By default the Nginx source does not define SCRIPT_FILENAME in the fastcgi_params file, so unless the repo you installed Nginx from does that, you need to do it yourself.
Check if the following line is in your fastcgi_params file:
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
and if not then add it.
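The check-and-add step above, as an added example that is not part of the original answer: a small idempotent shell routine that looks for a live (uncommented) SCRIPT_FILENAME directive in a fastcgi_params file and appends the standard one only if it is absent. The sample params file is constructed here; on a real host you would point it at your own fastcgi_params (for instance /etc/nginx/fastcgi_params, an assumed path).

```shell
#!/bin/sh
# Added example, not part of the original answer: an idempotent check that a
# fastcgi_params file carries an (uncommented) SCRIPT_FILENAME directive, adding
# the standard one when it is missing. The sample file below is constructed;
# on a real host the path would be something like /etc/nginx/fastcgi_params.

# ensure_script_filename FILE
# Prints "present" if FILE already sets SCRIPT_FILENAME, or "added" after
# appending the standard directive. Commented-out copies do not count.
ensure_script_filename() {
    file=$1
    if grep -Eq '^[[:space:]]*fastcgi_param[[:space:]]+SCRIPT_FILENAME[[:space:]]' "$file"; then
        echo present
        return 0
    fi
    printf 'fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;\n' >> "$file"
    echo added
}

# count_script_filename FILE: number of live SCRIPT_FILENAME directives in FILE.
count_script_filename() {
    grep -Ec '^[[:space:]]*fastcgi_param[[:space:]]+SCRIPT_FILENAME[[:space:]]' "$1"
}

# Constructed sample: a fastcgi_params file without SCRIPT_FILENAME, plus a
# commented-out copy that must be ignored by the check.
make_sample_params() {
    cat > "$1" <<'EOF'
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
#fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
EOF
}

# Stand-alone demo: the first run appends the directive, the second finds it.
demo_params=$(mktemp)
make_sample_params "$demo_params"
echo "first run:  $(ensure_script_filename "$demo_params")"   # added
echo "second run: $(ensure_script_filename "$demo_params")"   # present
rm -f "$demo_params"
```

Running it twice against the same file adds the line exactly once, so it is safe to drop into a provisioning script; after editing the real file, reload Nginx as you normally would.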
If you provide read permission for the user to the logs directory, this does not ensure that the user has read permission (or any other permission) to the files inside it. You need to provide read permission for this user to each log file separately.
Most probably this is the reason you need to add the reader to the specified groups: those groups have group permission on the log files in question. You can verify that by running
ls -l
in the logs folder and checking which group each file belongs to.
In your scenario, the most correct way to achieve what you ask is by setting ACLs, which is the strongest Unix tool for the job.
Have a look at "ACL: Using Access Control Lists on Linux"; it is a big blog post, but it describes all the steps perfectly and simply enough to get a feel for it.
If you need a more quick-n-dirty solution (which I DO NOT recommend, unless you are not in a production environment), you can just take your user out of every group and then set the 'Others' permission set to r-- (or xx4 in your chmod octal representation).
EDIT: I ignored the fact that you're trying to do this on a chrooted environment. In this case, symlinks will not work with ftp (or sftp for that matter) due to the nature of symlinks themselves. A nice explanation lies here, although it seems that I tend to link only big articles.
Nevertheless, you can somewhat achieve the same behavior using mount --bind, which will make the log directory available inside the home dir of the logger user:
mount --bind /var/log /home/logger/logs/
This will provide you with a logs directory containing everything found inside /var/log. From that point, you can allow the logger group read access only to the specific logs you want and nothing else, so that the user won't be able to read e.g. /var/log/auth.log etc. Don't forget to add access to the respective parent folders, because otherwise your user will only be able to access the logs by typing in the full path, which can sometimes be frustrating.
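The point at the top of this answer (read permission on the directory says nothing about the files inside it, and the group that owns each file is what matters) as an added example, not part of the original answer. The checker below reads only the classic mode bits with GNU stat, so it is an assumption that the host is Linux with GNU coreutils; POSIX ACLs are deliberately out of scope, so a "no" is only authoritative on files that carry no ACL (check with getfacl). The directory tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original answer. Demonstrates that read (and
# execute) permission on a directory says nothing about the files in it.
# group_can_read reports whether GROUP can read FILE from the mode bits alone
# (group owner plus group bits, or the "others" bits); POSIX ACLs are out of scope,
# so "no" is authoritative only on files without an ACL (see getfacl).
# Assumes GNU coreutils stat (Linux). The directory tree below is constructed.

# group_can_read FILE GROUP -> prints yes or no
group_can_read() {
    file=$1
    group=$2
    perms=$(stat -c '%A' "$file") || return 2      # e.g. -rw-r-----
    fgroup=$(stat -c '%G' "$file")                  # owning group of the file
    group_r=$(printf '%s' "$perms" | cut -c5)       # group read bit
    other_r=$(printf '%s' "$perms" | cut -c8)       # others read bit
    if [ "$fgroup" = "$group" ] && [ "$group_r" = r ]; then
        echo yes
    elif [ "$other_r" = r ]; then
        echo yes
    else
        echo no
    fi
}

# report_dir DIR GROUP: one line per regular file, "yes|no<TAB>path", as a reader
# whose only group is GROUP would see it. Pairs with `ls -l` in the logs folder.
report_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(group_can_read "$f" "$2")" "$f"
    done
}

# Constructed tree: the directory itself is world-readable and searchable, yet one
# "log" stays private to the owner while the other is readable by the owning group.
make_sample_logs() {
    mkdir -p "$1"
    chmod 755 "$1"
    printf 'private\n' > "$1/auth.log"; chmod 600 "$1/auth.log"
    printf 'shared\n'  > "$1/app.log";  chmod 640 "$1/app.log"
}

# Stand-alone demo, using the current user's primary group as the reader's group:
# auth.log comes back "no" even though the directory is 755, app.log "yes".
demo=$(mktemp -d)
make_sample_logs "$demo/logs"
report_dir "$demo/logs" "$(id -gn)"
rm -rf "$demo"
```

Run report_dir against a bind-mounted logs directory with the reader's group to see exactly which files that user could open; anything reported "yes" that should be private needs its group or others bits (or its ACL) tightened.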
Best Answer
If SELinux is in Enforcing mode, it won't let you do that... Try changing this boolean to true:
Please note, I don't recommend disabling SELinux!
There are many tools out there which can help you use SELinux to secure your system.
Please see the CentOS documentation here: http://wiki.centos.org/HowTos/SELinux
Also, check out my favorite video on the topic: SELinux For Mere Mortals