Centos – Why can’t apache create log files

Tags: apache-2.2, centos, file-permissions

I have a simple LAMP stack on CentOS setup. Apache is setup with vhosts and each developer has their web files inside their user folder. The directory structure is like so (for the user test):

/home/test
|_ apache
   |_ domain1.com
      |_ backups
      |_ conf
         |_ vhost.conf
      |_ logs
         |_ errors.log
         |_ images.log
         |_ web.log
      |_ private
      |_ public

The vhost config is in the vhost.conf file. The log files in logs don't exist when the config is first set up, and this throws an error with apache when I run service httpd restart:

(13)Permission denied: httpd: could not open error log file /home/test/apache/domain1.com/logs/error.log.
Unable to open logs

I tried running httpd -X as root and it created the log files (with root ownership/group). I thought it would be a case of making sure that the files are there, with group set as apache and writeable (so I don't have to make the whole directory belong to apache group and writeable), but this confuses me:

[root@dev logs]# ls -al
total 16
drwxr-xr-x. 2 test developers 4096 Apr 18 21:02 .
drwxr-xr-x. 8 test developers 4096 Apr 18 20:25 ..
-rw-r--r--. 1 test developers 1818 Apr 18 21:02 error.log
-rw-r--r--. 1 test developers   14 Apr 18 20:25 .gitignore
-rw-r--r--. 1 test developers    0 Apr 18 20:54 image.log
[root@dev logs]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [FAILED]
[root@dev logs]# touch web.log
[root@dev logs]# chown test:developers web.log
[root@dev logs]# service httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd:                                            [  OK  ]

I'm confused because apache runs as user apache and shouldn't have write access on the logs, should it? In fact, I can even do this:

[root@dev logs]# rm -f ./*.log
[root@dev logs]# touch {error.log,image.log,web.log}
[root@dev logs]# ls -al
total 12
drwxr-xr-x. 2 test developers 4096 Apr 18 21:10 .
drwxr-xr-x. 8 test developers 4096 Apr 18 20:25 ..
-rw-r--r--. 1 root root          0 Apr 18 21:10 error.log
-rw-r--r--. 1 test developers   14 Apr 18 20:25 .gitignore
-rw-r--r--. 1 root root          0 Apr 18 21:10 image.log
-rw-r--r--. 1 root root          0 Apr 18 21:10 web.log
[root@dev logs]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

I now have log files owned by root and it still starts up – and it writes to them too – if I tail web.log and browse to that page the logs start showing up.

I'm obviously not quite grasping something here, so what am I missing? I would prefer not to have to create the log files manually and allow apache to do that itself, but regardless, I'd just like to understand why this is happening – especially when I get round to allowing PHP to mess with files.

Update

As requested, here is what I see in audit.log when I try to start apache when the logfiles don't exist:

type=AVC msg=audit(1397906748.752:49390): avc:  denied  { write } for  pid=19433 comm="httpd" name="logs" dev=md2 ino=7210204 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1397906748.752:49390): arch=c000003e syscall=2 success=no exit=-13 a0=7f9bb740e598 a1=80441 a2=1b6 a3=752e6f632e74756f items=0 ppid=19432 pid=19433 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=128 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

When running with the logs existing, nothing else is added to the log. The Permission denied: httpd: could not ... error was from the general log.

Best Answer

You are creating single files using touch and then you change the file owner via chown. For Apache to create its logfiles itself, write permissions on the containing directory are needed. Use chown -R (capital R = recursive) on the designated log directory.
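
The audit.log record in the Update is the check worth reading closely. The SYSCALL line shows the failed open() (syscall=2, exit=-13) came from uid=0: httpd's parent process opens its log files as root before switching to the apache user and hands the open descriptors to the workers, which is also why root-owned 0644 files work once they exist. The AVC line shows what actually blocked creation: SELinux denied the httpd_t domain a write on a directory labelled user_home_t, so no chown or chmod on the directory changes the outcome while enforcing is on. As an added example that is not part of the original question or answer, the POSIX shell script below parses AVC lines of that shape and prints, without running them, the relabelling commands that give the log directory the httpd_log_t type. The embedded sample line is the one from the Update, included as constructed test input so the script runs offline; the suggested semanage/restorecon commands assume the stock CentOS targeted policy.

```shell
#!/bin/sh
# Constructed sample input: the AVC record quoted in the question's Update.
# On a real host, feed lines from:  ausearch -m avc -ts recent -c httpd
SAMPLE_AVC='type=AVC msg=audit(1397906748.752:49390): avc:  denied  { write } for  pid=19433 comm="httpd" name="logs" dev=md2 ino=7210204 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'

# avc_field LINE KEY -> value of KEY=... in an AVC record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perm LINE -> the permission(s) listed between the { } braces.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\) *}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# selinux_type CONTEXT -> the type field of user:role:type:level.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "SOURCE_TYPE PERM TARGET_TYPE CLASS NAME", one line.
avc_summary() {
    line=$1
    printf '%s %s %s %s %s\n' \
        "$(selinux_type "$(avc_field "$line" scontext)")" \
        "$(avc_perm "$line")" \
        "$(selinux_type "$(avc_field "$line" tcontext)")" \
        "$(avc_field "$line" tclass)" \
        "$(avc_field "$line" name)"
}

# is_dir_write_denied LINE -> exit 0 when the record is httpd_t being refused
# write on a directory, i.e. the "cannot create the log file" case.
is_dir_write_denied() {
    [ "$(selinux_type "$(avc_field "$1" scontext)")" = httpd_t ] &&
    [ "$(avc_field "$1" tclass)" = dir ] &&
    case " $(avc_perm "$1") " in
        *" write "*) true ;;
        *) false ;;
    esac
}

# suggest_logdir_fix DIR -> prints (does not execute) the commands that label
# DIR and everything under it httpd_log_t. Assumes the targeted policy, where
# httpd_t may create and append to httpd_log_t files.
suggest_logdir_fix() {
    dir=${1%/}
    printf '%s\n' \
        "semanage fcontext -a -t httpd_log_t \"$dir(/.*)?\"" \
        "restorecon -Rv \"$dir\""
}

# Stand-alone run: summarise the sample and print the fix for its directory.
if [ "${1:-}" = "--demo" ]; then
    avc_summary "$SAMPLE_AVC"
    is_dir_write_denied "$SAMPLE_AVC" && suggest_logdir_fix /home/test/apache/domain1.com/logs
fi
```

Source the file and pipe real records through avc_summary to see which type, permission and class are involved before reaching for audit2allow, which would otherwise happily generate a custom module for what is really a labelling mistake. A quick confirmation on a test box is `setenforce 0`, restart httpd, then `setenforce 1`: if the restart only succeeds in permissive mode, the Unix ownership of the directory is not the problem and the relabel is the fix.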
