Score:0

Apache Httpd: Logging Access for Non-privileged Users

bo flag

I’m wondering if it is common for Apache HTTPD admins to allow read access or read access to copies of /var/log/httpd/${vhost}_error_log?

I administer an Apache web server for a University CS department. At times we get tickets in frustration that the vhost owner can’t determine what the solution to an error is because they have no access to said log files—as these log files are owned by root:root.

What do admins in this situation do for log access/dissemination? As it stands, I typically provide a snippet of the logs to the vhost owner to troubleshoot, but this, as you can imagine, leads to frustration by the vhost owner as we don’t always have the ability to respond in a timely manner.

Are there internal mechanisms or 3rd party apps that provide a fine grained access solution to my problem? Guidance much appreciated.

ezra-s
ru flag
Unless you decide to dump everything in the logs by brute force with something like mod_dumpio, then I'd say it is perfectly OK to allow read access to logs to users who can already log in to the machine where Apache httpd is running.
deconstruct
bo flag
There is no SSH access to our web servers, which is where logging happens. We provide users with a general-purpose cluster and mount NFS shares where their web space files are kept. The web servers also mount those spaces and we map them as the docroot. The University also has a log retention policy due to PII.
ezra-s
ru flag
In any case, unless you have something to hide, like files in a private area, apache httpd could very well leave logs in with read permissions for all.
Score:1
nu flag

There is no good reason IMHO to store the logs in a location that the webmaster cannot access. Since it looks like you already create specific logs for each VirtualHost, adjust where you store them to a location that allows a webmaster to access their own raw log files. Those logs can still be owned by root, but as long as their file system permissions are good, they can be read by the webmasters, who can download them when necessary.

In the past (when every site owner still used FTP to upload content and chrooting that was easy) we had a separate logs directory next to the document_root and cgi-bin.

Score:1
ws flag

Is it common to restrict access to /var/log/.... ?

Yes

Is it common to allow the owners of websites visibility of their logs?

Yes

Your issue is how to configure this so that Apache can write the logs, users can read their own logs, but not read the logs of other users. That's quite easy using standard permissions.

With a default package setup your httpd must run as root (in order to listen on ports 80 and 443) meaning it can read and write everything (at least the master process can - worker processes setuid to a non-privileged user). But even if it already runs as a non-privileged user this can be resolved using standard filesystem permissions.

Do make sure that the location you choose for the logs is outside the document root otherwise the logs will become an exploitable asset for any attacker.

Also bear in mind that you need to retain or implement log rotation for all these files.

Setting this up from scratch, I would go with....

drwxrwx--- ${USER}:adm /var/www/${USER}/logs/
drwxrwx--- ${USER}:adm /var/www/${USER}/html/  (document root)
drwxrwx--- ${USER}:${USER} /var/www/${USER}/data/  (because it's good practice to provide space outside the document root for the users too)

If they insist on running self-modifying code (and you want to let them)....

drwxrwx--- ${USER}:${WEBUID} /var/www/${USER}/html/

(but note that this gives users the means not only to read others' files but also to modify them).

It might be simpler from your perspective just to give them each a container and run a load balancer on the hypervisor.

administer an Apache web server for a University CS department.

...so you knew all this already?
