burtonrhodes asked:
Best way to grant read access to apache and tomcat log file directories (linux)?

I'm sure this is an easy answer, but I can't seem to find a "best practices" answer to access the /var/log/apache2 and /var/log/tomcat6 log file directories to view the logs.

Some suggest I add my username to the "root" group or change both directories to chmod +x. Just curious what the best route is without opening too wide a security hole somewhere.

Ultimately I am wanting to view these files via my SFTP (WinSCP) access.

Many thanks!
Gary:

Don't give anyone but root access to the logs, instead create a symlink to the file/s
burtonrhodes (asker):
Okay - so what am I doing wrong in this instance - I still get "permission denied."

ln -s /var/log/apache2/ ~/logs_apache2

cd logs_apache2 gives me "permission denied"
SOLUTION
Gary
I don't know - should I be okay with full folder access?

However, I assume you mean I should give a symlink directly to the log file, but when I do:

 ln -s /var/log/apache2/error.log ~/apache2_errorlog.log

I still get "permission denied" on "~$ more apache2_errorlog.log"
Maybe a better question is how do you give access to the log files if you need to see log files for tomcat or apache via SFTP (e.g. WinSCP)?
Did you give permissions to the folder?
yes.

ls -l gives...

[directory]
drw-r--r-- 2 root root 4096 Nov 11 14:08 apache2

[file]
-rw-r--r-- 1 root amn 3580 Nov 11 10:00 error.log
My username only belongs to "sudo" if that's relevant.
SOLUTION
These are custom logs that are created by my webapp (tomcat mostly). There are occasions when I get a "random" application error from my web application. To follow up, I need to check the log files. It's much easier to check these logs via a GUI interface (e.g. WinSCP/SFTP) than on the command line. So I am asking for the best way to allow access to these log file directories without having to SSH in and "sudo -i" to check the logs. It's sort of a pain.

FYI, I do have logcheck in place for other "standard" log issues.
You can use setfacl to extend access rights to your user

Do you have automated log processing setup? You can use that to proactively notify you of unexpected events and have the process provide you the access of those snippets in your user's home dir.
Yes, I have "logcheck" monitoring my log files.

I was not aware of setfacl. I assume I would do something like below?

setfacl -m u:[username]:rx /var/log/apache2
setfacl -m u:[username]:rx /var/log/tomcat6
Yes, but the problem is that setfacl does not recursively apply, you may also need to add the mask to grant access to newly created files to inherit those permissions as well.

Usually errors are in their own error log file.
What if I just added my username to, say, the "tomcat6" group? Is that a better way to do this?
That is fine as long as the permissions on the tomcat6 directory include group rights:
chmod 750 /var/log/tomcat6
And the permissions within are 640 for the files.
ASKER CERTIFIED SOLUTION
My mistake: "add yourself to the user" should be "add yourself to the group". Must have been tired then...
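The two routes discussed in the thread (group membership with 750/640, or a per-user ACL with setfacl) and the two things that tripped the asker up (a directory without the x bit, and an ACL mask that silently cuts the entry down) are shown below as an added example. This is not code from the thread or from any of the posters; it assumes the acl package (setfacl/getfacl) is installed, uses "deploy" as a placeholder username, and uses the thread's /var/log/tomcat6 as the directory. The two helper functions parse constructed ls -l / getfacl output and run offline; the grant functions are the commands an admin would run as root.

```shell
#!/bin/sh
# Added example, not code from the thread above. Assumes the acl package
# (setfacl/getfacl) is installed; "deploy" is a placeholder username and
# /var/log/tomcat6 is the directory discussed in the thread.

# Route 1 (the accepted one): group membership plus 750 on the directory
# and 640 on the files. Run as root.
grant_via_group() {
    dir="$1"; user="$2"; grp="$3"
    usermod -aG "$grp" "$user"          # takes effect at the user's next login
    chgrp "$grp" "$dir"
    chmod 750 "$dir"                    # group needs x to traverse, r to list
    find "$dir" -type f -exec chmod 640 {} +
}

# Route 2: a per-user ACL, including a default ACL so log files the daemon
# creates later inherit the entry. Run as root.
grant_via_acl() {
    dir="$1"; user="$2"
    setfacl -m "u:$user:rx" "$dir"        # traverse + list the directory
    setfacl -R -m "u:$user:rX" "$dir"     # read existing files (X: x only on dirs)
    setfacl -d -m "u:$user:rx" "$dir"     # default entry for future files
}

# Helper for the asker's "ls -l" mode string: does the group have the x bit
# needed to enter the directory? "drw-r--r--" (from the thread) does not.
group_can_traverse() {
    [ "$(printf '%s' "$1" | cut -c7)" = "x" ] && echo yes || echo no
}

# Helper for getfacl output: the rights a named user actually gets are the
# user entry ANDed with the mask. A tightened mask is the usual reason for
# "I added the ACL but still get permission denied".
effective_rights() {
    user="$1"; acl="$2"
    entry=$(printf '%s\n' "$acl" | sed -n "s/^user:$user:\([rwx-]*\).*/\1/p")
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\([rwx-]*\).*/\1/p')
    [ -z "$entry" ] && { echo "---"; return; }
    [ -z "$mask" ] && { echo "$entry"; return; }
    out=""; i=1
    while [ "$i" -le 3 ]; do
        e=$(printf '%s' "$entry" | cut -c"$i")
        m=$(printf '%s' "$mask" | cut -c"$i")
        if [ "$e" = "$m" ] && [ "$e" != "-" ]; then out="$out$e"; else out="$out-"; fi
        i=$((i + 1))
    done
    echo "$out"
}

# Constructed getfacl output (not captured from a real system): the mask
# was tightened to r--, so deploy's r-x entry is cut down to r--.
ACL_MASKED=$(cat <<'EOF'
# file: var/log/tomcat6
# owner: tomcat6
# group: adm
user::rwx
user:deploy:r-x       #effective:r--
group::r-x            #effective:r--
mask::r--
other::---
EOF
)

# Same entries with a permissive mask: deploy gets the full r-x.
ACL_OK=$(printf '%s\n' "$ACL_MASKED" | sed 's/^mask::r--/mask::r-x/')

if [ "${1:-}" = "demo" ]; then
    echo "group can traverse drw-r--r--: $(group_can_traverse drw-r--r--)"
    echo "deploy effective rights (masked): $(effective_rights deploy "$ACL_MASKED")"
    echo "deploy effective rights (ok):     $(effective_rights deploy "$ACL_OK")"
fi
```

Run it with the argument demo to see the two checks; grant_via_group and grant_via_acl are only called deliberately, as root, with a real directory, user and group. The getfacl parser is the check to reach for when an ACL entry is present but access is still denied: compare what it returns for your user with what you expected, then fix the mask with setfacl -m m::rx on the directory.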