40

I'm writing a new daemon, which will be hosted on Debian Linux.

I've found that /var/log has root-only write permissions, so my daemon cannot write log files there.

However, if it writes there, it appears it will gain automatic log rotation, and also work as a user might expect.

What is the recommended way for a daemon to write log entries that appear in /var/log, without having to be run as root?

The daemon is a webserver, so the log traffic will be similar to Apache.

John McAleely

4 Answers

49

You should create a subdirectory like /var/log/mydaemon having the daemon's user ownership.

WiseTechi
  • How about giving write permission to /var/log/mydaemon instead of doing chown? – Kapil Vyas Jun 25 '18 at 20:59
  • Definitely doable, but you have to rely on a common group to achieve that so it's more complex than just setting the proper ownership. – WiseTechi Jul 02 '18 at 09:17
17

As root, create a logfile there and change the file's owner to the webserver user:

# touch /var/log/myserver.log
# chown wwwuser /var/log/myserver.log

Then the server can write to the files if run as user wwwuser. It will not gain automatic log rotation, though. You have to add the logfile to /etc/logrotate.conf or /etc/logrotate.d/... and make your server reopen the logfile when logrotate signals it should.

You might also use syslog for logging, if that fits your scenario better.

Umur Kontacı
sth
  • 2
    It's better to put the logs in a subdirectory as WiseTechi's answer mentions. If you have the file in /var/log and the file gets deleted, the non-root process will not be able to re-create the file – Athir Nuaimi Sep 25 '15 at 17:41
  • Also the daemon wouldn't be able to log rotate, as it doesn't have permissions to create new files in the logdir. – Ákos Vandra-Meyer Jan 09 '17 at 01:35
  • Usually the daemon doesn't have to recreate the file, but logrotated renames the existing log and creates a new logfile with the correct permissions. Then it tells the daemon to use the new file, which it can since it already has correct permissions. – sth Jan 09 '17 at 14:31
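
The reopen-after-rotation step discussed in this answer and its comments, shown as an added example (not code from any poster here). The class name `ReopenableLog`, the file name `access.log` and the choice of SIGHUP as the rotation signal are assumptions, and a temporary directory stands in for a daemon-owned /var/log/mydaemon.

```python
import os
import signal
import tempfile


class ReopenableLog:
    """Append-only log whose file is reopened after a rotation signal."""

    def __init__(self, path):
        self.path = path
        self._reopen = False
        self._fd = self._open()

    def _open(self):
        # O_APPEND keeps every write at end of file; O_NOFOLLOW refuses a
        # symlink at the log path; 0o640 (before umask) is not world-readable.
        flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
        return os.open(self.path, flags, 0o640)

    def request_reopen(self, signum=None, frame=None):
        self._reopen = True  # handler only sets a flag; write() does the work

    def install(self, signum=signal.SIGHUP):
        # Assumption: the rotation tool is configured to send this signal.
        signal.signal(signum, self.request_reopen)

    def write(self, line):
        if self._reopen:
            self._reopen = False
            new_fd = self._open()  # open first, so a failure keeps the old fd
            os.close(self._fd)
            self._fd = new_fd
        os.write(self._fd, (line + "\n").encode())


def simulate_rotation(log_dir):
    """Rotate once by renaming the live file; return (rotated, current) text."""
    path = os.path.join(log_dir, "access.log")  # constructed file name
    log = ReopenableLog(path)
    log.write("before rotation")
    os.rename(path, path + ".1")    # the rotation tool renames the live file
    log.write("old fd still open")  # follows the rename into access.log.1
    log.request_reopen()            # in a daemon this arrives via the signal
    log.write("after reopen")       # file is created again at the old path
    with open(path + ".1") as old, open(path) as new:
        return old.read(), new.read()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # stands in for the log directory
        print(simulate_rotation(d))
```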
4

Two options:

  1. Start as root, open the file, then drop permissions with setuid. (I don't remember the exact system calls for dropping permissions.) You'll have to do this anyway if you want to bind to TCP port 80 or any port below 1024.
  2. Create a subdirectory like /var/log/mydaemon having the daemon's user ownership, as WiseTechi said.

Files under /var/log aren't automatically rotated; instead, rotation is controlled by /etc/logrotate.conf and files under /etc/logrotate.d.

Community
Josh Kelley
3

Use the "logger" command:

http://linux.die.net/man/1/logger

phatypus
  • 2
    logger is bound by the same permission restrictions as any other program. You still need to fix those before using logger. – pavon May 06 '13 at 06:00
  • @pavon That doesn't seem to be correct, for Ubuntu 18.04 at least. `echo "test" > /var/log/my_log` will fail but `logger "test"` will succeed. – aidan Jan 31 '19 at 03:43