I have 2 users on my server, one with sudo access and another without. How can I give access to the nginx logs (`/var/log/nginx/error.log`) to another user without sudo permission to use `cat /var/log/nginx/error.log`? Can I create something like a symlink to the log in his `/home/username` directory?

So my question is - how can a user without sudo permission check nginx logs?

Alexander Kim
  • `sudo` access to what? It is not clear from your question. I know some people make 'sudo access' to mean 'root access', but that is not technically accurate. Please elaborate. – dawud Nov 10 '14 at 14:12
  • Yeah, you could use `sudo` to give him the permissions actually, depending on how you want to configure it. – gparent Nov 10 '14 at 14:41
  • You could use ACLs, e.g. `setfacl -m 'user:someuser:r' /var/log/nginx/error.log`. I'm not sure how that would work with logrotate. `sudo` access to cat/tail/etc the log is probably a better option anyway. – Greg Bowser Nov 10 '14 at 14:45
  • @GregBowser IMHO, using ACLs without understanding ACLs is a recipe for problems. – Paul Nov 11 '14 at 01:09

1 Answer

For example, like this:

```
chmod 755 /var/log/nginx && chmod 644 /var/log/nginx/*.log && chmod 644 /var/log/nginx/*.gz
```

This way anyone will be able to cwd and read the contents of the `/var/log/nginx` directory and read the `*.log` files.

You should also check the log rotating configuration so the permissions won't be changed again. For the last several versions of Nginx, up to and including 1.6.2, the file `/etc/logrotate.d/nginx` has used the line `create 0640 www-data adm` to set permissions when rotating logs. This should be changed to something like `create 0644 www-data adm`. It should be noted that this solution allows all users on the server to read all Nginx logs.

Update: logrotate configs also should be updated to include `su www-data adm`, to allow the logadm utility to work without complaining about incorrect directory permissions.

drookie
  • Default Nginx configuration in `/etc/logrotate.d/nginx` is `create 0640 www-data adm`. That's in 1.6.2, but I don't think that line has changed in quite some time. – Paul Nov 10 '14 at 16:13
  • This answer is written so it would be universal and generic, rather than ubuntu-nginx-1.6.2-20141110-specific. – drookie Nov 10 '14 at 17:49
  • nginx config in logrotate d was resetting it. Fixed it by changing it. –  Dec 29 '17 at 06:14
  • Is there no other way to solve this, such that when a different user tries to start nginx it uses a different log path? I tried adding it to my new nginx.conf file, but when running `nginx -c newnginx.conf` on this new user, it still tries to access the /var/log/nginx... – Poul K. Sørensen Sep 24 '18 at 13:53
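
The answer has two moving parts that can disagree: the modes set by hand with `chmod`, and the `create` line logrotate applies at the next rotation. The script below is an added example, not part of the original answer or comments; its function names and the scratch-directory sample are constructed for illustration, and it assumes a POSIX shell with `awk` and `find`. It reports which mode rotation will apply, which logs will be reset, and which are readable by every local account.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes a POSIX shell, awk and find.

# Print the octal mode from the first "create MODE OWNER GROUP" directive.
logrotate_create_mode() {
    awk '$1 == "create" && $2 ~ /^[0-7]+$/ { print $2; exit }' "$1"
}

# Succeed if the "other" read bit (4 in the last octal digit) is set.
mode_world_readable() {
    last=${1#"${1%?}"}
    [ $(( last & 4 )) -ne 0 ]
}

# *.log files in DIR whose current mode differs from MODE; rotation resets them.
log_mode_drift() {
    find "$1" -type f -name '*.log' ! -perm "$2" | sort
}

# Files in DIR that every local account can read right now.
world_readable_logs() {
    find "$1" -type f -perm -004 | sort
}

# usage: audit_nginx_logs LOGROTATE_CONF LOG_DIR
audit_nginx_logs() {
    mode=$(logrotate_create_mode "$1")
    [ -n "$mode" ] || { echo "no create directive in $1"; return 2; }
    if mode_world_readable "$mode"; then
        echo "rotation creates logs as $mode: readable by every local user"
    else
        echo "rotation creates logs as $mode: not world-readable"
    fi
    log_mode_drift "$2" "$mode" | sed 's/^/reset at next rotation: /'
    world_readable_logs "$2" | sed 's/^/world-readable now: /'
}

# Constructed sample: a stanza with the create line quoted in the answer, and a
# log that was chmod'ed to 644 by hand, both built in a scratch directory.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '/var/log/nginx/*.log {' '    daily' \
    '    create 0640 www-data adm' '}' > "$demo_dir/nginx.logrotate"
mkdir "$demo_dir/logs"
: > "$demo_dir/logs/access.log"; chmod 640 "$demo_dir/logs/access.log"
: > "$demo_dir/logs/error.log";  chmod 644 "$demo_dir/logs/error.log"
audit_nginx_logs "$demo_dir/nginx.logrotate" "$demo_dir/logs"
```

On a real host, pass `/etc/logrotate.d/nginx` and `/var/log/nginx` to `audit_nginx_logs` from an account that can read both.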