
@angela-d
Last active October 14, 2023 23:24
Allow Non-root users access to Apache logs

Non-root user access to Apache logs

Instructions applicable for Debian or Debian derivatives like Ubuntu. To use them on other distros or with other directories, substitute the affected directories in the steps.

In this example, the user group is "angela"; change that to whatever group you wish to grant access to, such as "devs".

As root, set the acl:

setfacl -m g:angela:rx /var/log/apache2/*

With this, we set read and execute (rx) permissions, so they can also tail when needed.

This grants access immediately. However, when logrotate is run, it will reset these permissions on the log files. To instruct logrotate to reissue access, create the following file:

nano /etc/logrotate.d/apache-logs

Populate with the following:

/var/log/apache2/*.log {
    postrotate
        /usr/bin/setfacl -m g:angela:rx /var/log/apache2/*
    endscript
}

Let's see if the rules are set, by running:

getfacl /var/log/apache2/

The output should look something like this:

root@[/etc/logrotate.d]# getfacl /var/log/apache2
getfacl: Removing leading '/' from absolute path names
# file: var/log/apache2
# owner: root
# group: adm
user::rwx
group::r-x
group:angela:r-x
mask::r-x
other::---

Run logrotate in debug mode, to see what will happen when logrotate executes:

logrotate -d apache-logs

If you want to force logrotate to execute this rule (optional):

logrotate -vf apache-logs

Easy!

Now, the user can view or tail all of the apache2 logs without requiring root.

@FromOopsToOps

Just a little... correction?... I don't know.
I had to apply the ACL to the folder instead of the files. Applying the permission to only the files was ineffective because group didn't have read access to the folder, so all files under it were hidden.

@angela-d
Author

angela-d commented Jun 3, 2022

> Just a little... correction?... I don't know. I had to apply the ACL to the folder instead of the files. Applying the permission to only the files was ineffective because group didn't have read access to the folder, so all files under it were hidden.

It's been a while since I used this, so I definitely may have missed a step in my notes; care to share your fix? Surely it would help someone else in the future.

@aristipp

aristipp commented Jun 16, 2022

Another solution is to use a default ACL on /var/log/apache2; this works without modifying the logrotate configuration:

# set default acl recursive (-R) and default (-d) (will be inherited by new files) acl for user and group id 1001 on /var/log/apache2
setfacl -Rdm u:1001:r /var/log/apache2
setfacl -Rdm g:1001:r /var/log/apache2
 
# make directory readable by user and group id 1001
setfacl -m u:1001:rx /var/log/apache2
setfacl -m g:1001:rx /var/log/apache2
 
# make all existent active logs readable by user and group id 1001
setfacl -m u:1001:r /var/log/apache2/*.log
setfacl -m g:1001:r /var/log/apache2/*.log

# make all existent archived logs readable by user and group id 1001
setfacl -m u:1001:r /var/log/apache2/*.log*
setfacl -m g:1001:r /var/log/apache2/*.log*

The drawback is that you cannot apply the ACL only to specific files in the folder.
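Added example (not part of the gist or of any comment above): a small POSIX shell checker for `getfacl` output that ties together the gist's verification step, FromOopsToOps's point that the group needs read on the directory itself, and aristipp's default ACL. It computes the rights a named group actually gets, which is the named entry ANDed with the `mask::` entry (getfacl flags a narrowed entry with `#effective:`), and what a newly created file would inherit from the `default:` entries. Both ACL listings below are constructed samples, not output from a real host; the group names and the gid 1001 are taken from the text above only as illustrative values.

```shell
#!/bin/sh
# Constructed sample of `getfacl /var/log/apache2` (not captured from a real host):
# access entries for two named groups plus a default ACL of the kind that
# `setfacl -Rdm g:1001:r /var/log/apache2` leaves behind.
SAMPLE_DIR_ACL='# file: var/log/apache2
# owner: root
# group: adm
user::rwx
group::r-x
group:angela:r-x
group:1001:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:1001:r--
default:mask::r-x
default:other::---'

# Constructed sample for one log file whose mask was later tightened (for example by
# a chmod g-x on the file): the named entry still reads r-x, but only r-- is effective.
SAMPLE_FILE_ACL='# file: var/log/apache2/access.log
# owner: root
# group: adm
user::rw-
group::r--
group:angela:r-x          #effective:r--
mask::r--
other::---'

# and_perms A B: bitwise AND of two rwx triplets, e.g. and_perms r-x r-- -> r--
and_perms() {
  _out=""
  for _i in 1 2 3; do
    _ca=$(printf '%s' "$1" | cut -c"$_i")
    _cb=$(printf '%s' "$2" | cut -c"$_i")
    if [ "$_ca" = "$_cb" ] && [ "$_ca" != "-" ]; then
      _out="$_out$_ca"
    else
      _out="$_out-"
    fi
  done
  printf '%s' "$_out"
}

# acl_entry ACL_TEXT PREFIX: the rwx triplet of the line starting with PREFIX
# (e.g. "group:angela:" or "default:mask::"), ignoring any "#effective:" annotation.
acl_entry() {
  printf '%s\n' "$1" | sed -n "s/^$2\([-rwx][-rwx][-rwx]\).*/\1/p" | head -n 1
}

# effective_group_perms ACL_TEXT GROUP: what the named group really gets on the
# object, i.e. its entry ANDed with mask:: (fails when the group has no entry).
effective_group_perms() {
  _entry=$(acl_entry "$1" "group:$2:")
  [ -n "$_entry" ] || return 1
  _mask=$(acl_entry "$1" "mask::")
  if [ -n "$_mask" ]; then and_perms "$_entry" "$_mask"; else printf '%s' "$_entry"; fi
}

# default_group_perms ACL_TEXT GROUP: what a file created inside the directory
# inherits for the group from the default: entries, ANDed with default:mask::.
default_group_perms() {
  _entry=$(acl_entry "$1" "default:group:$2:")
  [ -n "$_entry" ] || return 1
  _mask=$(acl_entry "$1" "default:mask::")
  if [ -n "$_mask" ]; then and_perms "$_entry" "$_mask"; else printf '%s' "$_entry"; fi
}

# group_can_read ACL_TEXT GROUP: succeeds when the group's effective rights include r;
# on the directory this is what lets a non-root user see the log files at all.
group_can_read() {
  _p=$(effective_group_perms "$1" "$2") || return 1
  case $_p in r*) return 0 ;; *) return 1 ;; esac
}

# Stand-alone demo: the three answers someone verifying this setup wants.
printf 'angela on the directory, effective: %s\n' "$(effective_group_perms "$SAMPLE_DIR_ACL" angela)"
printf 'gid 1001 inherited by new log files: %s\n' "$(default_group_perms "$SAMPLE_DIR_ACL" 1001)"
printf 'angela on access.log, effective:    %s\n' "$(effective_group_perms "$SAMPLE_FILE_ACL" angela)"
```

Feed it real output with `effective_group_perms "$(getfacl /var/log/apache2)" angela`; if the directory check fails but the per-file entries are present, you are in the situation FromOopsToOps describes, and if a file reports less than its named entry, the mask (not the entry) is what needs attention.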
