The issue lies in the permissions and ownership settings of the `/var/log/virtualmin` directory and its files. The sticky bit (`T`) and current ownership configuration are restricting non-root users from accessing the log files, even though Apache can still write to them.
Here’s a step-by-step guide to resolve this:
1. Understanding the Current Permission Problem
- The directory `/var/log/virtualmin` has a sticky bit (`T`) set. This means that only the owner or root can delete or rename files within the directory, which is fine in certain use cases but may cause issues when combined with restrictive ownership and group settings.
- The files under the directory are owned by `mydomain` and `apache`, which limits access for other users.
2. Suggested Permission and Ownership Fix
To allow non-root users to read the files, you’ll need to adjust both the permissions and ownership. Follow these steps:
Step 1: Adjust Directory Permissions
Grant read and execute permissions to the directory for all users (so they can traverse the directory).
sudo chmod 755 /var/log/virtualmin
Explanation:
- `7` (owner): Full access (read, write, execute).
- `5` (group and others): Read and execute only.
Step 2: Adjust File Permissions
Grant read permissions to all users for the log files.
sudo chmod 644 /var/log/virtualmin/*
Explanation:
- `6` (owner): Read and write.
- `4` (group and others): Read only.
Step 3: Change Group Ownership
If you want a specific group (e.g., `logusers`) to have access to the logs without affecting general users:
- Create a group (if not already created):
sudo groupadd logusers
- Add users who need access to this group:
sudo usermod -aG logusers username
- Change the group ownership of the directory and files:
sudo chown -R root:logusers /var/log/virtualmin
- Set permissions to allow the group to read the files:
sudo chmod -R 750 /var/log/virtualmin
Step 4: Remove the Sticky Bit
The sticky bit (`T`) is not needed here and might be causing issues. Remove it:
sudo chmod -t /var/log/virtualmin
sudo chmod -t /var/log/virtualmin/*
3. Automate Permission Settings for New Files
To ensure that newly created log files also inherit the correct group and permissions:
- Set a Default Group: Make the group ownership of the directory sticky so that all files inherit the group:
sudo chmod g+s /var/log/virtualmin
- Set Default Permissions with `umask`: Configure the log creation process to set permissions automatically:
  1. Edit the Apache environment configuration:
  sudo nano /etc/apache2/envvars
  2. Add or modify the following line to set a `umask` value for log files:
  umask 027
  This ensures new files are created with 750 permissions (read and execute for the group, no access for others).
  3. Restart Apache:
  sudo systemctl restart apache2
4. Verify Access
After completing the steps:
- Check directory and file permissions:
ls -ld /var/log/virtualmin
ls -l /var/log/virtualmin/
- Test file access as a regular user added to the `logusers` group:
su - username
cat /var/log/virtualmin/mydomain.com_access_log
5. If Access Is Still Denied
- Check for SELinux or AppArmor restrictions:
sudo sestatus # For SELinux
sudo aa-status # For AppArmor
If enabled, create rules or disable these systems temporarily to debug.
By following these steps, users should now have read access to the log files in `/var/log/virtualmin` without compromising security. Let me know if further clarification is needed!
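As an added example that is not part of the post above, the following POSIX sh function checks for the group-restricted end state that Step 3 and section 3 aim for: directory and files owned by the chosen group, group able to traverse and read, setgid set so new logs inherit the group, no sticky bit, and nothing readable by "others". It assumes GNU coreutils `stat` (Linux); the directory path and group name are parameters.

```shell
# check_log_perms DIR GROUP
# Prints one line per finding and returns 0 only if DIR and every regular
# file in it match the intended layout. Assumes GNU stat's %A and %G formats.
check_log_perms() {
  dir=$1; grp=$2; status=0
  mode=$(stat -c '%A' "$dir")
  [ "$(stat -c '%G' "$dir")" = "$grp" ] || { echo "$dir: group is not $grp"; status=1; }
  # Characters 5-7 of e.g. "drwxr-s---" are the group bits; an 's' in the
  # execute slot means g+x plus setgid, so new files inherit the directory group.
  case $(echo "$mode" | cut -c5-7) in
    r-s|rws) ;;
    *) echo "$dir: group needs r-x plus setgid (chmod 2750), have $mode"; status=1 ;;
  esac
  # Characters 8-10 are the "other" bits; anything but "---" exposes the logs to
  # every local user, and a t/T in the last slot is the sticky bit being removed.
  [ "$(echo "$mode" | cut -c8-10)" = "---" ] \
    || { echo "$dir: others have access or sticky bit set, have $mode"; status=1; }
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    fmode=$(stat -c '%A' "$f")
    [ "$(stat -c '%G' "$f")" = "$grp" ] || { echo "$f: group is not $grp"; status=1; }
    # group read bit is character 5 of e.g. "-rw-r-----"
    [ "$(echo "$fmode" | cut -c5)" = "r" ] || { echo "$f: not group-readable, have $fmode"; status=1; }
    [ "$(echo "$fmode" | cut -c8-10)" = "---" ] || { echo "$f: world-accessible, have $fmode"; status=1; }
  done
  return $status
}
```

Run it as `check_log_perms /var/log/virtualmin logusers` after the steps above; a non-zero exit with the printed findings tells you which file or bit still needs fixing.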