Tell Apache to create error.log/access.log as different user

If you tell Apache to use CustomLog files, Apache2 will create these files on startup. And it always gives them to user root:root. How can I change this behavior?

Background

Apache runs with

SuexecUserGroup www-data www-data

and at the same time, I use a CustomLog that pipes its output to a script. The script removes two bytes from the IP and then writes to the logfile. As you cannot tell Apache to omit the IP from the error.log, this piped-output is important (regarding German privacy law).

The script cannot access my custom log if this does not belong to www-data.

If I change the owner, everything works fine.

I also know how to change the file owner when logrotate renames and re-creates the logfile.

However, if I stop the Apache process, delete the logfiles, and then restart the Apache process, new files belonging to root:root are created.

How can I tell Apache to create the new, void files as/for www-data on startup?


Solution 1:

This sentence:

The script cannot access my custom log if this does not belong to www-data.

is in direct contradiction with http://httpd.apache.org/docs/current/logs.html#piped:

Piped log processes are spawned by the parent Apache httpd process, and inherit the userid of that process. This means that piped log programs usually run as root. It is therefore very important to keep the programs simple and secure.

If the scenario you describe is somehow correct, you can still sidestep the issue by

  1. Ignoring the logfile name given in the config file
  2. Devising your own logfile name within the script
  3. Redirecting stdout to the file of your choosing as in (2)
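The three steps above, as an added example (not code from the question or the answer): a minimal piped-log program that takes its own destination path as an argument, creates the file itself, hands it to the www-data user from the question when it is running as root, masks the last two octets of a leading IPv4 address, and appends the result. The script path, the `/var/log/apache2/access.log` destination and the sample log lines are assumptions; the behaviour for a non-dotted-quad first field (written as `-`) is a design choice, not something the page specifies.

```shell
#!/bin/sh
# anonlog.sh (hypothetical name): piped CustomLog target.
# Assumed Apache configuration (not from the page):
#   CustomLog "|/usr/local/bin/anonlog.sh /var/log/apache2/access.log" combined
# Piped loggers inherit httpd's parent uid (normally root), so this stays small:
# no shell-outs per line, no parsing beyond the first field.

LOG_OWNER=www-data:www-data   # from the question's SuexecUserGroup line

# Mask an access-log line: keep the first two octets of a leading IPv4
# address, zero the last two ("two bytes removed"). A first field that is
# not a dotted quad (IPv6, hostname) is replaced by "-" rather than logged
# unmasked. Output is printed, so callers can capture it with $(...).
anonymize_line() {
    entry=$1
    ip=${entry%% *}            # first whitespace-delimited field
    rest=${entry#"$ip"}        # remainder, including its leading space
    case $ip in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*)
            first=${ip%%.*}
            tmp=${ip#*.}
            second=${tmp%%.*}
            printf '%s%s\n' "$first.$second.0.0" "$rest"
            ;;
        *)
            printf '%s%s\n' "-" "$rest"
            ;;
    esac
}

# Create the destination if it is missing (never truncate an existing log),
# group-readable only, and chown it to the unprivileged owner when we are root.
# Re-checked before every write so a file removed or rotated away by
# logrotate is recreated with the same ownership instead of as root:root.
ensure_logfile() {
    dest=$1
    if [ ! -e "$dest" ]; then
        ( umask 027; : > "$dest" )
        if [ "$(id -u)" -eq 0 ]; then
            chown "$LOG_OWNER" "$dest"
        fi
    fi
}

# Read raw log lines from httpd on stdin, append masked lines to $1.
run_piped_logger() {
    dest=$1
    ensure_logfile "$dest"
    while IFS= read -r line; do
        ensure_logfile "$dest"
        anonymize_line "$line" >> "$dest"
    done
}

# Constructed sample line (RFC 5737 documentation address), used only for the
# stand-alone demo below; Apache supplies real lines on stdin.
SAMPLE_LINE='192.0.2.77 - - [10/Oct/2000:13:55:36 -0700] "GET / HTTP/1.0" 200 2326'

if [ "$#" -ge 1 ]; then
    run_piped_logger "$1"
else
    printf 'usage: %s /path/to/access.log  (reads log lines on stdin)\n' "$0" >&2
    printf 'demo in : %s\n' "$SAMPLE_LINE"
    printf 'demo out: %s\n' "$(anonymize_line "$SAMPLE_LINE")"
fi
```

Because the script opens the file by name for every append, it keeps working across a logrotate rename without a restart, and because it runs with httpd's parent uid it can create and chown the file regardless of what the configured path's permissions were before, which is the point the answer makes about the quoted sentence.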