How to give the Apache group write access to log files, and an FTP user read-only access
You need to give execute permission on the logs directory, otherwise the user cannot enter the directory.
chmod 754 logs/
ServerBloke
Updated on September 18, 2022

Comments
- ServerBloke almost 2 years

Ubuntu 11.10 server

I have a user `bob` whose home directory is `/home/sites/bob`. In that there are directories `public_html` and `logs`. Apache runs under the `www-data` user. `bob`'s primary group is `www-data`. Apache updates the `access.log` and `error.log` in the `logs` directory. The two log files are owned by `root:root` and have permission `644`.

The `bob` user logs in to an FTP server which works. The problem is `bob` can delete or overwrite the two log files. I need Apache to be able to write to the logs, and for `bob` to only have read access - no overwriting or deleting the logs. How can this be done?

What I've tried:

    cd /home/sites/bob
    chown www-data:www-data logs
    chmod 644 logs

I expected this to work because it should give Apache write access and the `www-data` group (i.e. the `bob` user) just read access. What actually happens is in the FTP session `bob` can see `logs` in the directory list but he can't open it up; when he tries to change to `logs`, the error is:

    Command: CWD logs
    Response: 550 logs: No such file or directory
    Error: Failed to retrieve directory listing

So my question is how can I give write access to Apache (`www-data`) to `logs` but only read access (and no delete) to `bob`?
- ServerBloke over 11 years: Out of interest, do you know why Apache creates the log files with ownership `root:root`? I expected it to create them as `www-data:www-data`?
- faker over 11 years: Yes, this is a security measure. It prevents certain attacks. E.g. requesting a non-existing page in order to write evil code into the access/error log file, afterwards using a vulnerability in an installed application to include the logfile and execute the code. See also: httpd.apache.org/docs/2.2/logs.html
- ServerBloke over 11 years: Thank you. Finally, can I just ask why I need the execute permission on the owner and not the group? E.g. why `754` and not `674`, because the FTP user is the one that enters the directory and he gains permission through the group, not the owner?
- faker over 11 years: `754` gives execute permission to both the user and group. The user does not necessarily need it in your case (since the `www-data` user is part of the `www-data` group anyway) but in my opinion the permission is easier to read when also giving it to the user.
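The following shell script is an added example, not code from the original answer or comments. It serves both the accepted answer (`chmod 754 logs/` on a `www-data`-owned directory) and the `754` versus `674` exchange above: `describe_mode` decodes an octal mode into owner/group/other triplets so the difference between the two is visible, and `apply_log_perms` applies the fix to a directory and reports the resulting mode. The `www-data` user and group, the `root:root 644` log files and mode `754` come from the thread; the function names, the optional owner argument and the fallback to BSD `stat` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: decode an octal mode string
# (to compare 754 with 674) and apply the accepted answer to a log directory.
# The www-data user/group and mode 754 come from the thread; the function
# names and the optional OWNER:GROUP argument are assumptions.

# Turn one octal digit into its rwx triplet.
digit_to_rwx() {
    case "$1" in
        0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
        4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
        *) return 1 ;;
    esac
}

# describe_mode 754  ->  "owner=rwx group=r-x other=r--"
# Shows at a glance that 674 would hand the group (bob) the w bit on the
# directory, which is exactly the unlink/overwrite right the question
# wants taken away.
describe_mode() {
    m="$1"
    case "$m" in [0-7][0-7][0-7]) ;; *) return 1 ;; esac
    o=$(digit_to_rwx "$(printf '%s' "$m" | cut -c1)")
    g=$(digit_to_rwx "$(printf '%s' "$m" | cut -c2)")
    w=$(digit_to_rwx "$(printf '%s' "$m" | cut -c3)")
    echo "owner=$o group=$g other=$w"
}

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
path_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# apply_log_perms DIR [OWNER:GROUP]
# Applies the accepted fix: the directory is owned by the web server
# user/group and set to 754, so www-data can create files in it, group
# members such as bob can enter and list it (r-x) but cannot unlink or
# replace entries, and the root:root 644 log files inside stay readable
# to bob through their "other" bits. chown needs root, so it is skipped
# for unprivileged callers; the mode is always applied and printed.
apply_log_perms() {
    dir="$1"
    owner="${2:-www-data:www-data}"
    [ -d "$dir" ] || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$dir" || return 1
    fi
    chmod 754 "$dir" || return 1
    path_mode "$dir"
}
```

On the server from the question this is `apply_log_perms /home/sites/bob/logs` run as root. `describe_mode 674` prints `owner=rw- group=rwx other=r--`: the group, and so `bob`, would get write on the directory and could delete or replace the logs again, which is why the comments settle on `754`.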