Permission denied on log file
Solution 1
The directory should be 750, not 664. Also, you should add the user to the adm group. That's actually largely the point of the adm group: reading logs.
Permissions on directories are a bit different than on files. To simplify a bunch, a directory is a list of names and addresses: the name is the filename, the address is the actual location of the file. The x permission controls access to this list: in order to look up the address of a specific file, you need the execute bit on its parent directory, and on that directory's parent, etc. The r permission then controls listing files: if you have --x, you can access a file if you know its name, but you can't ls. Lastly, w controls creating, renaming, and deleting files. So, in order to access a file, you always need the x bit.
Also: DON'T set the log files to 777. They should be 644 or 640, one of the two. Two reasons: one, they're not executable, so the x bit should be off. Second, more importantly, normal users should never be writing to Apache log files, only reading. That's a potential security hole in the server.
Solution 2
You need to set the execute flag on directories to be allowed to list the files contained.
But the better solution is not to alter the file permissions, but to add the user to the admin group (adm).
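The rules from the two answers above, as an added example (not code from the original page): a small Python check that walks the path from / down to the log file and reports the first missing x or r bit for a given user. It models only the classic owner/group/other mode bits; the UID/GID values and the 755 modes on /, /var and /var/log are constructed assumptions.

```python
# Added example: evaluates classic Unix mode bits only (no ACLs, no SELinux or
# AppArmor, no root override). All UIDs/GIDs below are constructed sample values.

def applicable_bits(mode, owner_uid, owner_gid, uid, gids):
    """Pick the single rwx triplet that applies: owner, else group, else other."""
    if uid == owner_uid:
        return (mode >> 6) & 0o7
    if owner_gid in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7

def can_read(chain, uid, gids):
    """chain: [(path, mode, owner_uid, owner_gid), ...] from / down to the file.
    Returns (allowed, explanation)."""
    *dirs, target = chain
    for path, mode, o_uid, o_gid in dirs:
        bits = applicable_bits(mode, o_uid, o_gid, uid, gids)
        if not bits & 0o1:  # search (x) bit missing on an ancestor directory
            listing = "names can still be listed" if bits & 0o4 else "names cannot be listed"
            return False, f"no x on {path} ({listing})"
    path, mode, o_uid, o_gid = target
    if not applicable_bits(mode, o_uid, o_gid, uid, gids) & 0o4:
        return False, f"no r on {path}"
    return True, "readable"

ROOT, ADM, KUBI = 0, 4, 1000  # constructed IDs for root, the adm group, the regular user
PARENTS = [("/", 0o755, ROOT, ROOT), ("/var", 0o755, ROOT, ROOT),
           ("/var/log", 0o755, ROOT, ROOT)]  # assumed modes for the parent directories

def scenario(dir_mode, file_mode, file_gid, gids):
    """Build the path chain for error.log with the given modes and test it for KUBI."""
    chain = PARENTS + [("/var/log/apache2", dir_mode, ROOT, ADM),
                       ("/var/log/apache2/error.log", file_mode, ROOT, file_gid)]
    return can_read(chain, KUBI, gids)

if __name__ == "__main__":
    print(scenario(0o664, 0o777, ROOT, {KUBI}))      # the question's setup
    print(scenario(0o750, 0o640, ADM, {KUBI}))       # fixed modes, user not in adm
    print(scenario(0o750, 0o640, ADM, {KUBI, ADM}))  # fixed modes, user in adm
```

The first scenario reproduces the question's symptom: with drw-rw-r-- on the directory, the names are listable but every file lookup is denied, no matter how open the files themselves are.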
Comments
-
Buksy over 1 year
I want to be able to view log files from Apache as a regular user. I have set these files to 777 as root but still cannot view them as a regular user, why is that?

    #I have set permissions for everyone
    root@senior:/var/log/apache2# ls -l
    total 200
    -rwxrwxrwx 1 root root 1951 Feb 27 23:07 access.log
    -rwxrwxrwx 1 root root 89508 Feb 27 23:07 error.log
    -rwxrwxrwx 1 root root 101601 Feb 27 23:06 other_vhosts_access.log
    #I have also set directory permission
    root@senior:/var/log# ls -l
    drw-rw-r-- 2 root adm 4096 Feb 27 23:08 apache2

But still cannot view the files

    kubi@senior:$ ls -l /var/log/apache2/
    ls: cannot access /var/log/apache2/other_vhosts_access.log: Permission denied
    ls: cannot access /var/log/apache2/error.log: Permission denied
    ls: cannot access /var/log/apache2/access.log: Permission denied
    total 0
    -????????? ? ? ? ? ? access.log
    -????????? ? ? ? ? ? error.log
    -????????? ? ? ? ? ? other_vhosts_access.log
    kubi@senior:/$ ls /var/log/apache2/error.log
    ls: cannot access /var/log/apache2/error.log: Permission denied

I'm running Debian
-
Buksy about 11 years
Thank you for the explanation on the x bit of a directory. One more question, is it secure to add a regular user to the adm group? I mean, what privileges will he gain except reading log files? Wouldn't he be able to run "sudo" commands (like apt-get, ...)? Isn't it more secure (and easier) to just alter log files permission? I want to be able just to read Apache log files as that user.
-
cpast about 11 years
adm doesn't let you sudo; it's just logs. It all depends why they are reading logs: are they someone who should be able to read all logs (e.g. a sysadmin), or do you just want them to read Apache logs? Part of the reason adm is generally better is that it still restricts reading logs to specific users.