I've got a folder full of log files, and I'm using logrotate to rotate them.

Until recently, I only had Apache log files in there - access.log and error.log. I've added a new log from a daemon, daemon.log. The daemon log is being written by a daemon running under the www-data user.

When it runs, logrotate creates a new log, with permissions of 640, user root and group adm. Apache can write to the access and error logs with these permissions, but my daemon, running as www-data, can't.

As I see it, there are a few options:

  1. Change the logrotate config to manually specify which log files are given which permissions. But this means if I add a new log file, I need to remember to configure logrotate to manage it.
  2. Modify the logrotate script to somehow create an exception for the daemon.log file. Is that even possible?
  3. Move the daemon log to a new folder, with a separate logrotate script to manage log files in that new folder. Simple enough, but I'd like to keep all my logs together if I can.
  4. Set logrotate to create the files under a different user and group. Seems like this would risk missing log information.
  5. Add the www-data user to the adm group, and set permissions to 660. I don't like the idea of giving the www-data user access to other stuff unintentionally.
  6. Set permissions on the log files to 666. Seems like a crude solution.

None of those is ideal, and I'm pretty sure a couple are terrible. Is there another option, or is one of these my best bet? Am I missing something?


The standard answer is to make logrotate create the files with the ownership that the process will need in order to write to them. (I do not see why that would risk missing log information; perhaps you could elaborate on why you think this is a risk.)

You do that by adding the line

create owner group

to the relevant bit of logrotate config. If you want to have the files with a particular permission, you add

create mode owner group

instead.

Example:

create 644 www-data www-data
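Putting that directive to work on the layout described in the question, as an added example that is not part of the original answer: one logrotate file covers the whole folder, with a separate stanza for daemon.log so it alone gets a different owner. The folder path /var/log/mylogs, the rotation schedule and the reload commands are assumptions; the directives themselves (`create`, `copytruncate`, `postrotate`, `sharedscripts`) are standard logrotate options.

```conf
# Added example, not from the original answer. The folder path, schedule
# and service names are assumptions made for illustration.
#
# logrotate rejects a log that is matched by more than one stanza as a
# duplicate, so the Apache logs are listed explicitly rather than with
# *.log, which would also pull in daemon.log.

/var/log/mylogs/access.log /var/log/mylogs/error.log {
    weekly
    rotate 8
    missingok
    notifempty
    compress
    delaycompress
    # Apache's root parent opens the files, so root:adm 640 is fine here.
    create 640 root adm
    sharedscripts
    postrotate
        # Assumption: the web server is managed by systemd as apache2.
        systemctl reload apache2 > /dev/null 2>&1 || true
    endscript
}

/var/log/mylogs/daemon.log {
    weekly
    rotate 8
    missingok
    notifempty
    compress
    delaycompress
    # The daemon runs as www-data, so the fresh file is owned by www-data.
    # Group stays adm and mode stays 640: admins can still read the log,
    # www-data is not added to adm, and the file is not opened up to 666.
    create 640 www-data adm
    # If the daemon does not reopen its log after rotation, replace the
    # create line with "copytruncate": the original file is then kept
    # (ownership unchanged) and truncated in place instead of recreated.
}
```

Check the result before relying on it: `logrotate -d /etc/logrotate.d/mylogs` performs a dry run and prints what each stanza would do, and `ls -l /var/log/mylogs` after a forced run (`logrotate -f`) should show daemon.log as www-data:adm and the Apache logs as root:adm, all 640. The separate stanza is the per-file exception asked about in option 2 of the question; anything new that lands in the folder still needs its own entry, which is the trade-off of option 1 rather than something `create` can remove.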