
Ubuntu 11.10 server

I have a user bob whose home directory is /home/sites/bob. In that there are directories public_html and logs.

Apache runs under the www-data user. bob's primary group is www-data. Apache updates the access.log and error.log in the logs directory. The two log files are owned by root:root and have permission 644.

The bob user logs in to an FTP server which works. The problem is bob can delete or overwrite the two log files. I need Apache to be able to write to the logs, and for bob to only have read access - no overwriting or deleting the logs. How can this be done?

What I've tried:

cd /home/sites/bob
chown www-data:www-data logs
chmod 644 logs

I expected this to work because it should give Apache write access and the www-data group (i.e. the bob user) just read access. What actually happens is that in the FTP session bob can see logs in the directory list but he can't open it. When he tries to change to logs, the error is:

Command: CWD logs
Response: 550 logs: No such file or directory
Error: Failed to retrieve directory listing

So my question is how can I give write access to Apache (www-data) to logs but only read access (and no delete) to bob?

ServerBloke

1 Answer


You need to give execute permission on the logs directory, otherwise the user cannot enter the directory.

chmod 754 logs/
faker
  • out of interest, do you know why Apache creates the log files with ownership `root:root`? I expected it to create them as `www-data:www-data`? – ServerBloke Mar 11 '13 at 16:51
  • Yes, this is a security measure. It prevents certain attacks. E.g. requesting a non-existing page in order to write evil code into the access/error log file, afterwards using a vulnerability in an installed application to include the logfile and execute the code. See also: http://httpd.apache.org/docs/2.2/logs.html – faker Mar 11 '13 at 17:00
  • Thank you. Finally, can I just ask why do I need the execute permission on the owner and not the group? E.g. why `754` and not `674` because the FTP user is the one that enters the directory and he gains permission through the group not the owner? – ServerBloke Mar 11 '13 at 17:13
  • `754` gives execute permission to both the user and group. The user does not necessarily need it in your case (since `www-data` user is part of `www-data` group anyway) but in my opinion the permission is easier to read when also giving it to the user. – faker Mar 11 '13 at 17:22
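The layout the answer arrives at rests on two separate Unix rules: entering or deleting inside a directory is governed by the directory's bits (x to traverse, w to create/delete/rename entries), while overwriting a file is governed by the file's own bits. So `logs` at 754 owned by www-data lets Apache write, lets group members such as bob traverse and list, and denies them delete; the root-owned 644 log files deny bob overwrite. The script below is an added example, not code from the question or the answer: it audits a logs directory for exactly that layout and names which rule is violated. It assumes GNU coreutils `stat` (as on Ubuntu) and takes the directory path and, optionally, the expected owner (www-data in the post) as arguments; the exact messages and function names are this example's own.

```shell
#!/bin/sh
# Added example: audit a per-site Apache logs directory for the layout
# described in the answer. Assumes GNU `stat -c`. Not from the original post.

# An octal permission digit carries the write bit if it is 2, 3, 6 or 7,
# and the execute (traverse) bit if it is 1, 3, 5 or 7.
digit_has_write() { case $1 in 2|3|6|7) return 0 ;; *) return 1 ;; esac; }
digit_has_exec()  { case $1 in 1|3|5|7) return 0 ;; *) return 1 ;; esac; }

# Print the user, group and other digits of a mode string such as "754"
# (a leading setuid/setgid/sticky digit, as in "2754", is dropped).
mode_digits() {
    m=$1
    m=${m#"${m%???}"}
    u=${m%??}
    rest=${m#?}
    g=${rest%?}
    o=${rest#?}
    echo "$u $g $o"
}

# audit_logs_dir DIR [EXPECTED_OWNER]
# Prints one line per problem and returns 1 if any was found, 0 otherwise.
# Checks: (1) the directory's group bits include x, or a group member such
# as the FTP user cannot enter it (the "550 ... No such file or directory"
# seen in the question); (2) neither group nor other can write to the
# directory, or they could delete or rename the logs; (3) no log file is
# group- or other-writable, or it could be overwritten; (4) optionally, the
# directory is owned by the account Apache runs as.
audit_logs_dir() {
    dir=$1
    want_owner=${2:-}
    rc=0
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }

    if [ -n "$want_owner" ] && [ "$(stat -c %U "$dir")" != "$want_owner" ]; then
        echo "$dir: owner is $(stat -c %U "$dir"), expected $want_owner"
        rc=1
    fi

    set -- $(mode_digits "$(stat -c %a "$dir")")
    dgrp=$2
    doth=$3
    if ! digit_has_exec "$dgrp"; then
        echo "$dir: group lacks execute (x); group members cannot enter it"
        rc=1
    fi
    if digit_has_write "$dgrp" || digit_has_write "$doth"; then
        echo "$dir: group or other can write; entries could be deleted or renamed"
        rc=1
    fi

    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        set -- $(mode_digits "$(stat -c %a "$f")")
        if digit_has_write "$2" || digit_has_write "$3"; then
            echo "$f: group or other can write; the log could be overwritten"
            rc=1
        fi
    done
    return $rc
}

# Usage on the poster's layout, run as root:
#   audit_logs_dir /home/sites/bob/logs www-data
if [ $# -gt 0 ]; then
    audit_logs_dir "$@"
fi
```

Run against the question's first attempt (`chmod 644 logs`) it reports the missing group execute bit, which is the cause of the `CWD logs` failure; after `chmod 754 logs/` it passes, and it will start complaining again if someone later relaxes the directory to 774 or a log file to 664, either of which hands bob the delete or overwrite access the question wants to deny.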