[Systems] Fwd: [Systems-logs] Cron <www-data at sunjammer> [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

[Bernie Innocenti]

On 02/24/2016 11:20 AM, Samuel Cantero wrote:
> Hi all,
> 
> I have received a bunch of this email. The user www-data is executing
> the awstats update script and it doesn't have permission to read the
> /var/log/apache2/codewiz.org/codewiz.org-access.log
> <http://codewiz.org/codewiz.org-access.log> apache log file. The same
> for /var/log/apache2/access.log. The permission is set to:
> 
> -rw-r----- 1 root adm       9,2M Feb 24 14:05 codewiz.org-access.log
> -rw-r----- 1 root adm 9,8M Feb 24 14:13 access.log
> 
> However, all the old log files have the following permission:
> 
> -rw-rw---- 1 root www-data  429K Jan  4  2015
> codewiz.org-access.log-20150104.xz
> 
> I guess logrotate (/etc/logrotate.d/apache2) is in charge of setting
> this permission. So I checked it and I found the following directive:
> create 640 root adm. I can find the same pattern in the other log files.
> I guess we should change it to: create 660 root www-data.
> 
> If you are ok with me, I will proceed to change it and fix manually the
> permissions for the current log files.

I was also surprised to see the change from www-data to adm. How does
Apache even write into files owned by root:adm if it's in the www-data
group?

I guess something changed in how Ubuntu or Debian handles apache logs.
These bugs seem relevant:

 https://bugs.launchpad.net/ubuntu/+source/awstats/+bug/1252467
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745620

Not sure what the best fix is, feel free to experiment.

-- 
 _ // Bernie Innocenti
 \X/  http://codewiz.org