AWStats: cannot access /var/log/apache2/access.log
I installed awstats on my new Ubuntu Lucid server, but when cron tries to run it as user www-data
, it complains that cannot access /var/log/apache2/access.log: Permission denied
.
In /usr/share/doc/awstats/README.Debian
there's this paragraph:
By default Apache stores (since version 1.3.22-1) logfiles with uid=root and gid=adm, so you need to either...
1) Change the rights of the logfiles in /etc/logrotate.d/apache so that www-data has at least read access.
2) As 1) but change to a specific user, and use the suEXEC feature of Apache to run as same user (and either change the right of /var/lib/awstats as well or use another directory). This is more complicated, but then the logs are not generally accessible to the server (which was probably the point of the Apache default).
3) Change awstats.pl to group adm (but beware that you are then taking the risk of allowing a CGI-script access to admin stuff on the machine!).
I'd go with 1, but what are the recommended permissions to grant?
Solution 1:
In most setups:
- awstats runs as your apache user www-data;
- the apache log files are owned by root:adm and have -rw-r----- (aka: chmod 640) permissions; and
-
the ownership and permissions settings can be found in the file /etc/logrotate.d/apache2, the contents of which is:
/var/log/apache2/*.log { daily missingok rotate 60 compress delaycompress notifempty dateext create 640 root adm sharedscripts postrotate /etc/init.d/apache2 reload > /dev/null endscript }
The simplest solution is to:
1) Change "create 640 root adm" to "create 644 root adm" in /etc/logrotate.d/apache2 using your favorite text editor or, if you must script everything:
sudo sed -i 's/create 640 root adm/create 644 root adm/g' /etc/logrotate.d/apache2
2) Change the permissions on /var/log/apache2/access.log and /var/log/apache2/error.log to 644.
sudo chmod 644 /var/log/apache2/access.log /var/log/apache2/error.log
3) Restart apache.
sudo apachectl -k graceful
I've seen people adding the www-data to the adm user group as a solution. That's a lot more permissions for www-data than I'm comfortable with.
Other more secure options involve creating a new user & groups for awstats and making awstats run/execute as this new user/group.
Solution 2:
If you go for point 1 and it says that www-data should have at least read permission then the recomended is grant only read.
You can alter the line (in logrotate file):
create 640 root adm
to
create 644 root adm
To give all users (www-data included) read permission.
You'll need to change permissions existent files in /var/log/apache2/ to match this setting
chmod a+r /var/log/apache2/* #or whatever your path is
Then all the files can be read by all users and all the files that logrotate create in the future will have the adecuate permissions