Tell Apache to create error.log/access.log as different user
This sentence:
The script cannot access my custom log if this does not belong to www-data.
Is in direct contradiction with http://httpd.apache.org/docs/current/logs.html#piped:
Piped log processes are spawned by the parent Apache httpd process, and inherit the userid of that process. This means that piped log programs usually run as root. It is therefore very important to keep the programs simple and secure.
If the scenario you describe is somehow correct, you can still sidestep the issue by
1. Ignoring the logfile name given in the config file
2. Devising your own logfile name within the script
3. Redirecting stdout to the file of your choosing as in (2)
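A piped-log handler along the lines the answer describes, as an added example that is not the answerer's or Apache's own code: it ignores any filename Apache passes, opens a path of its own, and masks the client address before appending. The OP's "two bytes off the IP" is taken here as zeroing the last two IPv4 octets, and the IPv6 /48 truncation, the log path, the CustomLog line and the sample row are all assumptions.

```python
#!/usr/bin/env python3
"""Piped CustomLog handler: masks the client IP, then appends to a log file the
script chooses itself, so any filename Apache passes on argv is ignored.
Assumed wiring in httpd.conf (not from the page):
    CustomLog "|/usr/local/bin/anonlog.py" combined
Apache spawns this as root, so it stays small and opens its own file."""
import ipaddress
import os
import sys

# Assumed path and prefix lengths (not from the original page).
LOG_PATH = "/var/log/apache2/access-anon.log"
IPV4_PREFIX = 16   # keep a.b.0.0: drops the last two octets
IPV6_PREFIX = 48   # keep the first three 16-bit groups

# Constructed sample row in Apache combined format (documentation address).
SAMPLE_LINE = ('203.0.113.45 - - [10/Oct/2000:13:55:36 -0700] '
               '"GET /index.html HTTP/1.1" 200 2326\n')


def anonymize_ip(token: str) -> str:
    """Truncate an address to its prefix; non-addresses such as '-' pass through."""
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return token
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def anonymize_line(line: str) -> str:
    """Common/combined log format puts the client address first."""
    parts = line.split(" ", 1)
    return anonymize_ip(parts[0]) + " " + parts[1] if len(parts) == 2 else line


def run(src, path: str = LOG_PATH) -> int:
    """Append masked lines from `src` to `path`; returns the count written.
    O_APPEND stops concurrent writers overwriting each other; 0o640 hides
    the file from other local users."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o640)
    written = 0
    with os.fdopen(fd, "w", buffering=1) as out:   # line-buffered
        for line in src:
            out.write(anonymize_line(line))
            written += 1
    return written


if __name__ == "__main__":
    run(sys.stdin)   # reads Apache's piped output; argv is deliberately ignored
```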
BurninLeo
Updated on September 18, 2022
Comments
-
BurninLeo over 1 year
If you tell Apache to use CustomLog files, Apache2 will create these files on startup. And it always gives them to user root:root. How can I change this behavior?
Background
Apache runs with
SuexecUserGroup www-data www-data
and at the same time, I use a CustomLog that pipes its output to a script. The script removes two bytes from the IP and then writes to the logfile. As you cannot tell Apache to omit the IP from the error.log, this piped output is important (regarding German privacy law).
The script cannot access my custom log if this does not belong to www-data.
If I change the owner, everything works fine.
I also know how to change the file owner when logrotate renames and re-creates the logfile.
However, if I stop the Apache process, delete the logfiles, and then restart the Apache process, new files belonging to root:root are created.
How can I tell Apache to create the new, void files as/for www-data on startup?
-
BurninLeo almost 11 years
Hmm - good point. Thanks for this advice! It seems the problem was due to the fact that the logging script belonged to the wrong user! After giving it to root as well, everything works :)
-
SoumitaP over 6 years
This might be a security risk. From the Apache documentation: "Anyone who can write to the directory where Apache httpd is writing a log file can almost certainly gain access to the uid that the server is started as, which is normally root. Do NOT give people write access to the directory the logs are stored in without being aware of the consequences; see the security tips document for details."
-
Angelo Fuchs over 6 years
@gpojd my command does not change the directory of the path but changes the files themselves.
-
James Jones over 4 years
@gpojd - Correct that this creates a security issue and definitely worth mentioning. However I think it'd be a suitable solution in the scenario of a local development machine.
-
Angelo Fuchs over 4 years
@JamesJones I think the situation is more complex. The security risk is in the basic approach that is designed to exist by Apache itself (see the OP's standard attempts to set the rights of the file). So if it is a security problem it is inherent to all solutions and the comment should go to the question. - Nonetheless, I incorporated gpojd's comment and my situational analysis of it into the answer.