Permissions set to 644 but users can't read it :-(

I use virtualmin on my system. One of my colleagues screwed up permissions on the Apache log files. Files are stored under /var/log/virtualmin

Apache is able to write to the log files well.

Users get permission denied while trying to access any log file in there.

I set the above directory, recursive, sticky to 1644. Apache is still able to write to it, but users can’t read it. See below for an example of the listing:

under /var/log:

drw-r--r-T+  2 root   root       16384 May 11 00:49 virtualmin

one file under /var/log/virtualmin

-rw-r--r-T 1 mydomain          apache    1627831 May 11 01:00 mydomain.com_access_log

I am really going nuts with this. Any help will be appreciated.

Thanks a ton!

The issue lies in the permissions and ownership settings of the /var/log/virtualmin directory and its files. The sticky bit (T) and current ownership configuration are restricting non-root users from accessing the log files, even though Apache can still write to them.

Here’s a step-by-step guide to resolve this:

1. Understanding the Current Permission Problem

  • The directory /var/log/virtualmin has a sticky bit (T) set. This means that only the owner or root can delete or rename files within the directory, which is fine in certain use cases but may cause issues when combined with restrictive ownership and group settings.
  • The files under the directory are owned by mydomain and apache, which limits access for other users.

2. Suggested Permission and Ownership Fix

To allow non-root users to read the files, you’ll need to adjust both the permissions and ownership. Follow these steps:

Step 1: Adjust Directory Permissions

Grant read and execute permissions to the directory for all users (so they can traverse the directory).

sudo chmod 755 /var/log/virtualmin

Explanation:

  • 7 (owner): Full access (read, write, execute).
  • 5 (group and others): Read and execute only.

Step 2: Adjust File Permissions

Grant read permissions to all users for the log files.

sudo chmod 644 /var/log/virtualmin/*

Explanation:

  • 6 (owner): Read and write.
  • 4 (group and others): Read only.

Step 3: Change Group Ownership

If you want a specific group (e.g., logusers) to have access to the logs without affecting general users:

  1. Create a group (if not already created):
sudo groupadd logusers
  2. Add users who need access to this group:
sudo usermod -aG logusers username
  3. Change the group ownership of the directory and files:
sudo chown -R root:logusers /var/log/virtualmin
  4. Set permissions to allow the group to traverse the directory and read the files (the directory gets the execute bit, the log files do not):
sudo chmod 750 /var/log/virtualmin
sudo chmod 640 /var/log/virtualmin/*

Step 4: Remove the Sticky Bit

The sticky bit (T) is not needed here and might be causing issues. Remove it:

sudo chmod -t /var/log/virtualmin
sudo chmod -t /var/log/virtualmin/*

3. Automate Permission Settings for New Files

To ensure that newly created log files also inherit the correct group and permissions:

  1. Set a Default Group: Make the group ownership of the directory sticky so that all files inherit the group:
sudo chmod g+s /var/log/virtualmin
  2. Set Default Permissions with umask: Configure the log creation process to set permissions automatically:
  • Edit the Apache environment configuration:
sudo nano /etc/apache2/envvars
  • Add or modify the following line to set a umask value for log files:
umask 027

This ensures new files are created with 750 permissions (read and execute for the group, no access for others).
  3. Restart Apache:

sudo systemctl restart apache2

4. Verify Access

After completing the steps:

  1. Check directory and file permissions:
ls -ld /var/log/virtualmin
ls -l /var/log/virtualmin/
  2. Test file access as a regular user added to the logusers group:
su - username
cat /var/log/virtualmin/mydomain.com_access_log

5. If Access Is Still Denied

  • Check for SELinux or AppArmor restrictions:
sudo sestatus  # For SELinux
sudo aa-status # For AppArmor

If enabled, create rules or disable these systems temporarily to debug.

By following these steps, users should now have read access to the log files in /var/log/virtualmin without compromising security. Let me know if further clarification is needed!
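Added example, not part of the question or the answer above: the listing in the question shows the directory as drw-r--r-T, i.e. with the read bit but without the search (x) bit, and a non-root user needs x on every directory on the path to open a file inside it, whatever the file's own mode. The script below is a self-contained stand-in for `namei -l`: it walks from a file up to a top directory you name, flags every component whose "others" class lacks x and a final file that lacks r, and also reports the mode a fresh file or directory gets under a given umask so the umask step can be verified before restarting Apache. It assumes a Linux `stat` that accepts `-c '%a'` (GNU or BusyBox); the function names, the scratch tree and the file names in the demo are constructed for the example. Note also the trailing `+` on the directory in the listing, which means an ACL is present; `getfacl /var/log/virtualmin` shows entries that `ls -l` does not.

```shell
#!/bin/sh
# Added example (not from the original post). Requires GNU/BusyBox stat.

# others_digit MODE -> the last octal digit of MODE, i.e. the "others" triplet.
# A 4-digit mode such as 1644 (sticky bit set) still ends in the others digit.
others_digit() {
    m=$1
    printf '%s' "${m#"${m%?}"}"
}

# check_readable FILE [TOP]
# Report whether a user who is neither the owner nor in the group could read
# FILE. Checks r on FILE, then x on every directory from FILE's parent up to
# and including TOP (default: /). Prints one line per blocking component.
# Returns 0 if nothing blocks, 1 if something does, 2 if stat fails.
check_readable() {
    file=$1
    top=${2:-/}
    rc=0
    mode=$(stat -c '%a' "$file") || return 2
    case $(others_digit "$mode") in
        4|5|6|7) ;;
        *) printf 'no read bit for others: %s (%s)\n' "$file" "$mode"; rc=1 ;;
    esac
    dir=$(dirname "$file")
    while :; do
        dmode=$(stat -c '%a' "$dir") || return 2
        case $(others_digit "$dmode") in
            1|3|5|7) ;;
            *) printf 'no search (x) bit for others: %s (%s)\n' "$dir" "$dmode"; rc=1 ;;
        esac
        [ "$dir" = "$top" ] && break
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# mode_under_umask UMASK file|dir -> octal mode a new file or directory gets
# under UMASK (0666 or 0777 masked). Creates it in a scratch dir and reads
# the mode back from the kernel rather than computing it by hand.
mode_under_umask() {
    um=$1
    kind=$2
    scratch=$(mktemp -d) || return 2
    if [ "$kind" = dir ]; then
        (umask "$um" && mkdir "$scratch/d") && stat -c '%a' "$scratch/d"
    else
        (umask "$um" && : > "$scratch/f") && stat -c '%a' "$scratch/f"
    fi
    rm -rf "$scratch"
}

# Demo on a constructed tree mirroring the question's listing: a 1644
# directory holding a 644 log file, then the same tree after chmod 755.
demo() {
    t=$(mktemp -d) && chmod 755 "$t"
    mkdir "$t/virtualmin" && : > "$t/virtualmin/mydomain.com_access_log"
    chmod 1644 "$t/virtualmin"
    chmod 644 "$t/virtualmin/mydomain.com_access_log"
    echo "before fix:"
    check_readable "$t/virtualmin/mydomain.com_access_log" "$t" || echo "blocked"
    chmod 755 "$t/virtualmin"
    echo "after chmod 755 on the directory:"
    check_readable "$t/virtualmin/mydomain.com_access_log" "$t" && echo "readable by others"
    echo "umask 027 gives files $(mode_under_umask 027 file), directories $(mode_under_umask 027 dir)"
    rm -rf "$t"
}

demo
```

Pass the top of the tree you own as the second argument so the walk stops there instead of continuing into parents you cannot change; for the real case that would be `check_readable /var/log/virtualmin/mydomain.com_access_log /var/log`. The output lines name the exact component that denies access, which is the piece of information `ls -l` on the file alone never gives you.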