From: Jamie C. <jca...@we...> - 2005-04-22 22:48:55
On 23/Apr/2005 05:04 Stephen Le wrote ..
> On 4/22/05, john m <jo...@ra...> wrote:
> > I have the logs set so that not only the directory they reside in, but
> > the logs themselves are owned by root.
> > With permissions of 644, then they can read em but not delete.
> > I then have logrotation set to email them the logs at the end of the
> > week and to just keep the last 5 logs in their directory.
> >
> > That way they can't delete them and so can't crash apache
>
> As long as a user owns the parent directory, a file or directory can
> still be deleted. Try using 'rm -rf'
>
> One solution to this problem is to have the logs go into a root-owned
> directory outside of the user's filesystem -- /var/log/apache/virtual
> or something similar. Each Virtual Server would get its own log
> directory under that path. To provide access to the logs, a symbolic
> link to the appropriate directory could then be made in a user's home
> directory. If a user decided to delete their log directory, only the
> symbolic link would be deleted -- the directory that Apache logs to
> would still remain and there would be no problems.
>
> Furthermore, this has an added security benefit: such a setup would
> prevent users from deleting their logs to hide signs of suspicious
> activity.
>
> Jamie, do you think you could make this an option with Virtualmin?

You can set this up already in the latest Virtualmin - on the Server Templates page, in the section for Apache directives, you can edit the path in the CustomLog line and change it to something like /var/log/httpd/${DOM}.log .

 - Jamie
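
Added example, not part of the original thread and not Virtualmin code: a small audit that reads CustomLog directives and reports any log whose parent directory is not owned by a trusted account, which is the condition the thread identifies as allowing deletion regardless of the file's own owner and mode. The function names, the `trusted_uid` parameter, the `/etc/httpd` ServerRoot default and the sample config are assumptions made for illustration.

```python
import os
import re
import stat

# "CustomLog <file> <format>"; piped logs ("|program") are not files and are skipped.
CUSTOMLOG_RE = re.compile(r'^\s*CustomLog\s+"?([^"|\s][^"\s]*)"?', re.I | re.M)

def custom_log_paths(conf_text, server_root="/etc/httpd"):
    """Paths named by CustomLog (relative ones resolve against the assumed ServerRoot)."""
    return [os.path.join(server_root, p) for p in CUSTOMLOG_RE.findall(conf_text)]

def parent_dir_finding(log_path, trusted_uid=0):
    """Return why the log's parent directory lets a non-trusted user unlink
    the log, or None. File owner and mode are deliberately ignored:
    deletion is decided by the directory, as the thread points out."""
    parent = os.path.dirname(log_path)
    try:
        st = os.stat(parent)  # follows symlinks, like Apache opening the log
    except FileNotFoundError:
        return "directory %s does not exist" % parent
    if st.st_uid != trusted_uid:
        return "directory %s is owned by uid %d" % (parent, st.st_uid)
    loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    if loose and not st.st_mode & stat.S_ISVTX:  # sticky bit restricts deletion
        return "directory %s is group/other writable" % parent
    return None

def audit(conf_text, trusted_uid=0, server_root="/etc/httpd"):
    """Map each CustomLog path to its finding, keeping only the unsafe ones."""
    results = {}
    for path in custom_log_paths(conf_text, server_root):
        finding = parent_dir_finding(path, trusted_uid)
        if finding:
            results[path] = finding
    return results

if __name__ == "__main__":
    # Constructed sample config; the paths are illustrative only.
    SAMPLE = '''
    CustomLog /home/alice/logs/access_log combined
    CustomLog "/var/log/httpd/${DOM}.log" combined
    CustomLog "|/usr/sbin/rotatelogs /var/log/httpd/x 86400" common
    '''
    for path, why in audit(SAMPLE).items():
        print(path, "->", why)
```

Because only the directory part of the path is inspected, a template path containing `${DOM}` can be audited before substitution.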