Issue
I have a user (process) called vector which cannot access Apache logs in /var/log/httpd. Trying to cat /var/log/httpd/myapp.co.uk/logfile.log results in permission denied.
The vector user is able to cd to /var/log/ but not to httpd/.
[vector@Server01 root]$ cd /var/
[vector@Server01 var]$ cd /var/log/
[vector@Server01 log]$ cd /var/log/httpd/
bash: cd: /var/log/httpd/: Permission denied
Apache version is Server version: Apache/2.4.37 (rocky). Linux distro is Rocky 8 (CentOS/Red Hat).
The permissions are:
[root@Server01~]# getfacl /var/
# file: var/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
[root@Server01~]# getfacl /var/log/
# file: var/log/
# owner: root
# group: root
user::rwx
user:vector:r--
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:user:vector:r--
default:group::r-x
default:mask::r-x
default:other::r-x
[root@Server01~]# getfacl /var/log/httpd/
# file: var/log/httpd/
# owner: root
# group: root
user::rwx
user:vector:r--
group::---
mask::r--
other::---
default:user::rwx
default:user:vector:r--
default:group::---
default:mask::r--
default:other::---
[root@Server01~]# getfacl /var/log/httpd/myapp.co.uk/
# file: var/log/httpd/myapp.co.uk/
# owner: root
# group: root
user::rwx
user:vector:r--
group::r-x
mask::r-x
other::r-x
SELinux is also disabled for now.
[root@Server01 ~]# getenforce
Disabled
Any ideas?
Solution
The user doesn't have the right to ENTER the directory. This is the "x" flag in the permissions, so it should be
user:vector:r-x
for the /var/log/httpd/ dir
Depending on the protection level you want, it would be better to have a 711 (root:root) on the httpd dir, or possibly a 755 (root:root) based on the apache user, or, again, if the log should belong to the specific user under the Apache vhost, a 711 on the subfolder /var/log/httpd/myapp.co.uk/ with the correct user:group.
Basically, if the user should access the directory (cd into it), it must have the corresponding x. Without the x permission (owner, owner group or others), no access (cd) to the directory is granted. The "r" permission, from a directory perspective, is "view the directory's contents".
Answered By - Daniele Continenza Answer Checked By - Senaida (WPSolving Volunteer)
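The check described in the answer, as an added example that is not part of the original question or answer: a shell function that reads getfacl output and lists every directory a user cannot traverse, including the case where the named-user entry has x but the ACL mask removes it. The function names and the /srv/logs sample tree are hypothetical, and the check assumes the user is neither the directory owner nor matched by a group entry.

```shell
# Added example: list directories in `getfacl` output that USER cannot traverse.
# Assumes USER is not the owner and matches no group entry.
# On a real host: getfacl -p /var /var/log /var/log/httpd | blocked_dirs vector
blocked_dirs() {
    awk -v user="$1" '
        function check() {
            if (file == "") return
            if (named != "") {
                # A named-user entry is ANDed with the mask.
                if (!(index(named, "x") && index(mask, "x")))
                    print file " entry=" named " mask=" mask
            } else if (!index(other, "x")) {
                # No named entry: the other:: entry decides.
                print file " other=" other
            }
        }
        /^# file: / { check(); file = substr($0, 9); named = mask = other = ""; next }
        /^default:/ { next }   # defaults only seed new children, they grant nothing here
        {
            split($0, f, ":"); perm = substr(f[3], 1, 3)
            if (f[1] == "user" && f[2] == user) named = perm
            else if (f[1] == "mask") mask = perm
            else if (f[1] == "other") other = perm
        }
        END { check() }
    '
}

# Constructed, abbreviated sample input (hypothetical tree, not the host above).
sample_acls() {
    cat <<'EOF'
# file: /srv/logs
user::rwx
user:vector:r-x
mask::r-x
other::r-x
# file: /srv/logs/app
user:vector:r--
mask::r--
other::---
default:user:vector:r-x
# file: /srv/logs/app/site
user:vector:r-x
mask::r--
other::r-x
EOF
}

sample_acls | blocked_dirs vector
```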