Instructions applicable to Debian or Debian derivatives like Ubuntu. To use them on other distros or for other directories, simply switch the affected directories in the steps.
In this example the group is "angela"; change that to whatever group you wish to grant access to, like "devs".
As root, set the ACL. The group needs execute (traverse) on the directory itself and read on the log files; the glob only reaches the files, so grant the directory separately:
setfacl -m g:angela:rx /var/log/apache2
setfacl -m g:angela:r /var/log/apache2/*
Read is all that is needed to view or tail the logs; nothing here grants write.
This takes effect immediately. However, when logrotate is run it creates fresh log files, and those do not carry the ACL, so access to the current log is lost at the next rotation. To instruct logrotate to reissue the grant, create the following file:
nano /etc/logrotate.d/apache-logs
Populate with the following:
/var/log/apache2/*.log {
    postrotate
        /usr/bin/setfacl -m g:angela:r /var/log/apache2/*
    endscript
}
On Debian, /etc/logrotate.d/apache2 already rotates /var/log/apache2/*.log, and logrotate rejects a second definition for the same files ("duplicate log entry") and ignores it. If that file exists on your system, add the setfacl line to its existing postrotate block instead of creating a new file.
Check that the rules are set by running:
getfacl /var/log/apache2
The output should look something like this:
root@[/etc/logrotate.d]# getfacl /var/log/apache2
getfacl: Removing leading '/' from absolute path names
# file: var/log/apache2
# owner: root
# group: adm
user::rwx
group::r-x
group:angela:r-x
mask::r-x
other::---
Run logrotate in debug mode to see what it would do, without rotating anything (use the full path unless you are in /etc/logrotate.d):
logrotate -d /etc/logrotate.d/apache-logs
To force the rotation now and watch the postrotate script run (optional):
logrotate -vf /etc/logrotate.d/apache-logs
Easy!
Now, members of the group can view or tail all of the apache2 logs without requiring root.
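As an added example (not part of the original post), here is a small script that performs the grant above and then checks that the ACL is actually effective. It goes a step beyond the post by also setting a default ACL on the directory so files created there later inherit the read entry, and it catches the classic pitfall: a chmod on a log file rewrites the ACL mask, and a mask without r silently blocks the named entry (getfacl then shows "#effective:---" next to it). The group name "angela", the directory /var/log/apache2, the script name grant-log-acl.sh and the function names are assumptions; the acl package (setfacl/getfacl) must be installed and the grant must run as root.

```shell
#!/bin/sh
# Added example, not from the original post: grant a group read access to the
# apache2 logs with ACLs and verify the grant is actually effective.
# Assumptions (change as needed): group "angela", log directory /var/log/apache2,
# the acl package (setfacl/getfacl) installed. grant_log_access must run as root.

LOG_DIR="${LOG_DIR:-/var/log/apache2}"
LOG_GROUP="${LOG_GROUP:-angela}"

# x on the directory so the group can traverse it, r on the existing logs, and a
# default ACL so files created in the directory later inherit the r entry.
grant_log_access() {
    setfacl -m "g:$LOG_GROUP:rx" "$LOG_DIR" &&
    setfacl -m "g:$LOG_GROUP:r" "$LOG_DIR"/*.log &&
    setfacl -d -m "g:$LOG_GROUP:r" "$LOG_DIR"
}

# acl_grants_read GROUP   (reads getfacl output on stdin)
# Returns 0 only if GROUP has an entry containing r AND the mask also contains r.
# A named entry blocked by the mask is printed by getfacl as "r--  #effective:---"
# and must be reported as not granted.
acl_grants_read() {
    group="$1"
    entry=""
    mask="rwx"   # no mask line in the output means nothing is masked
    while IFS= read -r line; do
        case "$line" in
            "group:$group:"*) entry="${line#group:$group:}" ;;
            "mask::"*)        mask="${line#mask::}" ;;
        esac
    done
    [ -n "$entry" ] || return 1
    perms=$(printf '%s\n' "$entry" | cut -c1-3)   # drop any "#effective" note
    case "$perms" in *r*) ;; *) return 1 ;; esac
    case "$mask"  in *r*) ;; *) return 1 ;; esac
    return 0
}

# check_log_access: report the directory and every log the group cannot read.
check_log_access() {
    rc=0
    for path in "$LOG_DIR" "$LOG_DIR"/*.log; do
        if getfacl -p "$path" 2>/dev/null | acl_grants_read "$LOG_GROUP"; then
            echo "ok       $path"
        else
            echo "MISSING  $path"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh grant-log-acl.sh grant   (as root)   or   sh grant-log-acl.sh check
case "${1:-}" in
    grant) grant_log_access && check_log_access ;;
    check) check_log_access ;;
esac
```

Run `sh grant-log-acl.sh check` after a forced rotation (`logrotate -vf ...`) to confirm the new log still passes; a MISSING line on the freshly created access.log means the postrotate hook did not run, and a MISSING line on a file whose getfacl output contains "#effective:---" means something chmod'ed the file and clipped the mask.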
It's been a while since I used this, so I definitely may have missed a step in my notes. Care to share your fix? Surely it would help someone else in the future.