These instructions apply to Debian and Debian derivatives such as Ubuntu. For other distributions, or for other log directories, substitute the paths used in the steps below.
In this example the group being granted access is "angela"; change it to whatever group you want, such as "devs".
As root, set the ACL on the directory and on the log files:
setfacl -m g:angela:rx /var/log/apache2
setfacl -m g:angela:r /var/log/apache2/*
The directory needs read and execute (list and traverse): on Debian it is owned by root:adm with mode 750, so without that entry the group cannot even see the files inside it. The files themselves only need read, which is enough to view or tail them; execute on a log file serves no purpose and should not be granted.
This takes effect immediately. However, when logrotate runs, the current log is renamed and a fresh access.log/error.log is created with the permissions from the stanza's create directive, without the angela entry, so access to the live log is lost until the ACL is reapplied. To have logrotate reissue it, add a postrotate hook. (A default ACL on the directory, setfacl -d -m g:angela:r /var/log/apache2, is the alternative: files created inside it inherit the entry and no hook is needed.)
On Debian the apache2 package already ships a stanza for /var/log/apache2/*.log in /etc/logrotate.d/apache2, and logrotate rejects a second stanza for the same files as a duplicate log entry, so put the setfacl line into that stanza's existing postrotate block. Only if no such stanza exists, create a new file:
nano /etc/logrotate.d/apache-logs
and populate it with the following, adding the rotation settings (frequency, rotate count, compress, create mode) you want for those logs, because this stanza is now the one that controls them:
/var/log/apache2/*.log {
    postrotate
        # re-grant read on every log, including the one just created
        /usr/bin/setfacl -m g:angela:r /var/log/apache2/*
    endscript
}
Check that the entry is present by running:
getfacl /var/log/apache2
The output should look something like this:
root@[/etc/logrotate.d]# getfacl /var/log/apache2
getfacl: Removing leading '/' from absolute path names
# file: var/log/apache2
# owner: root
# group: adm
user::rwx
group::r-x
group:angela:r-x
mask::r-x
other::---
Run logrotate in debug mode to see what it would do, without changing anything:
logrotate -d /etc/logrotate.d/apache-logs
To force a rotation right away and watch the hook run (optional):
logrotate -vf /etc/logrotate.d/apache-logs
Easy!
Now the group can view or tail all of the apache2 logs without needing root. After the next rotation, getfacl on the fresh access.log should show the group:angela entry again.
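One thing getfacl output does not make obvious is that a named group entry only counts through the mask: a later chmod on the file rewrites the mask, and getfacl then prints the entry with an "#effective:" annotation showing what it really grants. The script below is an added example, not part of the original post: it parses getfacl listings and reports whether a group effectively has the directory (rx) and file (r) access described above. The group name "angela" and the three ACL listings are constructed samples; on a live system feed it the output of getfacl /var/log/apache2 and getfacl /var/log/apache2/access.log instead.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a group's ACL entry
# really gives it read access to the Apache log directory and to a log file,
# taking the ACL mask into account. Works on getfacl output, so it needs
# neither root nor setfacl to run on the constructed samples below.

# acl_group_has <getfacl-output> <group> <perms>
# Returns 0 if <group> has every letter in <perms> (e.g. "rx") both in its
# named entry and in the mask. Named entries are filtered through the mask,
# so "group:angela:r--" next to "mask::---" grants nothing.
acl_group_has() {
    acl=$1; grp=$2; want=$3
    entry=$(printf '%s\n' "$acl" | sed -n "s/^group:${grp}:\([rwx-]*\).*/\1/p" | head -n 1)
    [ -n "$entry" ] || return 1          # no entry for this group at all
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\([rwx-]*\).*/\1/p' | head -n 1)
    [ -n "$mask" ] || mask=rwx           # no mask line: entry applies unfiltered
    for p in $(printf '%s' "$want" | sed 's/./& /g'); do
        case "$entry" in *"$p"*) ;; *) return 1 ;; esac
        case "$mask"  in *"$p"*) ;; *) return 1 ;; esac
    done
    return 0
}

# log_access_ok <dir-acl> <file-acl> <group>
# The directory needs r and x (list and traverse); the log file needs r.
log_access_ok() {
    acl_group_has "$1" "$3" rx && acl_group_has "$2" "$3" r
}

# Constructed sample listings in the format getfacl prints.
DIR_ACL='# file: var/log/apache2
# owner: root
# group: adm
user::rwx
group::r-x
group:angela:r-x
mask::r-x
other::---'

# A log file (mode 640) with the ACL applied; the mask is r--.
FILE_ACL='# file: var/log/apache2/access.log
# owner: root
# group: adm
user::rw-
group::r--
group:angela:r--
mask::r--
other::---'

# The same file after "chmod 600": chmod rewrote the mask, so the entry is
# still listed but no longer effective.
FILE_ACL_MASKED='# file: var/log/apache2/access.log
# owner: root
# group: adm
user::rw-
group::r--
group:angela:r--   #effective:---
mask::---
other::---'

if [ "${1:-}" = "--demo" ]; then
    log_access_ok "$DIR_ACL" "$FILE_ACL" angela        && echo "angela can read access.log"
    log_access_ok "$DIR_ACL" "$FILE_ACL_MASKED" angela || echo "angela is masked out of access.log"
fi
```

Run it with --demo to see both outcomes. The same check, pointed at real output, is a quick way to confirm after a rotation that the new log is readable rather than merely listed with an entry.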
Just a little... correction?... I don't know.
I had to apply the ACL to the folder instead of the files. Applying the permission to only the files was ineffective because the group didn't have read access to the folder, so all files under it were hidden.