data to the adm user group as a solution. That's a lot more permissions for www-data than I'm comfortable with.

Other more secure options involve creating a new user & groups for awstats and making awstats run/execute as this new user/group.
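
Added example (not part of either answer above): a small shell model of the owner/group/other permission check, used to compare who ends up able to read the log under the options discussed on this page. The account name alice, the 750 root:adm directory mode and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Model of the Unix permission check. Only the FIRST matching class
# (owner, then group, then other) is consulted. root is not modelled.

in_list() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

# allowed_by BIT MODE OWNER GROUP USER "MEMBERSHIPS"
# BIT: 4 = read a file, 1 = search (enter) a directory.
# Prints the class that grants BIT, or "denied".
allowed_by() {
    bit=$1; mode=$(( 0$2 )); owner=$3; group=$4; user=$5; memberships=$6
    if [ "$user" = "$owner" ]; then class=owner; shift_by=6
    elif in_list "$group" "$memberships"; then class=group; shift_by=3
    else class=other; shift_by=0
    fi
    if [ $(( (mode >> shift_by) & bit )) -ne 0 ]; then
        echo "$class"
    else
        echo denied
    fi
}

# can_read_log "DIRMODE OWNER GROUP" "FILEMODE OWNER GROUP" USER "MEMBERSHIPS"
# Reading the log needs search on the directory AND read on the file.
can_read_log() {
    # $1 and $2 are left unquoted on purpose: each splits into three words.
    d=$(allowed_by 1 $1 "$3" "$4")
    f=$(allowed_by 4 $2 "$3" "$4")
    if [ "$d" = denied ]; then echo "denied(dir)"
    elif [ "$f" = denied ]; then echo "denied(file)"
    else echo "dir:$d,file:$f"
    fi
}

# Constructed table: label | directory | file | www-data's groups.
compare_options() {
    while IFS='|' read -r label dir file groups; do
        printf '%-24s www-data=%-22s alice=%s\n' "$label" \
            "$(can_read_log "$dir" "$file" www-data "$groups")" \
            "$(can_read_log "$dir" "$file" alice alice)"
    done <<'EOF'
default 640 root:adm|750 root adm|640 root adm|www-data
644 file only|750 root adm|644 root adm|www-data
644 file + 755 dir|755 root adm|644 root adm|www-data
www-data added to adm|750 root adm|640 root adm|www-data adm
chgrp www-data, 640|750 root www-data|640 root www-data|www-data
EOF
}

compare_options
```

The output shows the trade-off: the 644/755 row grants read through the "other" class, so alice can read the log too, while the two group-based rows keep every non-member out.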


Author by

Joril

Updated on September 17, 2022

Comments

  • Joril
    Joril over 1 year

    I installed awstats on my new Ubuntu Lucid server, but when cron tries to run it as user www-data, it complains that it cannot access /var/log/apache2/access.log: Permission denied.

    In /usr/share/doc/awstats/README.Debian there's this paragraph:

    By default Apache stores (since version 1.3.22-1) logfiles with uid=root and gid=adm, so you need to either...

    1) Change the rights of the logfiles in /etc/logrotate.d/apache so that www-data has at least read access.

    2) As 1) but change to a specific user, and use the suEXEC feature of Apache to run as same user (and either change the right of /var/lib/awstats as well or use another directory). This is more complicated, but then the logs are not generally accessible to the server (which was probably the point of the Apache default).

    3) Change awstats.pl to group adm (but beware that you are then taking the risk of allowing a CGI-script access to admin stuff on the machine!).

    I'd go with 1, but what are the recommended permissions to grant?

    • theTuxRacer
      theTuxRacer over 13 years
      Try this, can't promise if it will work: chown www-data:www-data <yourFile> and then chmod 655 <yourFile>.
    • Joril
      Joril over 13 years
      Well, to make awstats work it's enough to chmod 755 /var/log/apache2 and chmod 644 access.log, but I'd like a "this is the best practice"-kind of answer :) Thanks for chiming in though!
    • belacqua
      belacqua about 13 years
      I think you're right to go with #1 (with just read access, unless there is something else awstats needs). This gives access to a limited user account, and doesn't grant new access to anything beyond that.
  • alfonx
    alfonx about 10 years
    And for "all users" to be able to look into "/var/log/apache2/", additionally do: chmod a+x /var/log/apache2/
  • Reinier Post
    Reinier Post over 8 years
    Yet another solution would be to change the group of /var/log/apache2 and everything under it to www-data and make the files group-readable. This is slightly less permissive than making them world-readable.
  • Admin
    Admin about 2 years
    www-data needs to enter the "/var/log/apache2" directory, but instead of adding permissions for all users I prefer to set the owner of the folder to www-data, because root always has permissions. chown www-data /var/log/apache2