Old 06-25-2007, 03:46 PM   #1
benrose111488
Member
 
Registered: Jun 2004
Location: Wantage, NJ
Distribution: Fedora 7
Posts: 177

Rep: Reputation: 30
apache logs files can't be opened?


from /etc/httpd/conf/httpd.conf:

(I changed the email address so I don't get spammed, but you get the picture of what I'm doing here).

<VirtualHost bsa97.org:80>
ServerAdmin brose AT bsa97 DOT org
DocumentRoot /home/bsa97.org/public_html
ServerName www.bsa97.org
ErrorLog /home/bsa97.org/logs/bsa97_error_log
CustomLog /home/bsa97.org/logs/bsa97_access_log common
</VirtualHost>



from /etc/httpd/logs/error_log:

(13)Permission denied: httpd: could not open error log file /home/bsa97.org/logs/bsa97_error_log.
Unable to open logs
(13)Permission denied: httpd: could not open error log file /home/bsa97.org/logs/bsa97_error_log.
Unable to open logs
(13)Permission denied: httpd: could not open error log file /home/bsa97.org/logs/bsa97_error_log.
Unable to open logs
(13)Permission denied: httpd: could not open error log file /home/bsa97.org/logs/bsa97_error_log.
Unable to open logs



from ll /home/bsa97.org/logs/:

total 8
-rw-r--r-- 1 root root 0 2007-06-25 16:26 access_log
-rw-r--r-- 1 root root 0 2007-06-25 16:26 error_log


from ll /etc/httpd/logs/

total 388
-rw-r--r-- 1 root root 265514 2007-06-25 15:51 access_log
-rw-r--r-- 1 root root 0 2007-06-24 00:54 eaccelerator_log
-rw-r--r-- 1 root root 73618 2007-06-25 16:41 error_log
-rw-r----- 1 root root 6673 2007-06-25 15:50 modsec_audit.log
-rw-r----- 1 root root 0 2007-06-23 16:42 modsec_debug.log
-rw-r--r-- 1 root root 0 2007-06-23 16:42 ssl_access_log
-rw-r--r-- 1 root root 5214 2007-06-25 16:18 ssl_error_log
-rw-r--r-- 1 root root 0 2007-06-23 16:42 ssl_request_log








Can't figure it out. Any ideas?
 
Old 06-25-2007, 04:33 PM   #2
cyberfishee
Member
 
Registered: Mar 2005
Distribution: Debian Testing
Posts: 133

Rep: Reputation: 15
Quote:
(13)Permission denied: httpd: could not open error log file
apache needs to have write access to /home/bsa97.org/logs in order to create the log file

check the permission of the folder
Code:
ls -l /home/bsa97.org | grep logs
either change the owner of this folder to the user apache is run as (depends on your distro)

or, if security is not a big concern, change the logs folder to be writable by everyone
Code:
chmod -R a+w /home/bsa97.org/logs
 
Old 06-25-2007, 04:37 PM   #3
benrose111488
Member
 
Registered: Jun 2004
Location: Wantage, NJ
Distribution: Fedora 7
Posts: 177

Original Poster
Rep: Reputation: 30
[root@WhiteFire httpd]# chmod -R 777 /home/bsa97.org/
[root@WhiteFire httpd]# ll /home/bsa97.org/
total 16
drwxrwxrwx 2 root root 4096 2007-06-25 16:04 logs
drwxrwxrwx 2 root root 4096 2007-06-25 16:17 public_html
[root@WhiteFire httpd]# ll /home/bsa97.org/logs/
total 8
-rwxrwxrwx 1 root root 0 2007-06-25 16:26 access_log
-rwxrwxrwx 1 root root 0 2007-06-25 16:26 error_log
[root@WhiteFire httpd]# service httpd start
Starting httpd: [FAILED]
[root@WhiteFire httpd]#

failed for the same reason:

[root@WhiteFire httpd]# tail /etc/httpd/logs/error_log
(13)Permission denied: httpd: could not open error log file /home/bsa97.org/logs/bsa97_error_log.
Unable to open logs
(13)Permission denied: httpd: could not open error log file /home/bsa97.org/logs/bsa97_error_log.
Unable to open logs
[root@WhiteFire httpd]#
 
Old 06-25-2007, 04:41 PM   #4
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Apache is initially started by root.
It needs to be root to open port 80, which is lower than 1024. Only privileged users are allowed to open these privileged ports (to not disrupt existing services and also for remote hosts to check a few things).
For security reasons, the rule of "least privilege" is used: apache doesn't need root privilege anymore, it's far too powerful. So it changes its User Id to "apache" (example).

You can check with ps which user id is used by apache.

If the logs are opened after the change of uid then the logs and the directory of the logs have to be writable by user "apache".
Probably
chown -R apache:apache /home/bsa97.org/logs
chmod go-rwx /home/bsa97.org/logs

These 777 are far too dangerous!

Last edited by nx5000; 06-25-2007 at 04:44 PM.
 
Old 06-25-2007, 04:45 PM   #5
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
I had made a mistake in the previous post.
 
Old 06-25-2007, 04:55 PM   #6
benrose111488
Member
 
Registered: Jun 2004
Location: Wantage, NJ
Distribution: Fedora 7
Posts: 177

Original Poster
Rep: Reputation: 30
[root@WhiteFire httpd]# chown -R apache:apache /home/bsa97.org/logs
[root@WhiteFire httpd]# chmod go-rwx /home/bsa97.org/logs
[root@WhiteFire httpd]# service httpd start
Starting httpd: [FAILED]
[root@WhiteFire httpd]# tail /etc/httpd/logs/error_log
(13)Permission denied: httpd: could not open error log file /home/bsa97.org/logs/bsa97_error_log.
Unable to open logs
[root@WhiteFire httpd]#
 
Old 06-25-2007, 05:19 PM   #7
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
I don't know which distro puts logs in /etc but I'm happy I'm not using it. complete nonsense.

Also did you check the output of ps as I said?
Please try to add at least one human word in your post, thank you.

Check the mount options of the partition
mount

Also this:
ls -la /home/bsa97.org/logs/
 
Old 06-25-2007, 05:26 PM   #8
benrose111488
Member
 
Registered: Jun 2004
Location: Wantage, NJ
Distribution: Fedora 7
Posts: 177

Original Poster
Rep: Reputation: 30
sorry about the lack of human words. Just trying to be as efficient as possible.

I'm using Fedora 7 on the server, /etc/httpd/logs is actually a symlink to /var/log/httpd

Here's the ps output:
Code:
[root@WhiteFire ~]# ps -A | grep httpd
 3577 ?        00:00:01 httpd
 3579 ?        00:00:00 httpd
 3580 ?        00:00:00 httpd
 3581 ?        00:00:00 httpd
 3582 ?        00:00:00 httpd
 3583 ?        00:00:00 httpd
 3584 ?        00:00:00 httpd
 3585 ?        00:00:00 httpd
 3586 ?        00:00:00 httpd
 3587 ?        00:00:00 httpd
and here's mount:

Code:
[root@WhiteFire ~]# mount
/dev/md0 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
ls -la output:
Code:
[root@WhiteFire ~]# ls -la /home/bsa97.org/logs/
total 24
drwx------ 2 apache    apache    4096 2007-06-25 16:04 .
drwxrwxrwx 4 bsa97.org bsa97.org 4096 2007-06-25 16:17 ..
-rwxrwxrwx 1 apache    apache       0 2007-06-25 16:26 access_log
-rwxrwxrwx 1 apache    apache       0 2007-06-25 16:26 error_log
[root@WhiteFire ~]#
I feel like it's something simple I'm overlooking.

Thanks for all your help, it truly is appreciated.
 
Old 06-25-2007, 05:48 PM   #9
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Quote:
Originally Posted by benrose111488
sorry about the lack of human words. Just trying to be as efficient as possible.
Sorry but there are too many people not even saying thank you that I sometimes get very quickly annoyed.
Quote:
I'm using Fedora 7 on the server, /etc/httpd/logs is actually a symlink to /var/log/httpd
Okay if it's a link then it's more or less ok. /etc is the configuration place.
Quote:
Here's the ps output:
Code:
[root@WhiteFire ~]# ps -A | grep httpd
 3577 ?        00:00:01 httpd
 3579 ?        00:00:00 httpd
 3580 ?        00:00:00 httpd
 3581 ?        00:00:00 httpd
 3582 ?        00:00:00 httpd
 3583 ?        00:00:00 httpd
 3584 ?        00:00:00 httpd
 3585 ?        00:00:00 httpd
 3586 ?        00:00:00 httpd
 3587 ?        00:00:00 httpd
You need to show the complete fields of ps, probably
ps auxf | grep httpd
Quote:
and here's mount:

Code:
[root@WhiteFire ~]# mount
/dev/md0 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
Okay /etc is in / which is rw and not readonly (ro)
Hum
Quote:
ls -la output:
Code:
[root@WhiteFire ~]# ls -la /home/bsa97.org/logs/
total 24
drwx------ 2 apache    apache    4096 2007-06-25 16:04 .
drwxrwxrwx 4 bsa97.org bsa97.org 4096 2007-06-25 16:17 ..
-rwxrwxrwx 1 apache    apache       0 2007-06-25 16:26 access_log
-rwxrwxrwx 1 apache    apache       0 2007-06-25 16:26 error_log
[root@WhiteFire ~]#
Hum, apache is displayed, which means the apache user exists. I guess then httpd uses this UID. Check the ps.
Quote:
I feel like it's something simple I'm overlooking.
Yep should be.
If it's something linked with selinux then I'm lost because I don't use it. Or maybe ACLs?
Quote:
Thanks for all your help, it truly is appreciated.
No problem
But I think I'm not going anywhere more than you at the moment.
 
Old 06-25-2007, 06:14 PM   #10
benrose111488
Member
 
Registered: Jun 2004
Location: Wantage, NJ
Distribution: Fedora 7
Posts: 177

Original Poster
Rep: Reputation: 30
Code:
[root@WhiteFire html]# ps auxf | grep httpd
root      3577  0.0  5.4 102176 20952 ?        Ss   18:24   0:01 /usr/sbin/httpd
apache    3579  0.0  0.9  25912  3824 ?        S    18:24   0:00  \_ /usr/sbin/httpd
apache    3580  0.0  3.6 103260 13876 ?        S    18:24   0:00  \_ /usr/sbin/httpd
apache    3581  0.0  2.8 102844 10976 ?        S    18:24   0:00  \_ /usr/sbin/httpd
apache    3582  0.0  2.3 102180  8956 ?        S    18:24   0:00  \_ /usr/sbin/httpd
apache    3583  0.0  2.7 102708 10424 ?        S    18:24   0:00  \_ /usr/sbin/httpd
apache    3584  0.0  2.8 102844 11020 ?        S    18:24   0:00  \_ /usr/sbin/httpd
apache    3585  0.0  3.0 103240 11744 ?        S    18:24   0:00  \_ /usr/sbin/httpd
apache    3586  0.0  2.3 102180  8956 ?        S    18:24   0:00  \_ /usr/sbin/httpd
apache    3587  0.0  2.3 102180  8956 ?        S    18:24   0:00  \_ /usr/sbin/httpd
apache    3598  0.0  2.8 102844 11032 ?        S    18:27   0:00  \_ /usr/sbin/httpd
apache    3615  0.0  2.8 102844 10972 ?        S    18:32   0:00  \_ /usr/sbin/httpd
apache    3618  0.0  2.3 102180  8956 ?        S    18:34   0:00  \_ /usr/sbin/httpd
apache    3645  0.0  2.3 102180  8940 ?        S    18:48   0:00  \_ /usr/sbin/httpd
apache    3646  0.0  2.8 102844 10956 ?        S    18:48   0:00  \_ /usr/sbin/httpd
apache    3647  0.0  2.8 102844 10980 ?        S    18:48   0:00  \_ /usr/sbin/httpd
apache    3687  0.0  2.3 102180  8936 ?        S    19:03   0:00  \_ /usr/sbin/httpd
[root@WhiteFire html]#
oh, trust me, I've seen my fair share of no-thank-you-ers. I'd hate to be perceived as one.

I'm ready to just do a dirty fix, make the logs in the default apache log directory as a different name (which works, btw), and then just symlink to them from the home directory. I know it doesn't really FIX the problem, but it fixes the problem :P

Again, thanks for your help. The Linux community is great, and this is why.
 
Old 06-25-2007, 06:30 PM   #11
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
It's always the nice people that I annoy. Sorry

Okay, I'm pretty sure it's some SELinux stuff or a security feature of RedHat/Fedora which I don't know at all.
I hope somebody has knowledge in this and can answer.
 
Old 06-25-2007, 07:05 PM   #12
benrose111488
Member
 
Registered: Jun 2004
Location: Wantage, NJ
Distribution: Fedora 7
Posts: 177

Original Poster
Rep: Reputation: 30
I figured it out!!!! ROFLcopters!!!!

Ok so it was because I'm a total idiot, and it won't access the logs unless the namehosts are config'd properly.

Here's the proper VH layout:

Code:
NameVirtualHost MY_IP:80
<VirtualHost MY_IP:80>
        Options Indexes FollowSymLinks
        ServerAdmin MY_EMAIL_ADDRESS
        DocumentRoot /var/www/html
        ServerName MY_IP
        ErrorLog logs/error_log
        CustomLog logs/access_log common
        DirectoryIndex index.html index.php
</VirtualHost>

NameVirtualHost bsa97.org:80
<VirtualHost bsa97.org:80>
        Options Indexes FollowSymLinks
        ServerAdmin MY_EMAIL_ADDRESS
        DocumentRoot /home/bsa97.org/public_html
        ServerName www.bsa97.org
        ErrorLog /home/bsa97.org/logs/error_log
        CustomLog /home/bsa97.org/logs/access_log common
        DirectoryIndex index.html index.php
</VirtualHost>
permissions are as usual, -rw-r--r-- for both access_log and error_log.

Hope this helps someone!
 
Old 06-25-2007, 07:47 PM   #13
benrose111488
Member
 
Registered: Jun 2004
Location: Wantage, NJ
Distribution: Fedora 7
Posts: 177

Original Poster
Rep: Reputation: 30
oops I lied, it is something to do with selinux.

I'm working on a fix now... does anyone know how to configure selinux from a command line??
 
Old 06-26-2007, 10:34 AM   #14
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Quote:
Originally Posted by benrose111488
oops I lied, it is something to do with selinux.

I'm working on a fix now... does anyone know how to configure selinux from a command line??
Now that you know it's selinux and not really apache, you could open a new thread I think. In "security subforum" there are a lot of people who know this.
 
Old 06-26-2007, 12:54 PM   #15
benrose111488
Member
 
Registered: Jun 2004
Location: Wantage, NJ
Distribution: Fedora 7
Posts: 177

Original Poster
Rep: Reputation: 30
actually, I figured it out for real this time. www.bsa97.org is now up and running... check it out! (it sucks thus far - soon to be better!)

anyway, this is how you do it

Code:
setsebool -P httpd_enable_homedirs=1
setsebool -P allow_httpd_anon_write=1
setsebool -P allow_httpd_sys_script_anon_write=1
chcon -R -t httpd_sys_script_rw_t /path/to/directory/or/file.txt
chcon -R -t httpd_sys_content_t /path/to/directory/or/file.txt
then after that, to add more files and folders that httpd can access, just run the last 2 commands on the file or folder. Hope this helps someone in the future!
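
Added example, not part of the original posts: in this thread "Permission denied" persisted even with mode 777, and the cause turned out to be SELinux, so the denials would be recorded as AVC records in the audit log rather than explained by `ls -l`. The script below summarises httpd denials from such records and prints a narrower relabel for a log directory; the audit records are constructed samples, and the function names and the choice of `httpd_log_t` are assumptions.

```shell
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log records (not from the thread).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1182807960.101:41): avc:  denied  { search } for  pid=3577 comm="httpd" name="bsa97.org" dev=md0 ino=98001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1182807960.102:42): avc:  denied  { append } for  pid=3577 comm="httpd" name="bsa97_error_log" dev=md0 ino=98114 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1182807960.102:42): arch=40000003 syscall=5 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1182807961.500:43): avc:  denied  { read } for  pid=4100 comm="sendmail" name="aliases" dev=md0 ino=5512 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1182808020.300:57): avc:  denied  { append } for  pid=3701 comm="httpd" name="bsa97_error_log" dev=md0 ino=98114 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Read audit records on stdin and print one line per distinct httpd denial:
#   <count> <permissions> <class> <name> <target type>
httpd_avc_summary() {
  awk '
    $1 == "type=AVC" && /denied/ && /comm="httpd"/ {
      perm = ""; name = ""; ttype = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") {
          for (k = i + 1; k <= NF && $k != "}"; k++)
            perm = perm (perm == "" ? "" : ",") $k
        } else if ($i ~ /^name=/) {
          name = $i; gsub(/^name=|"/, "", name)
        } else if ($i ~ /^tcontext=/) {
          split($i, ctx, ":"); ttype = ctx[3]
        } else if ($i ~ /^tclass=/) {
          cls = substr($i, 8)
        }
      }
      key = perm " " cls " " name " " ttype
      if (!(key in seen)) order[++n] = key
      seen[key]++
    }
    END { for (j = 1; j <= n; j++) print seen[order[j]], order[j] }
  '
}

# Print (do not run) commands that label one directory for httpd logging.
# Assumption: httpd_log_t is the policy's log type, as used on /var/log/httpd.
relabel_cmds() {
  printf "semanage fcontext -a -t httpd_log_t '%s(/.*)?'\n" "$1"
  printf 'restorecon -Rv %s\n' "$1"
}

sample_audit_log | httpd_avc_summary
relabel_cmds /home/bsa97.org/logs
```

On a live system, pipe the real audit log into `httpd_avc_summary` and rerun it after any relabel; denials that remain show which access still needs a policy decision.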
 
  

