Instructions applicable for Debian or Debian derivatives like Ubuntu. To use for other distros or directories, simply switch the affected directories in the steps.
In this example, the user group is "angela"; change that to whatever group you wish to grant access to, like "devs".
As root, set the ACL:
setfacl -m g:angela:rx /var/log/apache2/*
With this, we set both read and write permissions, so they can also tail when needed.
This immediately grants access. However, when logrotate is run, it will reset the permanent rules. To instruct logrotate to reissue access, create the following file:
nano /etc/logrotate.d/apache-logs
Populate with the following:
/var/log/apache2/*.log {
    postrotate
        /usr/bin/setfacl -m g:angela:rx /var/log/apache2/*
    endscript
}
Let's see if the rules are set by running:
getfacl /var/log/apache2/
The output should look something like this:
root@[/etc/logrotate.d]# getfacl /var/log/apache2
getfacl: Removing leading '/' from absolute path names
# file: var/log/apache2
# owner: root
# group: adm
user::rwx
group::r-x
group:angela:r-x
mask::r-x
other::---
Run logrotate in debug mode to see what will happen when logrotate executes:
logrotate -d apache-logs
If you want to force logrotate to execute this rule (optional):
logrotate -vf apache-logs
Easy!
Now, the user can view or tail all of the apache2 logs without requiring root.
Another solution is to use a default ACL on /var/log/apache2; this works without modifying the logrotate configuration:
The drawback is that you cannot apply the ACL only to specific files in the folder.
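Added example, not code from either answer above: a POSIX shell checker for getfacl output that shows what the listing in the first answer actually grants. It parses the access entries, applies the mask (the mask caps every named-group entry, so `group:angela:r-x` next to `mask::--x` yields no read access even though the entry is still listed), and reports whether a group can read but not write the logs. It also reads `default:` entries, which is what the default-ACL approach in the second answer relies on. Every getfacl listing inside is a constructed sample modelled on the output shown above, and `acl_perm`, `acl_effective` and `check_log_access` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of either answer: check getfacl output for a group's
# effective rights on the log directory. Function names are my own choice.

# Constructed sample, modelled on the getfacl listing in the first answer:
# a named-group entry plus a mask that lets it through.
SAMPLE_DIR_ACL='# file: var/log/apache2
# owner: root
# group: adm
user::rwx
group::r-x
group:angela:r-x
mask::r-x
other::---'

# Constructed sample for the default-ACL approach: the default: entries are
# inherited by every new file created in the directory (e.g. after rotation).
SAMPLE_DEFAULT_ACL='# file: var/log/apache2
# owner: root
# group: adm
user::rwx
group::r-x
group:angela:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:angela:r-x
default:mask::r-x
default:other::---'

# Constructed sample of a narrowed mask (a plain chmod on the directory does
# this): the entry still reads r-x, but the effective rights are --x, and
# getfacl flags that with an #effective annotation.
SAMPLE_MASKED_ACL='# file: var/log/apache2
user::rwx
group::r-x
group:angela:r-x          #effective:--x
mask::--x
other::---'

# acl_perm ACL_TEXT KEY: print the permission field of the entry whose
# qualifier is KEY ("group:angela", "mask:", "default:group:angela", ...),
# or nothing if there is no such entry.
acl_perm() {
    printf '%s\n' "$1" | awk -F: -v key="$2" '
        { sub(/[ \t]+#.*$/, "") }      # drop trailing #effective annotations
        /^#/ || NF < 3 { next }        # skip header comments and blank lines
        { k = $0; sub(/:[^:]*$/, "", k)
          if (k == key) { print $NF; exit } }'
}

# acl_effective ACL_TEXT KEY: the rights actually granted through that entry,
# i.e. the entry ANDed with the mask (default entries are capped by
# default:mask:). Owner and other entries are never masked.
acl_effective() {
    _entry=$(acl_perm "$1" "$2")
    if [ -z "$_entry" ]; then
        printf '%s\n' "---"
        return
    fi
    case "$2" in
        user:|other:|default:user:|default:other:) _mask="" ;;
        default:*) _mask=$(acl_perm "$1" "default:mask:") ;;
        *)         _mask=$(acl_perm "$1" "mask:") ;;
    esac
    if [ -z "$_mask" ]; then        # no mask entry means nothing is masked
        printf '%s\n' "$_entry"
        return
    fi
    printf '%s\n' "$_entry" | awk -v m="$_mask" '{
        out = ""
        for (i = 1; i <= 3; i++) {
            c = substr($0, i, 1)
            out = out ((c != "-" && substr(m, i, 1) != "-") ? c : "-")
        }
        print out
    }'
}

# check_log_access ACL_TEXT GROUP: "ok" when GROUP can read but not write,
# "writable" when it could alter the logs (log-tampering risk), "no-read" when
# the entry is missing or the mask blocks it.
check_log_access() {
    case "$(acl_effective "$1" "group:$2")" in
        ?w?) printf '%s\n' "writable" ;;
        r??) printf '%s\n' "ok" ;;
        *)   printf '%s\n' "no-read" ;;
    esac
}

# Stand-alone demonstration on the constructed samples.
printf 'file ACL, angela:    %s\n' "$(check_log_access "$SAMPLE_DIR_ACL" angela)"
printf 'masked ACL, angela:  %s\n' "$(check_log_access "$SAMPLE_MASKED_ACL" angela)"
printf 'default ACL, angela: %s\n' "$(acl_effective "$SAMPLE_DEFAULT_ACL" default:group:angela)"
```

On a real system, feed it `getfacl -p /var/log/apache2` (`-p` keeps the absolute path, so the "Removing leading '/'" notice does not appear). The mask handling is the part worth keeping: a later `chmod` on the directory rewrites the mask entry rather than the group entry, which can silently revoke the group's read access while `group:angela:r-x` still shows up in the listing.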