DevHeads.net

Permissions on nginx logs

Hi folks.

Just wondering if I can change the ownership on the nginx logs folder so I can access them easier for analysis on a regular basis and cronjobs.

/var/log/nginx is owned by nginx:nginx which shuts me out.

Cheers, Bee

Comments

Re: Permissions on nginx logs

By Anthony at 05/07/2019 - 07:50

On 4/5/19 8:03 am, Bee.Lists wrote:
This is how I'd sort it out:

First, I'd create a default ACL (this will allow new files in the
directory to inherit the ACL):
# sudo setfacl -d -m u:<your_user_name>:rwx /var/log/nginx

Next, I'd apply the ACL to the directory:
# sudo setfacl -m u:<your_user_name>:rwx /var/log/nginx

Finally, I'd ensure that I can access existing files in that directory:
# sudo sh -c "find /var/log/nginx -maxdepth 1 -type f -exec setfacl -m u:<your_user_name>:r {} \;"

Caveat: I use EXT4 so not sure how this would play with other file systems.

Re: Permissions on nginx logs

By John Pierce at 05/03/2019 - 19:22

Add group nginx to your user... usermod -G nginx,... username
(where ... is any other groups you're a member of, not counting your
primary group)

Re: Permissions on nginx logs

By Bee.Lists at 05/03/2019 - 20:15

Just did that, and I still can’t do this:

$ cd /var/log/nginx

-bash: cd: /var/log/nginx: Permission denied

Cheers, Bee

Re: Permissions on nginx logs

By Johnny Hughes v... at 05/06/2019 - 00:06

What's the access mode of it? Should probably be mode 770 then.

Regards,
Simon

Re: Permissions on nginx logs

By Bee.Lists at 05/06/2019 - 12:14

I will give 770 a try. Nobody going to flip now that a single “7” has been posted?

Cheers, Bee

Re: Permissions on nginx logs

By Warren Young at 05/06/2019 - 20:57

On May 6, 2019, at 10:14 AM, Bee.Lists <bee. ... at gmail dot com> wrote:
Try 750 first. You don’t need write access to do what you’re asking.

Also, the group membership change won’t take effect until you log out and back in.

There is a clear analogue to herd immunity here:

https://en.wikipedia.org/wiki/Herd_immunity

When sysadmins of Internet-attached hosts do things to make those hosts less secure, that makes them easier to take over, which means the botnets and stolen databases get bigger, which puts the rest of us on the Internet at greater risk.

So yeah, I think the rest of us do have some say in how you manage your systems’ security. Not total, of course, but you should not dismiss good advice as “flipping.”

In this particular case, the risk is that there is some credential or other sensitive info logged by nginx which is now easier for an attacker to get at. Those logs are hidden away for that reason and more.

How big that risk is only you can say at this point. If you’ve got a purely static web site, for instance, there’s probably nothing important in that log, but if it’s acting as a reverse proxy for a back-end service, nginx might be logging passwords and such.
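The two routes discussed in this thread, the usermod/chmod route (with Warren's 750 versus 770 and the re-login caveat) and Anthony's setfacl route, are both decided by the same access check in the kernel. The following is an added example, not code from this thread or from nginx: a small Python model of that check, following the order given in acl(5), applied to the thread's scenario. The analyst's user name "bee" and a starting directory mode of 0750 on /var/log/nginx are assumptions; named-group ACL entries are left out for brevity.

```python
import os
import grp
import pwd
from dataclasses import dataclass, field
from typing import Optional

R, W, X = 4, 2, 1  # bits of one rwx triplet


@dataclass(frozen=True)
class Inode:
    """Owner/group and the access-ACL entries that matter for this thread."""
    owner: str
    group: str
    owner_bits: int
    group_bits: int                 # ACL_GROUP_OBJ: the owning group's own entry
    other_bits: int
    users: dict = field(default_factory=dict)  # ACL_USER entries: name -> bits
    mask: Optional[int] = None      # ACL_MASK: exists only once extended entries exist

    @classmethod
    def from_mode(cls, owner, group, mode):
        return cls(owner, group, (mode >> 6) & 7, (mode >> 3) & 7, mode & 7)

    def with_user_entry(self, user, bits):
        """Mirror `setfacl -m u:USER:BITS` with its default mask recalculation:
        the mask becomes the union of every group-class entry."""
        users = {**self.users, user: bits}
        mask = self.group_bits
        for b in users.values():
            mask |= b
        return Inode(self.owner, self.group, self.owner_bits, self.group_bits,
                     self.other_bits, users, mask)


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset   # groups attached at login; the kernel does not re-read /etc/group


def can(s, ino, want):
    """Access check for a non-root subject. Exactly one class decides, in this
    order; it never falls through to a more permissive class further down."""
    if s.user == ino.owner:
        bits = ino.owner_bits
    elif s.user in ino.users:
        bits = ino.users[s.user] & ino.mask
    elif ino.group in s.groups:
        bits = ino.group_bits if ino.mask is None else ino.group_bits & ino.mask
    else:
        bits = ino.other_bits
    return bits & want == want


def dir_access(s, d):
    return {
        "enter": can(s, d, X),        # cd, and opening files under it by path
        "list": can(s, d, R | X),     # ls
        "modify": can(s, d, W | X),   # create, delete, rename: tamper with logs
    }


LOG_DIR = Inode.from_mode("nginx", "nginx", 0o750)   # assumed starting state


def group_route(mode, session_groups, user="bee"):
    """usermod path: 'bee' (hypothetical) added to group nginx, directory
    chmod'ed to `mode`. Whether nginx is in `session_groups` depends on
    whether the user has logged in again since the usermod."""
    d = Inode.from_mode("nginx", "nginx", mode)
    return dir_access(Session(user, frozenset(session_groups)), d)


def acl_route(bits, user="bee"):
    """setfacl path: a named-user entry matches by uid, so it works in the
    current session and needs no group change; `bits` is what was granted."""
    return dir_access(Session(user, frozenset()), LOG_DIR.with_user_entry(user, bits))


def _gname(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def session_groups():
    """Groups this process really has, i.e. what the kernel will check."""
    return frozenset(_gname(g) for g in os.getgroups())


def groups_after_relogin(user):
    """What a fresh login, or a cron job (which starts its own session), gets:
    the primary group plus every /etc/group entry that lists the user."""
    primary = _gname(pwd.getpwnam(user).pw_gid)
    return frozenset([primary, *(g.gr_name for g in grp.getgrall() if user in g.gr_mem)])


if __name__ == "__main__":
    print("750, group added, no re-login:", group_route(0o750, []))
    print("750, after re-login:          ", group_route(0o750, ["nginx"]))
    print("770, after re-login:          ", group_route(0o770, ["nginx"]))
    print("ACL u:bee:rwx, no group change:", acl_route(R | W | X))
    print("ACL u:bee:r-x, no group change:", acl_route(R | X))
    me = pwd.getpwuid(os.getuid()).pw_name
    print("groups missing until re-login:", sorted(groups_after_relogin(me) - session_groups()))
```

Two things the model makes visible: the "Permission denied" on `cd` is the missing execute bit in whichever class the kernel picks, and a named-user ACL entry is selected by uid, so it does not wait for a new login the way a group change does. With `setfacl -m u:bee:rwx` the analyst can also delete or rename the logs; `r-x` on the directory plus `r` on the files is enough for reading and keeps the audit trail tamper-resistant from that account.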

Re: Permissions on nginx logs

By Johnny Hughes v... at 05/06/2019 - 22:40

Thanks for correcting me; both things are true. If he only wants to read logs
there, 750 is sufficient of course.

Regards,
Simon

Re: Permissions on nginx logs

By Bee.Lists at 05/07/2019 - 09:14

Yeah, I was still having some issues, so I set a cron to rsync the directory out to another directory, which I then rsync to another machine, where I do the analysis.

As per the “7” comment, I always listen to good advice, but usually that advice gets completely derailed with someone saying “nobody should ever be root…”, etc. Best stated, “some people never let their kids play outside”. I have a neighbour like that.

So all is working, but under testing.

Cheers, Bee
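Warren's point above is that an nginx access log in front of a back-end service can carry credentials, and the workflow just described copies that directory to another machine. The following is an added example, not code from this thread or from nginx: a Python script that scans combined-format lines for credential-looking query parameters in the request line and in the referer, and rewrites the lines with those values redacted so that the copy that leaves the box carries less. The sample lines are constructed for this example, and the list of sensitive parameter names is a starting point, not an exhaustive one.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# nginx "combined" log_format: $remote_addr - $remote_user [$time_local]
# "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
COMBINED = re.compile(
    r'^(?P<remote>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Parameter names that usually carry a secret. Extend for your application.
SENSITIVE_KEY = re.compile(
    r"^(pass(word|wd)?|pwd|secret|token|access_token|refresh_token|id_token|"
    r"api[_-]?key|session(id)?|sid|auth(orization)?|sig(nature)?|key|otp|code)$",
    re.IGNORECASE,
)

# Constructed sample lines (documentation-range addresses, made-up secrets).
SAMPLE_LINES = [
    '203.0.113.7 - - [06/May/2019:10:14:31 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/May/2019:10:14:32 +0000] "GET /static/app.css HTTP/1.1" 200 5123 "https://example.com/" "Mozilla/5.0"',
    '198.51.100.9 - - [06/May/2019:10:15:01 +0000] "POST /api/v1/items?access_token=eyJhbGciOi HTTP/1.1" 201 42 "-" "curl/7.64.0"',
    '198.51.100.9 - - [06/May/2019:10:15:02 +0000] "GET /reset?token=abc123&email=bob%40example.com HTTP/1.1" 200 812 "https://mail.example.com/?session=deadbeef" "Mozilla/5.0"',
]


def sensitive_params(url):
    """(key, value) pairs in the URL's query string whose key looks like a credential."""
    return [(k, v) for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            if SENSITIVE_KEY.match(k)]


def redact_url(url):
    """Return the URL with sensitive query values replaced; untouched if there are none."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(SENSITIVE_KEY.match(k) for k, _ in pairs):
        return url
    cleaned = [(k, "REDACTED" if SENSITIVE_KEY.match(k) else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def _request_target(request_line):
    """'GET /path?q HTTP/1.1' -> '/path?q'; empty string for malformed lines."""
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def find_credential_leaks(lines):
    """Report where credentials appear, without echoing the secret itself."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; a production tool would count these
        for fld, url in (("request", _request_target(m.group("request"))),
                         ("referer", m.group("referer"))):
            for k, v in sensitive_params(url):
                findings.append({"line": n, "field": fld, "key": k, "value_len": len(v)})
    return findings


def redact_line(line):
    """Rewrite one log line with credential values removed from request and referer."""
    m = COMBINED.match(line)
    if not m:
        return line
    parts = m.group("request").split(" ")
    if len(parts) < 2:
        return line
    new_request = " ".join([parts[0], redact_url(parts[1]), *parts[2:]])
    f0, f1 = m.span("referer")   # patch the later span first so earlier offsets stay valid
    line = line[:f0] + redact_url(m.group("referer")) + line[f1:]
    r0, r1 = m.span("request")
    return line[:r0] + new_request + line[r1:]


if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_LINES):
        print(f)
    for line in SAMPLE_LINES:
        print(redact_line(line))
```

Run it over the real file (`find_credential_leaks(open("/var/log/nginx/access.log"))`) to see whether the warning applies to your site before deciding who may read the directory, and pipe the copy that gets rsync'ed off the box through `redact_line`. This only catches secrets carried in URLs; POST bodies are not in the access log. At the source, the default combined format logs `$request`, which includes the query string; a `log_format` built on `$uri` (the normalized path without arguments) never records it, at the cost of losing the query for analysis.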

Re: Permissions on nginx logs

By Warren Young at 05/07/2019 - 11:32

On May 7, 2019, at 7:14 AM, Bee.Lists <bee. ... at gmail dot com> wrote:
Your CentOS box is nowhere near as well-defended as an unattended human child. The child has millions of years of evolution providing it with an active self-improving immune system, a mammal’s agility, and an apex predator’s cunning.

If you want a human analogue to a CentOS box, it’s closer to a premature baby in a neonatal intensive care unit. It requires constant inputs from the caregivers and strict adherence to basic guidance like “Don’t open all the doors leading outside at once” to keep these cared-for creations alive.