Failing to understand apache permissions for log files

Issues related to applications and software problems
LeonardChallis
Posts: 6
Joined: 2014/04/14 09:35:35

Failing to understand apache permissions for log files

Post by LeonardChallis » 2014/04/21 09:19:26

I have a simple LAMP stack on CentOS set up. Apache is set up with vhosts and each developer has their web files inside their user folder. The directory structure is like so (for the user `test`):

    /home/test
    |_ apache
       |_ domain1.com
          |_ backups
          |_ conf
             |_ vhost.conf
          |_ logs
             |_ errors.log
             |_ images.log
             |_ web.log
          |_ private
          |_ public

The vhost config is in the vhost.conf file. The log files in logs don't exist when the config is first set up, and this throws an error with apache when I run `service httpd restart`:

    (13)Permission denied: httpd: could not open error log file /home/test/apache/domain1.com/logs/error.log.
    Unable to open logs

I tried running `httpd -X` as root and it created the log files (with root ownership/group). I thought it would be a case of making sure that the files are there, with group set as `apache` and writeable (so I don't have to make the whole directory belong to `apache` group and writeable), but this confuses me:

    [root@dev logs]# ls -al
    total 16
    drwxr-xr-x. 2 test developers 4096 Apr 18 21:02 .
    drwxr-xr-x. 8 test developers 4096 Apr 18 20:25 ..
    -rw-r--r--. 1 test developers 1818 Apr 18 21:02 error.log
    -rw-r--r--. 1 test developers   14 Apr 18 20:25 .gitignore
    -rw-r--r--. 1 test developers    0 Apr 18 20:54 image.log
    [root@dev logs]# service httpd restart
    Stopping httpd:                                            [  OK  ]
    Starting httpd:                                            [FAILED]
    [root@dev logs]# touch web.log
    [root@dev logs]# chown test:developers web.log
    [root@dev logs]# service httpd restart
    Stopping httpd:                                            [FAILED]
    Starting httpd:                                            [  OK  ]

I'm confused because apache runs as user `apache` and shouldn't have write access on the logs, should it? In fact, I can even do this:

    [root@dev logs]# rm -f ./*.log
    [root@dev logs]# touch {error.log,image.log,web.log}
    [root@dev logs]# ls -al
    total 12
    drwxr-xr-x. 2 test developers 4096 Apr 18 21:10 .
    drwxr-xr-x. 8 test developers 4096 Apr 18 20:25 ..
    -rw-r--r--. 1 root root          0 Apr 18 21:10 error.log
    -rw-r--r--. 1 test developers   14 Apr 18 20:25 .gitignore
    -rw-r--r--. 1 root root          0 Apr 18 21:10 image.log
    -rw-r--r--. 1 root root          0 Apr 18 21:10 web.log
    [root@dev logs]# service httpd restart
    Stopping httpd:                                            [  OK  ]
    Starting httpd:                                            [  OK  ]

I now have log files owned by root and it still starts up - and it writes to them too - if I tail web.log and browse to that page the logs start showing up.

I'm obviously not quite grasping something here, so what am I missing? I would prefer not to have to create the log files manually and allow apache to do that itself, but regardless, I'd just like to understand why this is happening - especially when I get round to allowing PHP to mess with files.

I was told looking in the audit log would help. I'm not sure how myself but here is what happens when tailing it when starting apache when it errors:

    type=AVC msg=audit(1397906748.752:49390): avc:  denied  { write } for  pid=19433 comm="httpd" name="logs" dev=md2 ino=7210204 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
    type=SYSCALL msg=audit(1397906748.752:49390): arch=c000003e syscall=2 success=no exit=-13 a0=7f9bb740e598 a1=80441 a2=1b6 a3=752e6f632e74756f items=0 ppid=19432 pid=19433 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=128 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

When running with the logs existing, nothing else is added to the log. The `Permission denied: httpd: could not ...` error was from the general log.

tigalch
QA Team
Posts: 522
Joined: 2012/06/23 17:28:41
Location: Austria

Re: Failing to understand apache permissions for log files

Post by tigalch » 2014/04/21 11:17:09

Taking into account the SELinux log, I'm pretty sure httpd fails because the logfiles are set with the right SELinux context (the httpd logs usually reside under /var/log/httpd). Try setting the same SELinux context to your designated log directories.
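As an added example that is not part of either post: a small POSIX shell script that reads the AVC line quoted in the question (embedded below as a constructed copy), reports which SELinux source type was denied which permission on which target type, and prints the `semanage fcontext` / `restorecon` commands that give a custom log directory the `httpd_log_t` label that `/var/log/httpd` carries. The function names and the script are my own; `httpd_log_t`, `semanage fcontext -a -t` and `restorecon -Rv` are the real type and tools (on CentOS 6 `semanage` comes from the policycoreutils-python package).

```shell
#!/bin/sh
# Added example (not from the thread): explain an AVC denial and derive the
# persistent relabelling fix for a custom Apache log directory.

# Constructed copy of the AVC line from the question, used as sample input.
AVC_LINE='type=AVC msg=audit(1397906748.752:49390): avc:  denied  { write } for  pid=19433 comm="httpd" name="logs" dev=md2 ino=7210204 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'

# avc_field LINE KEY -> the value of "KEY=value" in LINE (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_type CONTEXT -> the type component (user:role:TYPE:level) of a context
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# explain_avc LINE -> "<source type> denied <perms> on <class> labelled <target type>"
explain_avc() {
    line=$1
    src=$(avc_type "$(avc_field "$line" scontext)")
    tgt=$(avc_type "$(avc_field "$line" tcontext)")
    # permissions appear as "{ write }" or "{ read write }"; join several with commas
    perms=$(printf '%s\n' "$line" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' | tr ' ' ',')
    cls=$(avc_field "$line" tclass)
    printf '%s denied %s on %s labelled %s\n' "$src" "$perms" "$cls" "$tgt"
}

# suggest_fix DIR -> the two commands that label DIR and everything under it
# httpd_log_t, persistently (survives a relabel) and then applied to disk.
suggest_fix() {
    dir=${1%/}
    printf 'semanage fcontext -a -t httpd_log_t "%s(/.*)?"\nrestorecon -Rv "%s"\n' "$dir" "$dir"
}

explain_avc "$AVC_LINE"
suggest_fix /home/test/apache/domain1.com/logs
```

Run as `sh avc_explain.sh`; the first output line reads `httpd_t denied write on dir labelled user_home_t`, i.e. the httpd domain is not allowed to write in a directory that still carries the home-directory label, whatever the Unix mode bits say. Relabelling only the `logs` directory (check with `ls -dZ` afterwards) keeps the rest of the home directory out of httpd's reach, which is preferable to switching SELinux to permissive. One further note of my own on the root-owned files in the question: httpd's parent process opens its log files as root before forking the `apache` workers, which inherit the open descriptors, so file ownership never blocked the start; the directory's SELinux label did.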
