Apache - Give Access to /var/log/ folder Only Outside the Document Root ? (Centos Based)

mahen3d

12/3/22, 10:59 AM

My Web server is running on Apache and I have restricted the Apache user not to allow anything outside the Website Document Root, However, I need to write a log file (User Auth Log) which needs to be written into a folder of the "/var/log/app"

How do I achieve this task in Centos7? Should I use a symlink? if so Can that be secure enough? because this log file will contain very sensitive data about the users, so I don't want to give full entire access to Apache user(only write permission), AND I don't want to keep it in a folder that is in the Document Root as well?

What is the best solution for this type of scenario?

1 + 0

centos

apache-2.2

Score:0

Server

slightly_toasted

12/3/22, 6:39 PM

Create /var/log/app/.

Then modify the permissions so that the Apache user can only write to directory:

chown -R apache:apache /var/log/app/

chmod -R 330 /var/log/app/

With this configuration only root, apache and sudo privileged users can write to the folder.

And only root and sudo privileged users and read the logs.

This way, if the Apache service becomes compromised, the attacker will not be able to read the sensitive logs without performing some kind of privilege escalation attack.

0 + 2

Michael Hampton

12/3/22, 7:03 PM

You also need to set an appropriate SELinux context.

mahen3d

12/3/22, 10:38 PM

@MichaelHampton Yeah I tried this solution, i think the issue is the SELinux, do you have any solutions or reference how i can allow this in SELinux?

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Apache - Give Access to /var/log/ folder Only Outside the Document Root ? (Centos Based)

TH: Apache - ให้สิทธิ์การเข้าถึงโฟลเดอร์ /var/log/ เฉพาะภายนอกรูทเอกสาร ? (ตาม Centos)

RO: Apache - Oferiți acces la folderul /var/log/ numai în afara rădăcinii documentului? (Bazat pe Centos)

RU: Apache - предоставить доступ к папке /var/log/ только за пределами корня документа? (на основе Centos)

VI: Apache - Chỉ cấp quyền truy cập vào thư mục /var/log/ bên ngoài thư mục gốc của tài liệu? (Dựa trên Centos)

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.