
Permission denied to /var/log/httpd (Apache Logs) owned by root even though ACL is set for user and SELinux is disabled


I have a user (process) called vector which cannot access Apache logs in /var/log/httpd. Trying to cat /var/log/httpd/myapp.co.uk/logfile.log results in permission denied.

The vector user is able to cd to /var/log/ but not to httpd/.

[vector@Server01 root]$ cd /var/
[vector@Server01 var]$ cd /var/log/
[vector@Server01 log]$ cd /var/log/httpd/
bash: cd: /var/log/httpd/: Permission denied

Apache version is Server version: Apache/2.4.37 (rocky). Linux distro is Rocky 8 (CentOS/Redhat).

The permissions are:

[root@Server01~]# getfacl /var/
# file: var/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

[root@Server01~]# getfacl  /var/log/
# file: var/log/
# owner: root
# group: root
user::rwx
user:vector:r--
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:user:vector:r--
default:group::r-x
default:mask::r-x
default:other::r-x

[root@Server01~]# getfacl  /var/log/httpd/
# file: var/log/httpd/
# owner: root
# group: root
user::rwx
user:vector:r--
group::---
mask::r--
other::---
default:user::rwx
default:user:vector:r--
default:group::---
default:mask::r--
default:other::---

[root@Server01~]# getfacl  /var/log/httpd/myapp.co.uk/
# file: var/log/httpd/myapp.co.uk/
# owner: root
# group: root
user::rwx
user:vector:r--
group::r-x
mask::r-x
other::r-x

SELinux is also disabled for now.

[root@Server01 ~]# getenforce
Disabled

Any ideas?


Solution

  • The user doesn't have the rights to ENTER the directory. This is the "x" flag in permissions, so it should be

    user:vector:r-x

    for the /var/log/httpd/ dir.

    Depending on the protection level you want, it would be better to have 711 (root:root) on the httpd dir, or possibly 755 (root:root) based on the Apache user, or, again, if the log should belong to the specific user under the Apache vhost, 711 on the subfolder /var/log/httpd/myapp.co.uk/ with the correct user:group.

    Basically, if the user should access the directory (cd into it), they must have the corresponding x. Without the x permission (for the owner, the owning group, or others) no access (cd) to the directory is granted. The "r" permission, from a directory's perspective, means "view the directory's contents".
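The following is an added example, not code from the question or the answer above. It implements the POSIX.1e access-check algorithm documented in acl(5) (owner entry first, then a matching named-user entry, then matching group entries, then other; named-user and group entries are filtered through the mask, the owner entry is not) and runs it over the four getfacl blocks posted in the question, to show at which directory the vector user loses the search ("x") bit and why changing only the user:vector entry is not enough when the mask stays r--. Assumptions: vector's only group is its private group `vector`, and `set_user_entry` models what `setfacl -m u:vector:rx` does to the mask (recalculated as the union of the owning-group and all named entries, unless -n is given).

```python
"""Added example: evaluate POSIX.1e ACLs from getfacl output (algorithm per acl(5))
to find where a user loses the search bit on a directory chain. Not part of the
original question or answer."""
import copy
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Acl:
    owner: str
    group: str
    user_obj: str                  # user::   (file owner)
    group_obj: str                 # group::  (owning group)
    other: str                     # other::
    mask: Optional[str] = None     # mask::   (present whenever named entries exist)
    users: dict = field(default_factory=dict)   # user:NAME:perms
    groups: dict = field(default_factory=dict)  # group:NAME:perms


def parse_getfacl(text: str) -> Acl:
    """Parse one getfacl block. Only access entries take part in an access check;
    'default:' entries are inherited by new children and are skipped here."""
    acl = Acl(owner="", group="", user_obj="---", group_obj="---", other="---")
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl.owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl.group = line.split(":", 1)[1].strip()
        elif not line or line.startswith("#") or line.startswith("default:"):
            continue
        else:
            # getfacl appends "#effective:..." when the mask trims an entry; drop it
            tag, qual, perms = line.split("#")[0].strip().split(":")
            if tag == "user" and qual:
                acl.users[qual] = perms
            elif tag == "user":
                acl.user_obj = perms
            elif tag == "group" and qual:
                acl.groups[qual] = perms
            elif tag == "group":
                acl.group_obj = perms
            elif tag == "mask":
                acl.mask = perms
            elif tag == "other":
                acl.other = perms
    return acl


def _has(perms: str, want: str) -> bool:
    return all(c in perms for c in want)


def _masked(perms: str, mask: Optional[str]) -> str:
    return perms if mask is None else "".join(c if c in mask else "-" for c in perms)


def allowed(acl: Acl, user: str, groups, want: str) -> bool:
    """acl(5) access check. A matching named-user or group entry is final: a user
    with a user:NAME entry never falls through to other::."""
    if user == acl.owner:
        return _has(acl.user_obj, want)
    if user in acl.users:
        return _has(_masked(acl.users[user], acl.mask), want)
    matches = [acl.group_obj] if acl.group in groups else []
    matches += [p for g, p in acl.groups.items() if g in groups]
    if matches:
        return any(_has(_masked(p, acl.mask), want) for p in matches)
    return _has(acl.other, want)


def effective(acl: Acl, user: str, groups) -> str:
    """rwx string the user really gets (what getfacl shows as #effective)."""
    return "".join(c if allowed(acl, user, groups, c) else "-" for c in "rwx")


def first_denied(chain, user, groups):
    """Walk (path, acl) pairs top-down; return the first directory whose search
    bit is missing for `user`, or None if the whole chain can be traversed."""
    for path, acl in chain:
        if not allowed(acl, user, groups, "x"):
            return path
    return None


def set_user_entry(acl: Acl, name: str, perms: str, recalc_mask: bool = True) -> Acl:
    """Model `setfacl -m u:NAME:PERMS`; recalc_mask=False models `setfacl -n`."""
    new = copy.deepcopy(acl)
    new.users[name] = perms
    if recalc_mask:
        pool = [new.group_obj, *new.users.values(), *new.groups.values()]
        new.mask = "".join(c if any(c in p for p in pool) else "-" for c in "rwx")
    return new


HDR = "# owner: root\n# group: root\n"
POSTED = [  # access entries copied from the four getfacl blocks in the question
    ("/var", "user::rwx\ngroup::r-x\nother::r-x"),
    ("/var/log", "user::rwx\nuser:vector:r--\ngroup::r-x\nmask::r-x\nother::r-x"),
    ("/var/log/httpd", "user::rwx\nuser:vector:r--\ngroup::---\nmask::r--\nother::---"),
    ("/var/log/httpd/myapp.co.uk", "user::rwx\nuser:vector:r--\ngroup::r-x\nmask::r-x\nother::r-x"),
]
CHAIN = [(p, parse_getfacl(HDR + t)) for p, t in POSTED]
GROUPS = {"vector"}  # assumption: vector's only group is its private group


def fixed_chain(recalc_mask: bool = True):
    """The answer's fix applied to every directory carrying a user:vector entry."""
    return [(p, set_user_entry(a, "vector", "r-x", recalc_mask) if "vector" in a.users else a)
            for p, a in CHAIN]


if __name__ == "__main__":
    for p, a in CHAIN:
        print(f"{p:28} vector effective: {effective(a, 'vector', GROUPS)}")
    print("first denied, as posted:       ", first_denied(CHAIN, "vector", GROUPS))
    print("first denied, setfacl -m:      ", first_denied(fixed_chain(), "vector", GROUPS))
    print("first denied, setfacl -n -m:   ", first_denied(fixed_chain(False), "vector", GROUPS))
```

Two things worth noting from the run. First, with the ACLs exactly as posted the walk already stops at /var/log, not /var/log/httpd: the user:vector:r-- entry on /var/log is the entry that applies to vector, and other::r-x is never consulted for a user who has a named entry. That differs from the cd transcript in the question, so the /var/log ACL was presumably added after that session; on a live system `sudo -u vector test -x /var/log/httpd && echo ok` is the direct check. Second, giving the entry r-x is only half of the fix on /var/log/httpd, whose mask is r--: `setfacl -m u:vector:rx` recalculates the mask and works, while `setfacl -n -m u:vector:rx` leaves the mask alone and vector still cannot enter (getfacl would then print the entry with a `#effective:r--` annotation). Every directory on the path, including the vhost subfolder, needs the search bit for `cat` on the log file to succeed.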