How to set default file permissions for (custom) Apache log files?

Zippy1970 · 03-27-2014, 01:38 PM

Is there a way to set the default file permssion of the log files created by Apache? They are set to 0644 by default (apparently) but I want them set to 0600.

John VV · 03-27-2014, 02:53 PM

0644
that 0 at the start
i am assuming this is RHEL 5 or 6 ( selinux)

you really do not want to change it to 0600
the users "apache" and "user" need to be able to read the files

Zippy1970 · 03-27-2014, 03:37 PM

Quote:

Originally Posted by John VV

you really do not want to change it to 0600
the users "apache" and "user" need to be able to read the files

Why?

Edit: I assume that with "apache" you mean the web user? And who/what do you mean with "user"?
(I have neither a user "apache" nor "user" on my system)

John VV · 03-27-2014, 03:48 PM

the apache web server IS owned by the user "apache" ( just NO $HOME folder)
just like Mysql is owned by the user "mysql"
and all redhat based systems have a group called "users"
and those users and groups need to be able to read the log

run "chmod" on the log

but expect problems afterward , it is your set up . Do what you want

Zippy1970 · 03-27-2014, 04:11 PM

Quote:

Originally Posted by John VV

the apache web server IS owned by the user "apache" ( just NO $HOME folder)

I understand that apache runs (not owned) as user "apache" (or "www", "www-data", etc depending on the distro).

But the log files are owned by user root. And user root is the only user allowed to write to them.

Quote:

just like Mysql is owned by the user "mysql"
and all redhat based systems have a group called "users"
and those users and groups need to be able to read the log

Again, why?

Quote:

run "chmod" on the log
but expect problems afterward , it is your set up . Do what you want

Which is exactly the reason why "run chmod" is terrible advice to give.

I want the logfiles to get the default file permissions of 0640 (0600 was a typo) by whichever service creates the logfiles.

Zippy1970 · 03-27-2014, 05:04 PM

To answer my own question, one way of doing this is by adding

umask 026

to the file /etc/apache2/envvars.

But this will cause all files created by Apache (either as the web user or root) to get the default file permissions of 0640 (-rw-r-----). I only want the log files to get these file permissions.

PS: The interwebs seems to be devided as to whether or not envvars is the proper place to add the umask.

Ake Torngren · 04-02-2014, 01:45 AM

Adding my two cents.
I just moved from Linux Fedora 14 to Fedora 20,
then donwloaded/installed Apache (which is no longer on
the install DVD), and ran into this "You don't
have access" problem, until I found that SELunix
was the culprit. Depending on your flavour of
Linux, this might apply to some of you as well.
To find out whether SELinux is active, enter
"getenforce". If you get "Enabled" then look
in "/var/log/audit/audit.log".
You might see lines like
... denied { getattr } ... comm="httpd" path="/var/www/html/index.html"
Then decide whether
1) You DON'T want/need SELunix. Then edit
"/etc/selinux/config" and change the relevant
line to "SELINUX=disabled", then reboot.
2) You DO want/need SELunix. Then study SELunix
and change whatever settings. (I can't help
you with this, since I opted for 1 above.)