AWStats: cannot access /var/log/apache2/access.log

I installed awstats on my new Ubuntu Lucid server, but when cron tries to run it as user www-data, it complains: "cannot access /var/log/apache2/access.log: Permission denied".

In /usr/share/doc/awstats/README.Debian there's this paragraph:

By default Apache stores (since version 1.3.22-1) logfiles with uid=root and gid=adm, so you need to either...

1) Change the rights of the logfiles in /etc/logrotate.d/apache so that www-data has at least read access.

2) As 1) but change to a specific user, and use the suEXEC feature of Apache to run as same user (and either change the right of /var/lib/awstats as well or use another directory). This is more complicated, but then the logs are not generally accessible to the server (which was probably the point of the Apache default).

3) Change awstats.pl to group adm (but beware that you are then taking the risk of allowing a CGI-script access to admin stuff on the machine!).

I'd go with 1, but what are the recommended permissions to grant?


Solution 1:

In most setups:

  • awstats runs as your apache user www-data;
  • the apache log files are owned by root:adm and have -rw-r----- (aka: chmod 640) permissions; and
  • the ownership and permissions settings can be found in the file /etc/logrotate.d/apache2, the contents of which are:

    /var/log/apache2/*.log {
        daily
        missingok
        rotate 60
        compress
        delaycompress
        notifempty
        dateext
        create 640 root adm
        sharedscripts
        postrotate
                /etc/init.d/apache2 reload > /dev/null
        endscript
    }

The simplest solution is to:

1) Change "create 640 root adm" to "create 644 root adm" in /etc/logrotate.d/apache2 using your favorite text editor or, if you must script everything:

sudo sed -i 's/create 640 root adm/create 644 root adm/g' /etc/logrotate.d/apache2

2) Change the permissions on /var/log/apache2/access.log and /var/log/apache2/error.log to 644.

sudo chmod 644 /var/log/apache2/access.log /var/log/apache2/error.log

3) Restart apache.

sudo apachectl -k graceful

I've seen people add www-data to the adm group as a solution. That's a lot more permissions for www-data than I'm comfortable with.

Other, more secure options involve creating a new user and group for awstats and making awstats run as that user/group.

Solution 2:

If you go for option 1, which says that www-data should have at least read permission, then the recommended approach is to grant only read.

You can alter the line (in logrotate file):

create 640 root adm

to

create 644 root adm

To give all users (www-data included) read permission.

You'll need to change the permissions of the existing files in /var/log/apache2/ to match this setting:

chmod a+r /var/log/apache2/* # or whatever your path is

Then all the files can be read by all users, and all the files that logrotate creates in the future will have the adequate permissions.
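The steps both answers describe (relax the logrotate `create` directive from 640 to 644, then fix the permissions on the logs that already exist), as one added example script that is not part of either answer. The function names, the LOGROTATE_CONF/LOGDIR variables and the Debian/Ubuntu default paths are my assumptions; point the two variables at a scratch directory to rehearse the change without root. The mode change is deliberately the only edit: owner root and group adm stay as they are, so www-data can read the logs but still cannot write to them.

```shell
#!/bin/sh
# Added example (not from the original answers): the "create 644 root adm"
# change plus the chmod on the existing logs, wrapped in functions that can be
# checked. LOGROTATE_CONF and LOGDIR are assumed defaults (Debian/Ubuntu paths);
# override them to rehearse the change in a scratch directory without root.
set -eu

LOGROTATE_CONF="${LOGROTATE_CONF:-/etc/logrotate.d/apache2}"
LOGDIR="${LOGDIR:-/var/log/apache2}"

# Step 1: change only the mode in the create directive. Owner root and group adm
# are kept, so the logs stay non-writable by www-data.
relax_logrotate_create() {
    conf="$1"
    tmp="$conf.tmp.$$"
    sed 's/^\([[:space:]]*\)create 640 root adm/\1create 644 root adm/' "$conf" > "$tmp"
    cat "$tmp" > "$conf"      # write through the existing inode, keeping its owner and mode
    rm -f "$tmp"
    grep -q 'create 644 root adm' "$conf"
}

# Step 2: logrotate only applies the new mode at the next rotation, so the logs
# Apache already has open must be fixed by hand. Only the two live logs named in
# the answer are touched; rotated/compressed copies are left alone.
fix_existing_logs() {
    dir="$1"
    for f in "$dir/access.log" "$dir/error.log"; do
        if [ -f "$f" ]; then
            chmod 644 "$f"
        fi
    done
}

# Check: every *.log in the directory is exactly 644 (owner-writable, readable by
# everyone, writable by nobody else). Returns 1 on the first file that differs.
check_log_modes() {
    dir="$1"
    for f in "$dir"/*.log; do
        [ -e "$f" ] || continue
        [ -n "$(find "$f" -prune -perm 644)" ] || return 1
    done
    return 0
}

# Optional, needs root: confirm that the www-data account itself can open the
# access log, which is the condition the awstats cron job actually depends on.
check_read_as_www_data() {
    su -s /bin/sh -c "test -r '$1/access.log'" www-data
}

# Usage on a real server, as root, after sourcing this file (step 3 of the
# answer, the graceful restart, follows once the check passes):
#   relax_logrotate_create "$LOGROTATE_CONF"
#   fix_existing_logs "$LOGDIR"
#   check_log_modes "$LOGDIR" && apachectl -k graceful
```

`check_log_modes` uses `find -perm 644` (an exact mode match) rather than parsing `ls -l`, so it also catches a log that was accidentally made group- or world-writable, which is the direction of mistake that matters for a file the web server process can reach.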