Score:0

Apache - Give Access to /var/log/ Folder Only, Outside the Document Root? (CentOS Based)

My web server is running on Apache and I have restricted the Apache user so that it is not allowed anything outside the website document root. However, I need to write a log file (user auth log) which needs to be written into the folder "/var/log/app".

How do I achieve this task in CentOS 7? Should I use a symlink? If so, can that be secure enough? This log file will contain very sensitive data about the users, so I don't want to give full access to the Apache user (only write permission), and I don't want to keep it in a folder that is in the document root either.

What is the best solution for this type of scenario?

Score:0

Create /var/log/app/.

Then modify the permissions so that the Apache user can only write to the directory:

chown -R apache:apache /var/log/app/

chmod -R 330 /var/log/app/

With this configuration, only root, apache and sudo-privileged users can write to the folder.

And only root and sudo-privileged users can read the logs.

This way, if the Apache service becomes compromised, the attacker will not be able to read the sensitive logs without performing some kind of privilege escalation attack.

Michael Hampton: You also need to set an appropriate SELinux context.

mahen3d: @MichaelHampton Yeah, I tried this solution. I think the issue is SELinux. Do you have any solutions or references for how I can allow this in SELinux?
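
A check for the layout described in the answer and the SELinux comment, added here as an example and not taken from the thread. The function name `audit_log_dir`, its arguments, and the SELinux type `httpd_log_t` in the usage line are assumptions; it relies on GNU `stat`, as shipped with CentOS.

```shell
#!/bin/sh
# Added example (not from the answer): audit a log directory such as
# /var/log/app against the layout the answer describes (mode 330, owned by
# the Apache user). Function name and arguments are hypothetical.
#
# Usage: audit_log_dir DIR [OWNER] [SELINUX_TYPE]
#   audit_log_dir /var/log/app apache httpd_log_t
# httpd_log_t is an assumed type; the page does not say which one to use.
audit_log_dir() {
    dir=$1; want_owner=${2:-apache}; want_type=${3:-}; rc=0

    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 2; }

    # GNU stat: octal mode, owner name, group name.
    set -- $(stat -c '%a %U %G' "$dir")
    mode=$1; owner=$2; group=$3
    perms=$(( 0$mode & 0777 ))   # leading 0 makes the shell read it as octal

    # A read bit on a directory lets that class list the log file names.
    [ $(( perms & 0440 )) -eq 0 ] ||
        { echo "FAIL: owner or group can list $dir (mode $mode)"; rc=1; }
    # The answer's mode 330 leaves nothing for "other".
    [ $(( perms & 0007 )) -eq 0 ] ||
        { echo "FAIL: others have access to $dir (mode $mode)"; rc=1; }
    # Write and search are both required to create a file inside.
    [ $(( perms & 0300 )) -eq $(( 0300 )) ] ||
        { echo "FAIL: owner cannot create files in $dir (mode $mode)"; rc=1; }
    [ "$owner" = "$want_owner" ] ||
        { echo "FAIL: owner is $owner:$group, expected $want_owner"; rc=1; }

    # Optional SELinux check: %C prints user:role:type:level.
    if [ -n "$want_type" ]; then
        setype=$(stat -c '%C' "$dir" 2>/dev/null | cut -d: -f3)
        [ "$setype" = "$want_type" ] ||
            { echo "FAIL: SELinux type is '$setype', expected $want_type"; rc=1; }
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir mode=$mode owner=$owner:$group"
    fi
    return "$rc"
}
```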