I want to read the apache2 error log file from PHP (it is currently owned by the www-data user)
Is it safe to change the owner of this file, or to give it less restrictive permissions ?
Add a comment |
1 Answer
The reason the default configuration is to restrict access to the error log is that it can contain sensitive information regarding either your configuration, or records of warnings/errors that contain usernames, passwords, database connection strings etc.
Allowing the webserver itself (read-only) access to that error log increases the risk for unauthorized access to such information.
But only you can do a risk analysis and judge if the benefits outweigh the risks.
- I know it's raise up security issue. If I do change permission, what is going to happen with the log rotate ?user2804112– user28041122014-09-04 13:59:26 +00:00Commented Sep 4, 2014 at 13:59
- Unless you take specific measures, the log files get re-created after rotating them by reloading the apache server. That results in them getting default permissions. A
create 0123 username groupnamewill create the new log files with specific permissions and owner before running the post rotate script, allowing you to override apache defaults.HBruijn– HBruijn2014-09-04 14:24:53 +00:00Commented Sep 4, 2014 at 14:24