Posted to users@httpd.apache.org by Aaron Wolski <aa...@martekbiz.com> on 2004/03/24 16:17:43 UTC

[users@httpd] access_logs not writing!

Hi All,
 
I HOPE this is the list I can ask this question.
 
Recently set up a dedicated server for my clients. I have access_log
being written into the customer's home/username/logs directory. This was
working.
 
I then set up log rotation to be run every day, which works, but the problem
is when a rotation occurs. access_log will not write UNLESS apache is
restarted.
 
Does ANYONE know or understand what is causing this problem?
 
Thanks so much for any help!!
 
Aaron
 

RE: [users@httpd] access_logs not writing!

Posted by Aaron Wolski <aa...@martekbiz.com>.
> > > "killall -HUP httpd" is WAY more disruptive to your server than a
> > > graceful restart!
> > >
> >
> > True, but a graceful restart isn't always enough.
> > I'm not sure in this case tbh but I've a feeling that it's one of the
> > times something a little more forceful is needed...
> 
> Nope.  As the docs say, graceful is sufficient for rotating the logs.
> 

It should be noted that I have decided to do as the manual suggests to
use the 'apachectl graceful' command in my logrotate/httpd script.

Thanks to both of you! You have helped!!!!!

Aaron


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
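
Why the log goes quiet after rotation, as an added example that is not part of the thread: a shell process standing in for httpd keeps its descriptor on the renamed file until it reopens the log by name. The function names and the sample request lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: a stand-in for httpd keeps writing to the rotated file.
# simulate_rotation and the request lines are constructed for illustration.

# count_lines FILE -> number of lines, without wc's padding
count_lines() { echo $(( $(wc -l < "$1") )); }

# simulate_rotation WORKDIR
# Prints: "<lines in access_log.1> <access_log absent after rename?> <lines in new access_log>"
simulate_rotation() {
    log=$1/access_log

    exec 3>>"$log"                  # server start: open the log once, keep fd 3
    echo 'GET /before-rotate' >&3

    mv "$log" "$log.1"              # logrotate renames; fd 3 still points at that inode
    echo 'GET /after-rotate' >&3    # so this entry lands in access_log.1

    absent=no
    [ -e "$log" ] || absent=yes     # no writer has reopened access_log by name

    exec 3>&-                       # graceful restart: close the old descriptor ...
    exec 3>>"$log"                  # ... and reopen by name, creating a fresh file
    echo 'GET /after-reopen' >&3
    exec 3>&-

    echo "$(count_lines "$log.1") $absent $(count_lines "$log")"
}

# Stand-alone run in a throwaway directory.
demo_dir=$(mktemp -d)
simulate_rotation "$demo_dir"
rm -rf "$demo_dir"
```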


RE: [users@httpd] access_logs not writing!

Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 24 Mar 2004, Adam Buglass wrote:

> On Wed, 2004-03-24 at 16:53, Joshua Slive wrote:
> > On Wed, 24 Mar 2004, Aaron Wolski wrote:
> > > Well... it seems this has worked:
> >
> > > /usr/bin/killall -HUP httpd 2> /dev/null || true
> >
> > > access_log does start rewriting without having to go graceful!
> >
> > "killall -HUP httpd" is WAY more disruptive to your server than a
> > graceful restart!
> >
>
> True, but a graceful restart isn't always enough.
> I'm not sure in this case tbh but I've a feeling that it's one of the
> times something a little more forceful is needed...

Nope.  As the docs say, graceful is sufficient for rotating the logs.

Joshua.



RE: [users@httpd] access_logs not writing!

Posted by Adam Buglass <ad...@ncl.ac.uk>.
On Wed, 2004-03-24 at 16:53, Joshua Slive wrote:
> On Wed, 24 Mar 2004, Aaron Wolski wrote:
> > Well... it seems this has worked:
> 
> > /usr/bin/killall -HUP httpd 2> /dev/null || true
> 
> > access_log does start rewriting without having to go graceful!
> 
> "killall -HUP httpd" is WAY more disruptive to your server than a
> graceful restart!
> 

True, but a graceful restart isn't always enough.
I'm not sure in this case tbh but I've a feeling that it's one of the
times something a little more forceful is needed...



> Joshua.
-- 

Adam Buglass,  ><>
The Golden Freeway,
Department of Child Health,
University of Newcastle-upon-Tyne.
Royal Victoria Infirmary.

(0191) 2023062

"Democracy is two wolves and a lamb voting on what to have for lunch.
Liberty is a well-armed lamb contesting the vote." 
~Benjamin Franklin, 1759




RE: [users@httpd] access_logs not writing!

Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 24 Mar 2004, Aaron Wolski wrote:
> Well... it seems this has worked:

> /usr/bin/killall -HUP httpd 2> /dev/null || true

> access_log does start rewriting without having to go graceful!

"killall -HUP httpd" is WAY more disruptive to your server than a
graceful restart!

Joshua.



RE: [users@httpd] access_logs not writing!

Posted by Aaron Wolski <aa...@martekbiz.com>.
Hi Adam,

Well... it seems this has worked:

/home/*/logs/access_log {
    monthly
    missingok
    rotate 1
    postrotate
        /usr/bin/killall -HUP httpd 2> /dev/null || true
    endscript
    compress
}

I have this in my /etc/logrotate.d/httpd file.

access_log does start rewriting without having to go graceful!

Thanks for the help on this.

Regards,

Aaron

> -----Original Message-----
> From: Adam Buglass [mailto:adam.buglass@ncl.ac.uk]
> Sent: March 24, 2004 10:40 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] access_logs not writing!
> 
> <snip>
> > http://httpd.apache.org/docs-2.0/logs.html#rotation
> >
> > You do need to restart apache (gracefully), but this shouldn't be a
> > problem.
> >
> > Also, you do know that writing logs to a directory owned by a non-root
> > user is essentially equivalent to giving that user root, right?
> > See:
> > http://httpd.apache.org/docs-2.0/misc/security_tips.html#serverroot
> >
> > Joshua.
> >
> Best way to do it, use a shell script. Something like this:
> 
> /var/log/httpd/error {
>     missingok
>     postrotate
>         /usr/bin/killall -HUP httpd 2> /dev/null || true
>     endscript
> }
> 
> HTH
> Adam


Re: [users@httpd] access_logs not writing!

Posted by Adam Buglass <ad...@ncl.ac.uk>.
<snip>
> http://httpd.apache.org/docs-2.0/logs.html#rotation
> 
> You do need to restart apache (gracefully), but this shouldn't be a
> problem.
> 
> Also, you do know that writing logs to a directory owned by a non-root
> user is essentially equivalent to giving that user root, right?
> See:
> http://httpd.apache.org/docs-2.0/misc/security_tips.html#serverroot
> 
> Joshua.
> 
Best way to do it, use a shell script. Something like this:

/var/log/httpd/error {
    missingok
    postrotate
        /usr/bin/killall -HUP httpd 2> /dev/null || true
    endscript
}

HTH
Adam




RE: [users@httpd] access_logs not writing!

Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 24 Mar 2004, Aaron Wolski wrote:

> > The problem is not the ownership of the file.  The problem is that the
> > process writing to the file has root permissions, which can be taken over
> > if you control the file.  So simply changing the ownership won't help.
>
> Alright. I hear what you are saying.
>
> The question is.. how do I NOT make it so that the process writing the
> file has root permissions?

I don't think it can be done.  As I said, I suggest dealing with it by
giving up permissions on the file as part of your log rotation process.

> Do you have a link or reference text I can go to other than what you
> posted earlier?

Sorry, no.  And I'm really not an expert on unix security myself.  But not
allowing non-root users to control a file being written to by root is a
pretty standard unix security restriction, I believe.

Joshua.



RE: [users@httpd] access_logs not writing!

Posted by Aaron Wolski <aa...@martekbiz.com>.
> The problem is not the ownership of the file.  The problem is that the
> process writing to the file has root permissions, which can be taken over
> if you control the file.  So simply changing the ownership won't help.

Alright. I hear what you are saying.

The question is.. how do I NOT make it so that the process writing the
file has root permissions?

Do you have a link or reference text I can go to other than what you
posted earlier?

Thanks Josh.

A




RE: [users@httpd] access_logs not writing!

Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 24 Mar 2004, Aaron Wolski wrote:
> I guess, I have decided to manually assign ownership/group privileges to
> the user-account instead of attempting to do it automatically.

I don't know what that means.

>
> I STILL believe that there MUST be a way when the access_log file is
> created in with the CustomLog directive to have it automatically set the
> ownership/group to that of the user and NOT root.
>
> Am I incorrect in my thought process here?

The problem is not the ownership of the file.  The problem is that the
process writing to the file has root permissions, which can be taken over
if you control the file.  So simply changing the ownership won't help.

Joshua.



RE: [users@httpd] access_logs not writing!

Posted by Aaron Wolski <aa...@martekbiz.com>.
Hi Josh,

Thanks for your comments/help so far.

I guess, I have decided to manually assign ownership/group privileges to
the user-account instead of attempting to do it automatically.

I STILL believe that there MUST be a way when the access_log file is
created in with the CustomLog directive to have it automatically set the
ownership/group to that of the user and NOT root.

Am I incorrect in my thought process here?

Thanks!


> -----Original Message-----
> From: Joshua Slive [mailto:joshua@slive.ca]
> Sent: March 24, 2004 11:56 AM
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] access_logs not writing!
> 
> 
> On Wed, 24 Mar 2004, Aaron Wolski wrote:
> > Is it possible to have these files "automatically" written with the
> > account name as the owner and not root?
> 
> No.  It is possible that you could do so as part of a piped-logging
> script, but I don't know the details.
> 
> My suggestion would be to log all these to a central place owned by root
> and then symlink this place from the appropriate user directories.  If you
> need the files themselves to be user-owned, you could do this as part of
> your log-rotation script.
> 
> Joshua.


RE: [users@httpd] access_logs not writing!

Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 24 Mar 2004, Aaron Wolski wrote:
> Is it possible to have these files "automatically" written with the
> account name as the owner and not root?

No.  It is possible that you could do so as part of a piped-logging
script, but I don't know the details.

My suggestion would be to log all these to a central place owned by root
and then symlink this place from the appropriate user directories.  If you
need the files themselves to be user-owned, you could do this as part of
your log-rotation script.

Joshua.



RE: [users@httpd] access_logs not writing!

Posted by Aaron Wolski <aa...@martekbiz.com>.
> [Please turn off the html.]

Sorry about that.

> Also, you do know that writing logs to a directory owned by a non-root
> user is essentially equivalent to giving that user root, right?
> See:
> http://httpd.apache.org/docs-2.0/misc/security_tips.html#serverroot

Hmm.. that is interesting. To be honest, I did not realize this.

I did a ls -l on the /home/username/logs directory and noticed that
ownership is indeed root.

Ideally, I would like to ensure that the account name is the owner of
all the files in the directory. The account name DOES have ownership of
the directory.

Is it possible to have these files "automatically" written with the
account name as the owner and not root?

Thanks and sorry for a dumb question if it is :/

Aaron




Re: [users@httpd] access_logs not writing!

Posted by Joshua Slive <jo...@slive.ca>.
[Please turn off the html.]

On Wed, 24 Mar 2004, Aaron Wolski wrote:
> Recently set up a dedicated server for my clients. I have access_log
> being written into the customer's home/username/logs directory. This was
> working.
>
> I then set up log rotation to be run every day, which works, but the problem
> is when a rotation occurs. access_log will not write UNLESS apache is
> restarted.
>
> Does ANYONE know or understand what is causing this problem?

See
http://httpd.apache.org/docs-2.0/logs.html#rotation

You do need to restart apache (gracefully), but this shouldn't be a
problem.

Also, you do know that writing logs to a directory owned by a non-root
user is essentially equivalent to giving that user root, right?
See:
http://httpd.apache.org/docs-2.0/misc/security_tips.html#serverroot

Joshua.
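
A check for the condition described in the message above, as an added example (not code from the thread or from the Apache project): it flags a log path whose directory chain is not owned by root, is group- or world-writable, or whose log name is itself a symlink. The function name and its optional TRUSTED_UID and TOP arguments are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: flag log paths that a non-root user could redirect.
# check_log_path, TRUSTED_UID and TOP are names made up for this sketch.

# check_log_path FILE [TRUSTED_UID] [TOP]
#   TRUSTED_UID  uid allowed to own the directories (default 0, root)
#   TOP          highest directory to inspect (default /)
# Prints one finding per line; returns 0 if nothing was found, 1 otherwise.
check_log_path() {
    log=$1 trusted=${2:-0} top=${3:-/} rc=0

    # A symlink at the log path sends the privileged open() somewhere else.
    if [ -L "$log" ]; then
        echo "UNSAFE $log: log path is a symlink"
        rc=1
    fi

    # Resolve the directory physically so symlinked directories are followed.
    dir=$(cd -- "$(dirname -- "$log")" 2>/dev/null && pwd -P) || {
        echo "UNSAFE $log: directory does not exist"
        return 1
    }

    # Walk from the log directory up to TOP: whoever can write to any of
    # these directories can replace what the server opens at (re)start.
    while :; do
        set -- $(ls -ldn -- "$dir")     # $1 = mode string, $3 = numeric owner
        if [ "$3" != "$trusted" ]; then
            echo "UNSAFE $dir: owned by uid $3, expected $trusted"
            rc=1
        fi
        case $1 in
            ?????w*|????????w*)
                echo "UNSAFE $dir: group- or world-writable ($1)"
                rc=1 ;;
        esac
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname -- "$dir")
    done
    return "$rc"
}

# Usage: sh check_log_path.sh /home/username/logs/access_log ...
for f in "$@"; do
    check_log_path "$f" || true
done
```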

