Opened on 05/27/2015 at 04:38:46 PM

Closed on 07/14/2015 at 11:58:29 AM

Last modified on 07/20/2015 at 11:25:06 AM

#2600 closed change (fixed)

Normalize ownership and privileges for Nginx logs

Reported by: matze Assignee: matze
Priority: P4 Milestone:
Module: Infrastructure Keywords:
Cc: fred, fhd Blocked By:
Blocking: Platform: Unknown
Ready: yes Confidential: no
Tester: Unknown Verified working: no
Review URL(s):


Our current setup causes nginx(8) access logs to appear with various different file permissions and group/owner assignments:

mathias@filter20:~$ ls -la /var/log/nginx
total 13644
drwxr-xr-x  2 root  root     4096 May 27 14:52 .
drwxr-xr-x 11 root  root     4096 May 27 14:52 ..
-rw-r-----  1 nginx adm    150048 May 27 15:12 access.log
-rw-r--r--  1 root  root 10207556 May 27 15:12 access_log_easylist_downloads
-rw-r--r--  1 root  root  3570881 May 27 15:12 access_log_notification
-rw-r-----  1 nginx adm     19080 May 27 15:12 error.log

There are other combinations as well. Overall I believe found any combination possible with adm, nginx, root, www-data and various different permissions, e.g. -rw-r--r-- or -rw------.

This is obviously due to the fact that we never explicitely configured these attributes. Since logrotate(8), unless configured otherwise, keeps the current set of permissions, the differences are probably due to past attempts for bypassing some intermediate access issues.

To avoid such issues in the future (and to "clean up our closet"), we should start managing these attributes via Puppet and clean up /var/log/nginx during roll-out.

Ideally all logs would belong to user www-data (the one Nginx runs as) and group adm (which is actually meant for read-only access to `/var/log`).

Attachments (0)

Change History (6)

comment:1 Changed on 06/09/2015 at 03:51:52 PM by fred

What should be the file permissions for all those log files in the directory?
0640? 0644?

Should the directory itself also belong to "www-data.adm"? Or stay at "root.root" as it is in the example?

What should be the permission of the directory itself? Stay at 0755 or also change to something more restrictive like 0750?

comment:2 Changed on 06/10/2015 at 04:28:49 AM by matze

Assuming you go with www-data:adm for the file ownership (according to the ticket description), 0640 is perfectly fine.

The directory (/var/log/nginx) should remain in the distribution's default state after installing Nginx through the pacakge manager, which is root:root and 0755.

comment:3 Changed on 07/03/2015 at 12:23:46 PM by fred

  • Owner set to fred
  • Tester set to Unknown

comment:4 Changed on 07/03/2015 at 12:27:41 PM by fred

  • Review URL(s) modified (diff)
  • Status changed from new to reviewing

comment:5 Changed on 07/14/2015 at 11:58:29 AM by fred

  • Resolution set to fixed
  • Status changed from reviewing to closed

comment:6 Changed on 07/20/2015 at 11:25:06 AM by fred

  • Owner changed from fred to matze

Add Comment

Modify Ticket

Change Properties
as closed .
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from matze.
Note: See TracTickets for help on using tickets.