I need to enable some access to the httpd logs over ftp so they can be analyzed by another application to get a report. I used to do this on Windows NT before replacing the server with CentOS.

Thanks to help from another thread I have an ftp server enabled on the web server. I thought the easiest thing to do would be to create an id for the application to connect with, then provide a symlink to the logs in that generic user's home directory.

The problem is the logs are owned by root. How can I make them readable by this generic id without completely compromising security? Plus, as the logs rotate this id will still need access.

Any suggestions?

Thanks,
James

On Thu, Dec 01, 2005 at 01:07:20PM -0500, James Pifer enlightened us:
> I need to enable some access to the httpd logs over ftp so they can be
> analyzed by another application to get a report. I used to do this on
> Windows NT before replacing the server with CentOS.
>
> Thanks to help from another thread I have an ftp server enabled on the
> web server. I thought the easiest thing to do would be to create an id
> for the application to connect with, then provide a symlink to the logs
> in that generic user's home directory.
>
> The problem is the logs are owned by root. How can I make them readable
> by this generic id without completely compromising security? Plus, as
> the logs rotate this id will still need access.
>
> Any suggestions?
>

Have a cron job running as root that copies the necessary files someplace that your special id can get to, and chown them to the special id. Serve this location via ftp.

--
Matt Hyclak
Department of Mathematics
Department of Social Work
Ohio University
(740) 593-1263
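
A sketch of the root cron job suggested in the reply above, added here as an example and not part of the original thread. The script path, the account name `logreader`, the export directory and the crontab schedule are all assumptions.

```shell
#!/bin/sh
# Added example. Hypothetical install path and root crontab entry:
#   15 * * * * /usr/local/sbin/export-httpd-logs /var/log/httpd /srv/ftp-logs logreader
#
# export_logs SRC DEST OWNER
#   Copies the Apache logs in SRC into DEST and hands the copies to OWNER.
#   DEST must already exist, be the directory the FTP daemon serves, and be
#   traversable by OWNER. Keep DEST itself root-owned so OWNER cannot plant
#   files or symlinks that the root job would later write through.
# The body runs in a subshell, so umask and exit stay local to the call.
export_logs() (
    src=$1 dest=$2 owner=$3
    umask 077
    [ -d "$dest" ] || exit 1
    for f in "$src"/*log*; do
        # Skip an unmatched glob and anything that is not a plain file
        # (symlinks included), so only real log files leave the log directory.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        name=${f##*/}
        tmp=$dest/.$name.$$
        # Copy under a temporary name, then rename, so a download never
        # catches a half-written file.
        cp "$f" "$tmp" || { rm -f "$tmp"; exit 1; }
        chmod 0440 "$tmp" || { rm -f "$tmp"; exit 1; }
        # Only root can give the copy away; the originals stay root-owned.
        if [ "$(id -u)" -eq 0 ]; then
            chown "$owner" "$tmp" || { rm -f "$tmp"; exit 1; }
        fi
        mv -f "$tmp" "$dest/$name" || exit 1
    done
)

# Run only when called with the three arguments shown in the crontab line.
if [ "$#" -eq 3 ]; then
    export_logs "$1" "$2" "$3"
fi
```

Because the job copies every file matching `*log*` on each run, rotated logs are picked up without any extra configuration.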

James Pifer wrote on Thu, 01 Dec 2005 13:07:20 -0500:

> The problem is the logs are owned by root. How can I make them readable
> by this generic id without completely compromising security?

You can either change owner or make it readable to more than just root. I don't see this as a security problem.

> Plus, as the logs rotate this id will still need access.

This can be accommodated with logrotate configuration if that is also rotating your user's file which I don't know. Look in /etc/logrotate.d for the apache file. You can change owner, chmod etc. in that file.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
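
One way to carry out the approach in the reply above through a dedicated group, so the files stay root-owned but survive rotation with the same permissions. This is an added example, not from the original thread: the group name, the output path for the logrotate stanza and the `postrotate` command are assumptions, and the generated stanza should be compared with the one your distribution ships before replacing it.

```shell
#!/bin/sh
# Added example. Intended use as root (group "logreaders" is hypothetical):
#   grant_group_read /var/log/httpd logreaders /etc/logrotate.d/httpd
#
# grant_group_read LOGDIR GROUP CONF
#   1. lets GROUP traverse and list LOGDIR (others still get nothing),
#   2. makes the current and already rotated logs group-readable,
#   3. writes a logrotate stanza to CONF whose "create" line gives every
#      newly rotated log the same owner, group and mode.
# The body runs in a subshell so "exit" only ends this call.
grant_group_read() (
    logdir=$1 group=$2 conf=$3
    # Without group execute permission on the directory, read permission on
    # the files inside it is useless to the reporting account.
    chgrp "$group" "$logdir" && chmod 0750 "$logdir" || exit 1
    for f in "$logdir"/*log*; do
        # Skip an unmatched glob and anything that is not a plain file.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        chgrp "$group" "$f" && chmod 0640 "$f" || exit 1
    done
    # "create MODE OWNER GROUP" is the logrotate directive that sets the
    # permissions of the fresh log file after each rotation.
    cat > "$conf" <<EOF || exit 1
$logdir/*log {
    missingok
    notifempty
    sharedscripts
    create 0640 root $group
    postrotate
        /sbin/service httpd reload > /dev/null 2>/dev/null || true
    endscript
}
EOF
)
```

The reporting account then only needs membership in that group; it never owns or can modify the logs.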

James Pifer <jep at obrien-pifer.com> wrote:
> I need to enable some access to the httpd logs over ftp so
> they can be analyzed by another application to get a report.
> I used to do this on Windows NT before replacing the server
> with CentOS.
> Thanks to help from another thread I have an ftp server
> enabled on the web server. I thought the easiest thing to
> do would be to create an id for the application to connect
> with, then provide a symlink to the logs in that generic
> user's home directory.
> The problem is the logs are owned by root. How can I make
> them readable by this generic id without completely
> compromising security? Plus, as the logs rotate this id will
> still need access.
> Any suggestions?

I know you just set up FTP, but consider using SSH instead.

First off, access to the logs is solved by always running the process as root at the end system. There is no reduced security by doing this.

Secondly, set up 1 regular user on 1 system where you want the logs to be localized for processing. Then have the root user of each system SCP the log file to that 1 system as the 1 regular user. You'll want to use public key authentication (or a Kerberos realm if you want to avoid generating and/or copying keys for each system).

If you're into a more formal setup, CVS or other version control or data collection repository check-ins of the log files might be ideal. For CVS (and several others), you can use the SSH login.

--
Bryan J. Smith                | Sent from Yahoo Mail
mailto:b.j.smith at ieee.org | (please excuse any
http://thebs413.blogspot.com/ | missing headers)