Score:0

Httpd Directory read permissions only issue


In my scenario, I need the 'httpd' directory in '/var/log/' to be readable by the users in the 'devs' group (Amazon Linux 2). Could anyone guide me on how to accomplish this?

We have a few developers who maintain the system and I want them to easily read the log files in /var/log/httpd without needing root access.

Can this help?

chmod -R go+r /var/log/httpd

or chmod -R go+rX /var/log/httpd

Or do I need to go with:

chmod 644 /var/log/httpd

chgrp -R apache /var/log/httpd
chmod 02750 /var/log/httpd
chmod 0640 /var/log/httpd/*
create 0640 root apache

ls output:

[root@ip-10-0-10-165 httpd]# ls -la
total 48
drwx------ 19 root   devs   4096 Apr  3 03:42 .
drwxr-xr-x 11 root   devs   4096 Apr  8 07:45 ..
-rw-r--r--  1 root   root      0 Feb 15 14:55 access_log
drwxr-xr-x  2 root   devs     41 Mar  1 20:44 u1-dev.qwerty.com
-rw-r--r--  1 root   root   1648 Apr  3 03:42 error_log
-rw-r--r--  1 root   root    883 Mar 13 03:41 error_log-20220313
drwxr-xr-x  2 root   devs     41 Mar  1 20:44 u4-dev.qwerty.com
drwxr-xr-x  2 root   root     41 Mar  1 20:44 langs.qwerty.com
drwxr-xr-x  2 root   devs     41 Mar  1 20:44 u8-dev3.qwerty.com
-rw-r--r--  1 root   root      0 Feb 15 14:55 ssl_access_log
-rw-r--r--  1 root   root    314 Apr  3 03:42 ssl_error_log
-rw-r--r--  1 root   root    157 Mar  6 03:50 ssl_error_log-20220313
-rw-r--r--  1 root   root      0 Feb 15 14:55 ssl_request_log
drwxr-xr-x  2 apache apache  253 Apr  3 03:42 www.qwerty.com
drwxr-xr-x  2 root   devs     41 Mar  1 20:44 u13-dev.qwerty.com
[root@ip-10-0-20-173 httpd]#

How do I modify that permission set? What is the best approach here?

Score:1

You can use an ACL for this directory and grant permissions to the devs group. For example:

setfacl -m g:devs:rx httpd/

You can set a file access control list for a directory. In your example you have an httpd directory with permissions set for user/group root only.

# ls -la| grep httpd
drwx------   2 root     root        4096 Apr  8 10:11 httpd

You can check that this directory has no ACL:

getfacl httpd/
# file: httpd/
# owner: root
# group: root
user::rwx
group::---
other::---

We grant the devs group read and execute permissions:

setfacl -m g:devs:rx httpd/

After setting the permissions, it will look like this:

getfacl httpd/
# file: httpd/
# owner: root
# group: root
user::rwx
group::---
group:devs:r-x
mask::r-x
other::---

Note the extra plus sign (+) in the ls output, which indicates an existing ACL.

# ls -la| grep httpd
drwxr-x---+  2 root     root        4096 Apr  8 10:11 httpd

It might be a good idea to repeat the setfacl command with the -b switch to set the default permissions. I usually do that.

-d, --default
    All operations apply to the Default ACL. Regular ACL entries in the input set are promoted to Default ACL entries. Default ACL entries in the input set are discarded. (A warning is issued if that happens).

Regards

samtech: Just for better understanding, can you describe it a bit with an example?

KuchnMar: I expanded the answer above.

samtech: KuchnMar, setfacl -m g:devs:rx /var/log/httpd will grant my 'devs' group the desired permission without root access, right?

[root@ip-10-0-10-165 httpd]# getfacl /var/log/httpd
getfacl: Removing leading '/' from absolute path names
# file: var/log/httpd
# owner: root
# group: devs
user::rwx
group::---
other::---
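The mask entry in the getfacl output above is the part of this answer that most often surprises people: the permission a named group actually gets is its entry ANDed with mask::, and a later plain chmod on the directory rewrites that mask. The following script is an added example, not code from the answer or from the asker's host; it parses constructed getfacl output (modelled on the listing in the answer) and reports the effective permission for a named group.

```shell
#!/bin/sh
# Added example, not code from the answer: work out what a named group
# effectively gets from an ACL. The permission a group actually has is its
# ACL entry ANDed with the mask entry; getfacl prints "#effective:" when the
# two differ. The sample ACLs below are constructed to match the listing in
# the answer and are not real getfacl output from the asker's host.

# Print the effective permission (e.g. "r-x") of group $2 in getfacl output $1.
# Returns 1 when the group has no named entry at all.
effective_group_perm() {
    acl=$1
    grp=$2
    # named group entry: "group:<name>:<perms>" (ignore any "#effective" tail)
    entry=$(printf '%s\n' "$acl" | awk -F: -v g="$grp" \
        '$1 == "group" && $2 == g { print substr($3, 1, 3); exit }')
    # mask entry: "mask::<perms>"; without one nothing is masked off
    mask=$(printf '%s\n' "$acl" | awk -F: \
        '$1 == "mask" && $2 == "" { print substr($3, 1, 3); exit }')
    [ -n "$entry" ] || return 1
    [ -n "$mask" ] || mask=rwx
    out=
    for i in 1 2 3; do
        e=$(printf '%s' "$entry" | cut -c "$i")
        m=$(printf '%s' "$mask" | cut -c "$i")
        if [ "$e" != "-" ] && [ "$e" = "$m" ]; then
            out="$out$e"
        else
            out="$out-"
        fi
    done
    printf '%s\n' "$out"
}

# Constructed sample 1: the state right after "setfacl -m g:devs:rx httpd/".
ACL_AFTER_SETFACL='# file: httpd/
# owner: root
# group: root
user::rwx
group::---
group:devs:r-x
mask::r-x
other::---'

# Constructed sample 2: the same directory after a later "chmod 0700 httpd/".
# On Linux the group bits given to chmod rewrite the mask, so devs keep their
# entry but end up with no access (getfacl flags this with "#effective:").
ACL_AFTER_CHMOD_700='# file: httpd/
# owner: root
# group: root
user::rwx
group::---
group:devs:r-x          #effective:---
mask::---
other::---'

# Usage: sh acl_effective.sh   (prints "r-x", then "---")
effective_group_perm "$ACL_AFTER_SETFACL" devs
effective_group_perm "$ACL_AFTER_CHMOD_700" devs
```

Two practical consequences follow from this. First, if devs mysteriously lose access after somebody "tidies up" with chmod, check mask:: before anything else; re-running the setfacl command, or setfacl -m m::rx httpd/, restores it. Second, an ACL on the directory does not propagate to files that logrotate creates inside it unless a default ACL was set with the -d switch quoted from the man page above (setfacl -d -m g:devs:r httpd/), so the rotated-in files otherwise fall back to their plain mode bits.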
Score:0

According to how you tagged the question, you are using a Redhat-style environment. Assuming you are using the stock Apache httpd installation, you are probably, behind-the-scenes, dealing with logrotate. Out of the box, logrotate executes daily out of /etc/cron.daily. It will move your current log files out of the way, create new ones and restart httpd such that it will begin to use the newly created, empty log files.

Check /etc/logrotate.d/httpd. For example, the stock version shows:

/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        /bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true
    endscript
}

If you add a line like this within the curly brackets, logrotate will properly rotate and re-create your log files with the correct owner and group memberships:

    create 0640 root devs

This instructs logrotate to create the new log files with root as the owner, devs as the group, with permissions being owner read/write and group read.

You can then set your httpd log directory with permissions and ownerships like so:

chown root:devs /var/log/httpd
chmod 0750 /var/log/httpd

For the first day, you may also want to manually set the permissions on the log files and logrotate will pick up on the following days:

chown root:devs /var/log/httpd/*log
chmod 0640 /var/log/httpd/*log

You can get fancy with ACLs as demonstrated by @KuchnMar above, but this solution keeps things simple and compatible across various *nix and filesystem types.

This may be similar on a Debian-style host, but your logrotate configuration file may be called apache2 instead.

More information can be found here:

mangohost
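To see the mode scheme from this answer applied and then checked, here is an added example script (not code from the answer or from the asker's host). It sets 0750 on the directory and 0640 on each *log file exactly as above, then audits every entry in the directory for anything still readable by others or writable by the group. Ownership is deliberately left to the chown commands in the answer, since changing group ownership needs root; touching only mode bits means the script can be tried on a scratch copy of the log directory as an ordinary user.

```shell
#!/bin/sh
# Added example, not code from either answer: apply the second answer's
# mode scheme (0750 on the directory, 0640 on each *log file) to a log
# directory and then audit it. Ownership (chown root:devs) is left to the
# commands in the answer because changing it needs root; this script only
# touches mode bits, so it can be tried on a scratch copy as any user.

# Octal mode of a path: GNU stat first, BSD/macOS stat as a fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Directory becomes 0750 (group can list and enter, others nothing);
# every *log file becomes 0640 (group read-only). Returns 1 on any failure.
harden_log_dir() {
    dir=$1
    chmod 0750 "$dir" || return 1
    for f in "$dir"/*log; do
        [ -f "$f" ] || continue        # the glob matched nothing
        chmod 0640 "$f" || return 1
    done
}

# Report every entry directly under the directory (and the directory itself)
# that is still accessible to "others" or writable by the group. Returns 1
# if anything was reported, so it can gate a cron job or a config check.
audit_log_dir() {
    dir=$1
    rc=0
    for p in "$dir" "$dir"/*; do
        [ -e "$p" ] || continue
        m=$(mode_of "$p")
        others=$(printf '%s' "$m" | sed 's/.*\(.\)$/\1/')     # last octal digit
        group=$(printf '%s' "$m" | sed 's/.*\(.\).$/\1/')     # middle octal digit
        if [ "$others" -ne 0 ]; then
            echo "accessible to others: $p (mode $m)"; rc=1
        fi
        if [ $((group & 2)) -ne 0 ]; then
            echo "group-writable: $p (mode $m)"; rc=1
        fi
    done
    return "$rc"
}

# Usage: sh harden_logdir.sh /path/to/copy-of-httpd-logs
if [ -n "${1:-}" ]; then
    harden_log_dir "$1" && audit_log_dir "$1" && echo "OK: $1 hardened"
fi
```

The audit is intentionally broader than the chmod: the *log glob used by the answer (and by the logrotate stanza) does not match already-rotated names such as error_log-20220313, and logrotate's create line only affects files it creates from now on, so those older files keep whatever mode they had. Running the audit after hardening shows exactly which leftovers still need a one-off chmod 0640.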
