Opened on 05/27/2015 at 04:38:46 PM

Closed on 07/14/2015 at 11:58:29 AM

Last modified on 07/20/2015 at 11:25:06 AM

#2600 closed change (fixed)

Normalize ownership and privileges for Nginx logs

Reported by: matze Assignee: matze
Priority: P4 Milestone:
Module: Infrastructure Keywords:
Cc: fred, fhd Blocked By:
Blocking: Platform: Unknown
Ready: yes Confidential: no
Tester: Unknown Verified working: no
Review URL(s):

https://codereview.adblockplus.org/29321355/

Description

Our current setup causes nginx(8) access logs to appear with various different file permissions and group/owner assignments:

mathias@filter20:~$ ls -la /var/log/nginx
total 13644
drwxr-xr-x  2 root  root     4096 May 27 14:52 .
drwxr-xr-x 11 root  root     4096 May 27 14:52 ..
-rw-r-----  1 nginx adm    150048 May 27 15:12 access.log
-rw-r--r--  1 root  root 10207556 May 27 15:12 access_log_easylist_downloads
-rw-r--r--  1 root  root  3570881 May 27 15:12 access_log_notification
-rw-r-----  1 nginx adm     19080 May 27 15:12 error.log

There are other combinations as well. Overall I believe I found any combination possible with adm, nginx, root, www-data and various different permissions, e.g. -rw-r--r-- or -rw------.

This is obviously due to the fact that we never explicitly configured these attributes. Since logrotate(8), unless configured otherwise, keeps the current set of permissions, the differences are probably due to past attempts for bypassing some intermediate access issues.

To avoid such issues in the future (and to "clean up our closet"), we should start managing these attributes via Puppet and clean up /var/log/nginx during roll-out.

Ideally all logs would belong to user www-data (the one Nginx runs as) and group adm (which is actually meant for read-only access to `/var/log`).

Attachments (0)

Change History (6)

comment:1 Changed on 06/09/2015 at 03:51:52 PM by fred

What should be the file permissions for all those log files in the directory?
0640? 0644?

Should the directory itself also belong to "www-data.adm"? Or stay at "root.root" as it is in the example?

What should be the permission of the directory itself? Stay at 0755 or also change to something more restrictive like 0750?

comment:2 Changed on 06/10/2015 at 04:28:49 AM by matze

Assuming you go with www-data:adm for the file ownership (according to the ticket description), 0640 is perfectly fine.

The directory (/var/log/nginx) should remain in the distribution's default state after installing Nginx through the package manager, which is root:root and 0755.
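
An audit for the target state discussed above (www-data:adm, 0640), as an added example that is not part of the ticket or the project's Puppet code. The function name audit_log_perms is hypothetical, and GNU find is assumed.

```shell
#!/bin/sh
# Added example, not from the ticket or the project's Puppet manifests.
# Lists regular files directly under a log directory whose owner, group or
# mode deviates from the expected values (www-data:adm 0640 in the ticket).
# Assumes GNU find (-maxdepth, -printf). OWNER and GROUP may be names or
# numeric ids, as accepted by find's -user and -group tests.

# audit_log_perms DIR OWNER GROUP MODE
# Prints one "owner:group mode path" line per deviating file.
# Returns 0 if every file matches, 1 if any deviates, 2 on usage error.
audit_log_perms() {
    [ "$#" -eq 4 ] || { echo "usage: audit_log_perms DIR OWNER GROUP MODE" >&2; return 2; }
    dir=$1 owner=$2 group=$3 mode=$4
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # -perm MODE without a prefix matches the permission bits exactly, so
    # both looser (0644) and stricter (0600) files are reported.
    deviations=$(find "$dir" -maxdepth 1 -type f \
        \( ! -user "$owner" -o ! -group "$group" -o ! -perm "$mode" \) \
        -printf '%u:%g %m %p\n' | sort)

    [ -z "$deviations" ] && return 0
    printf '%s\n' "$deviations"
    return 1
}

# Invocation matching the ticket's target state:
#   audit_log_perms /var/log/nginx www-data adm 0640
```

Because logrotate(8) keeps the existing permissions unless told otherwise, its `create 0640 www-data adm` directive is the usual way to pin the same state for newly rotated files.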

comment:3 Changed on 07/03/2015 at 12:23:46 PM by fred

  • Owner set to fred
  • Tester set to Unknown

comment:4 Changed on 07/03/2015 at 12:27:41 PM by fred

  • Review URL(s) modified (diff)
  • Status changed from new to reviewing

comment:5 Changed on 07/14/2015 at 11:58:29 AM by fred

  • Resolution set to fixed
  • Status changed from reviewing to closed

comment:6 Changed on 07/20/2015 at 11:25:06 AM by fred

  • Owner changed from fred to matze
