Posted by simonw on Wed 30 Nov 2005 at 16:44
I want to hand out Apache access log files to hosted customers on a shared server for measurement purposes, at least weekly. I also want them to have access to "error.log" in near real time.
Looking at Debian Sarge, Apache2 log files are created "root adm rw-r-----" when Apache2 runs as "www-data www-data"; I assume it is thus writing to them from the one Apache2 task listed as "root"?
The security docs say I mustn't allow customers "write" to the directory the log files are in, so I suspect I must use some keen permissions (or symbolic links) so the directory appears as "~/.logs" but isn't writable.
Whilst I can see a relatively simple solution with a "chmod" on the logrotate scripts, and a mess of symbolic links, I get the feeling I'm solving a problem solved a million times before (well many thousands of times).
Server doesn't have so many sites that I'm "that" worried about file handles.
split-logfile is too simple, as it doesn't seem to handle "ServerAlias".
Is there an elegant solution before I create my less than elegant solution?
Can Apache be told to change its default log file permissions, or do I hack a umask into the startup script?
This article can be found online at the Debian Administration website at the following bookmarkable URL:
This article is copyright 2005 simonw - please ask for permission to republish or translate.