How to give the Apache group write access to log files, and an FTP user read-only access

You need to give execute permission on the logs directory, otherwise the user cannot enter the directory.

chmod 754 logs/

Author: ServerBloke

Updated on September 18, 2022

Comments

  • ServerBloke
    ServerBloke almost 2 years

    Ubuntu 11.10 server

    I have a user bob whose home directory is /home/sites/bob. In that there are directories public_html and logs.

    Apache runs under the www-data user. bob's primary group is www-data. Apache updates the access.log and error.log in the logs directory. The two log files are owned by root:root and have permission 644.

    The bob user logs in to an FTP server which works. The problem is bob can delete or overwrite the two log files. I need Apache to be able to write to the logs, and for bob to only have read access - no overwriting or deleting the logs. How can this be done?

    What I've tried:

    cd /home/sites/bob
    chown www-data:www-data logs
    chmod 644 logs
    

    I expected this to work because it should give Apache write access and the www-data group (i.e. the bob user) just read access. What actually happens is that in the FTP session bob can see logs in the directory list, but he can't open it up. When he tries to change to logs, the error is:

    Command: CWD logs
    Response: 550 logs: No such file or directory
    Error: Failed to retrieve directory listing

    So my question is how can I give write access to Apache (www-data) to logs but only read access (and no delete) to bob?

  • ServerBloke
    ServerBloke over 11 years
    out of interest, do you know why Apache creates the log files with ownership root:root? I expected it to create them as www-data:www-data?
  • faker
    faker over 11 years
    Yes, this is a security measure. It prevents certain attacks, e.g. requesting a non-existent page in order to write evil code into the access/error log file, and afterwards using a vulnerability in an installed application to include the log file and execute the code. See also: httpd.apache.org/docs/2.2/logs.html
  • ServerBloke
    ServerBloke over 11 years
    Thank you. Finally, can I just ask why I need the execute permission on the owner and not the group? E.g. why 754 and not 674, because the FTP user is the one that enters the directory and he gains permission through the group, not the owner?
  • faker
    faker over 11 years
    754 gives execute permission to both the user and group. The user does not necessarily need it in your case (since the www-data user is part of the www-data group anyway), but in my opinion the permission is easier to read when also giving it to the user.
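To make the answer's point concrete, here is a small model of the POSIX owner/group/other check, written as an added example (not code from the question or the answer). It shows why chmod 644 on the logs directory locked bob out, why chmod 754 lets him list and read the logs, and why he still cannot delete them: unlinking a file is a write to the directory, so the log files' own 644 bits are irrelevant. The account, group and mode values are the ones from the question; the data structures are an assumption of the example.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # the three permission bits of one class

@dataclass
class Inode:
    owner: str
    group: str
    mode: int            # permission bits, e.g. 0o754

@dataclass
class Account:
    name: str
    groups: frozenset    # primary plus supplementary groups

def allowed(user: Account, node: Inode, want: int) -> bool:
    """Only the first matching class (owner, then group, then other) is consulted."""
    if user.name == "root":
        return True
    if user.name == node.owner:
        bits = (node.mode >> 6) & 7
    elif node.group in user.groups:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want

def can_enter(user, directory):   # CWD / path traversal needs x on the directory
    return allowed(user, directory, X)

def can_list(user, directory):    # a directory listing needs r and x
    return allowed(user, directory, R | X)

def can_delete(user, directory, entry):
    # Unlink is a write to the directory; the entry's own mode does not matter.
    return allowed(user, directory, W | X)

# Accounts and files as described in the question (constructed for this example).
bob = Account("bob", frozenset({"www-data"}))
www_data = Account("www-data", frozenset({"www-data"}))
access_log = Inode("root", "root", 0o644)  # log files as Apache creates them

def outcome(dir_mode: int) -> dict:
    """What bob and Apache can do once logs/ is chowned to www-data:www-data."""
    logs = Inode("www-data", "www-data", dir_mode)
    return {
        "bob_can_list": can_list(bob, logs),
        "bob_can_read_log": can_enter(bob, logs) and allowed(bob, access_log, R),
        "bob_can_delete_log": can_delete(bob, logs, access_log),
        "apache_can_delete_log": can_delete(www_data, logs, access_log),
    }
```

Running outcome(0o644) reproduces the "550 No such file or directory" situation (no x bit for the group), while outcome(0o754) gives bob listing and read access without the ability to delete.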