This is the comment you were replying to, attached to the article Apache log files - per site log files:


Re: Apache log files - per site log files
Posted by simonw (84.45.xx.xx) on Wed 30 Nov 2005 at 18:18
Correct!

I found that after posting, the ownership and permissions are defined in /etc/logrotate.d/apache2

However, I still don't see the elegant way of having the logs in the customer's directory: because they are written as root, the symlink-to-an-important-file thing could happen. Perhaps I'll test it, and see how stupid Apache2 is.

I'm leaning to putting a ".htpasswd" in "/var/log/apache2/$ServerName", and letting them get the logs via authenticated HTTP, seems a lot safer all round, if a tad recursive in nature.

The basics of the problem remaining are:

1) we let users FTP to "/home/$username", chrooted, and they see their site as under "/"
2) we allow some users to put their own CGI scripts (bad karma).
3) we'd like to put the log files in the ftp space.
4) "/home/$username" is writable by $username.

So wherever we put the logs there is a potential of them creating a symlink via CGI, and blatting an important file with the Apache log.

The simple elegant solution is to have "logs" and "public_html" in home, and remove write permissions from "/home/$username" and "/home/$username/logs" (and chown root:adm logs; chmod 1755 logs for paranoia's sake).

The other elegant solution is to write to "~/.access.log" and "~/.error.log", chown, and set the sticky bit on ~, but some users do have Apache create content in their home directory (I know, more bad karma, but it happens) and like to be able to change that via ftp as well. If we could persuade them to pay us to save them from themselves....

But we'd have to reeducate people, and the trouble we had teaching them what the "directory" setting in Dreamweaver does.... Why is Dreamweaver so bad at FTP?

Of course I could have ignored the security problem, no one would probably ever notice, especially if I chown'ed and chmod ".logs" to make it look more secure, but I like to try and understand these things properly.
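
The layout described in the comment above can be checked mechanically. The following is an added example, not part of the original post: it flags a log directory (or its parent) that a non-root account can write to, and any symlinks already sitting where the root-owned logger would open a file. The function names and the `trusted_uid` parameter are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original comment). trusted_uid defaults to 0,
# i.e. root; it is a parameter only so the check can be tried without root.

# Succeeds if a uid other than trusted_uid ($2) can create entries in dir $1,
# judged from the numeric owner and mode string printed by `ls -ldn`.
writable_by_untrusted() {
    ls -ldn -- "$1" | {
        read -r mode _links owner _rest
        case $mode in
            ?????w*|????????w*) true ;;          # group- or world-writable
            ??w*) [ "$owner" != "$2" ] ;;        # owner-writable: ok only if trusted
            *) false ;;
        esac
    }
}

# Prints one line per finding; returns non-zero if there is any finding.
audit_logdir() {
    dir=$1 trusted_uid=${2:-0} findings=0
    parent=$(dirname "$dir")
    if [ -L "$dir" ]; then
        echo "RISK: $dir is itself a symlink"
        findings=$((findings + 1))
    fi
    # Whoever can write the log directory, or rename it from its parent,
    # can plant a link where the root-owned logger will open a file.
    for d in "$parent" "$dir"; do
        if writable_by_untrusted "$d" "$trusted_uid"; then
            echo "RISK: $d is writable by a uid other than $trusted_uid"
            findings=$((findings + 1))
        fi
    done
    # Links already present, dotfiles such as .access.log included.
    for f in "$dir"/* "$dir"/.[!.]*; do
        if [ -L "$f" ]; then
            echo "RISK: $f is a symlink and would be followed on open"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}
```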
