TIP: Resolving AWstats permission denied error by www-data cron job
If you have installed AWstats, a web statistics program, on your machine, you will have noticed that the cron job it sets up by default does not work, meaning that the statistics on your AWstats web page do not get updated. If you search the Internet, you will find that a lot of Ubuntu and Debian folks are facing the same problem. There are also a lot of other (but dangerous) suggestions for making it work, but I have found the following solution to be the safest (though not completely safe) of all.
Let’s first take a look at the cron job that gets installed by default when you install AWstats in Debian Lenny:
debian:~# cat /etc/cron.d/awstats
0,10,20,30,40,50 * * * * www-data [ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache2/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=mydomain.org -update>/dev/null
Now if you read the Debian specific README file at:
/usr/share/doc/awstats/README.Debian
it tells you to give proper “read” permission to the access.log file in /var/log/apache2/. But even after giving read permission to that file, the “www-data” user is not able to access the Apache log files. You can verify this by running the following command:
debian:~# sudo -u www-data /usr/bin/perl /usr/lib/cgi-bin/awstats.pl -update -config=mydomain.org
Output:
Create/Update database for config "/etc/awstats/awstats.mydomain.org.conf" by AWStats version 6.7 (build 1.892)
From data in log file "/var/log/apache2/access.log"...
Error: Couldn't open server log file "/var/log/apache2/access.log" : Permission denied
Setup ('/etc/awstats/awstats.mydomain.org.conf' file web server or permissions) may be wrong.
Check config file permissions and AWStats documentation (in 'docs' directory).
debian:~#
That’s right, even after giving read permission to the access.log file, www-data still cannot read it.
After a lot of researching I finally tried the following command:
# chmod 755 -R /var/log/apache2/*
The above command makes the files “readable” and “executable” for the group “adm” and for all “other” users on the system.
Now the cron job, /etc/cron.d/awstats, will execute just fine and you should be able to see your server’s statistics at:
http://mydomain.org/awstats/awstats.pl
Also, if any of you finds a better solution than the one above, please post it in the comment section below.
Happy CRON’ing!
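Why the read bit on access.log alone was not enough, as an added example that is not part of the original post: opening a file also requires search (x) permission on every directory above it. The script walks a path and reports the first component whose owner/group/other bits deny a given uid and group list; `bit_ok`, `first_blocker` and `demo` are names made up for this example, and the demo tree is constructed in a temporary directory.

```sh
#!/bin/sh
# Added example, not from the original post. Evaluates only the classic
# owner/group/other mode bits; root, ACLs and AppArmor/SELinux are ignored.
# Needs GNU stat (Debian/Ubuntu); run as root so every component can be stat'ed.

# bit_ok PATH BIT UID "GIDS": does PATH grant BIT (4=read, 1=search) to that identity?
bit_ok() (
  path=$1 bit=$2 uid=$3 gids=" $4 "
  set -- $(stat -c '%a %u %g' "$path")   # now $1=mode, $2=owner uid, $3=owner gid
  if [ "$uid" = "$2" ]; then
    digit=$(( $1 / 100 % 10 ))                   # owner class applies
  else
    case $gids in
      *" $3 "*) digit=$(( $1 / 10 % 10 )) ;;     # group class applies
      *)        digit=$(( $1 % 10 )) ;;          # falls through to "other"
    esac
  fi
  [ $(( $digit & $bit )) -ne 0 ]
)

# first_blocker FILE UID "GIDS" [TOP]: print the first component between TOP
# (default /) and FILE that denies access, or OK. Directories need search (x),
# the file itself needs read (r).
first_blocker() (
  path=$1 uid=$2 gids=$3 top=${4:-/} need=${5:-4}
  if [ "$path" != "$top" ] && [ "$path" != "/" ]; then
    up=$(first_blocker "$(dirname "$path")" "$uid" "$gids" "$top" 1)
    [ "$up" = "OK" ] || { echo "$up"; exit 0; }
  fi
  if bit_ok "$path" "$need" "$uid" "$gids"; then echo OK; else echo "$path"; fi
)

# Constructed tree standing in for /var/log/apache2; no real logs are touched.
demo() (
  t=$(mktemp -d) && mkdir "$t/apache2" && : > "$t/apache2/access.log" || exit 1
  uid=$(( $(stat -c %u "$t") + 1 )); gid=$(( $(stat -c %g "$t") + 1 ))  # stand-in for www-data
  chmod 754 "$t/apache2"; chmod 644 "$t/apache2/access.log"
  first_blocker "$t/apache2/access.log" "$uid" "$gid" "$t/apache2"   # prints the directory
  chmod 755 "$t/apache2"
  first_blocker "$t/apache2/access.log" "$uid" "$gid" "$t/apache2"   # prints OK
  rm -rf "$t"
)
demo
```

On a real host, run as root: `first_blocker /var/log/apache2/access.log "$(id -u www-data)" "$(id -G www-data)"`.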


October 29th, 2009 at 1:26 am
[...] Now after every 10 minutes the cron job will run automatically and you can see your statistics as shown above. If you are having trouble getting the cron job to run, please this post. [...]
November 17th, 2009 at 3:52 pm
aaaah,
man, you got it!!!
thanks very much for the thread!
actually, i found it at
http://www.mail-archive.com/debian-user@lists.debian.org/msg558469.html
it’s really not my first awstats install,
but my first in lenny!
i got also one server running on etch, and
everything’s just fine on it.
as i finally found your thread, read it and
compared my apache2 log folder on lenny and
etch, i found that this folder has the right
permissions in the etch install: 755.
on lenny it’s 754, don’t to hell know why!
i thought i’ll do the install in half an
hour, and now i’m sitting all evening on it,
trying everything, almost despairing.
EXACTLY the same problem!
i wonder if we are the only ones with that,
i googled nothing similar out this evening.
thanks again!
cheers
Juri
Admin Reply:
November 17th, 2009 at 7:21 pm
Yes this one was a real pain to figure out! I am glad that this post was helpful to you.
November 18th, 2009 at 1:48 am
maybe you could replace
“# chmod 755 -R /var/log/apache2/*”
with
“# chmod 755 /var/log/apache2/”
for security.
it’s just the log directory that needs
“rx” mode,
the log files are fine with “644” for
the www-data user, specified in the
logrotate job.
December 17th, 2009 at 9:57 pm
Running “chmod 755 /var/log/apache2/” worked for me on Karmic Koala. It did not with the *.
January 8th, 2010 at 9:38 am
Bubba is right. It only worked once you give the /var/log/apache2 directory itself 755, not just the files within it.
December 23rd, 2011 at 3:59 am
[...] To avoid permission problems when reading the log file, we have to do what they say here [...]
January 26th, 2012 at 2:07 am
or you can try to fix the permission for:
/var/cache/awstats
February 20th, 2012 at 5:30 am
Don’t forget to update your logrotate configuration file to set permissions to 644 instead of the default 640 or you will be chasing the same issue every day. Of course you can set it to 755 as noted above if you prefer, but I don’t think it is necessary.
March 26th, 2012 at 5:32 am
# chmod 755 -R /var/log/apache2/*
- this command makes the Apache logs world-readable by any user, so this is very bad for security reasons. Maybe it is better to change the owner of /var/log/apache2/apache.log to www-data?
March 26th, 2012 at 11:18 am
@Anthony, @Murz
are you reading the whole thread? if so, you should have noticed my second post that tells:
—- zip
Juri
November 18th, 2009 at 1:48 am
maybe you could replace
“# chmod 755 -R /var/log/apache2/*”
with
“# chmod 755 /var/log/apache2/”
for security.
it’s just the log directory that needs
“rx” mode,
the log files are fine with “644” for
the www-data user, specified in the
logrotate job.
—-zap
April 5th, 2012 at 12:39 pm
@Juri
755 or 644 permissions are the same for file read permission by other users. So if we set them, any user of the server will be able to read the main Apache logs, which is not so good for security. So it is better to change the owner of the log file to the apache user, instead of giving world-readable permissions for them.
July 5th, 2012 at 7:35 pm
I was having this problem today as well using Virtualmin. I imported the domains from another server, so that could be why it wasn’t configured correctly.
I would NOT recommend setting the log file permissions to 644 or 755. You don’t need “other” to have any permissions at all (especially on a shared host) and you don’t need to execute this file. So the user (first digit) should be a 6, other (last digit) should be a 0, and group permission (middle digit) depends on your set up so that the log files are written to correctly, but should probably be 0 or 6.
July 5th, 2012 at 7:39 pm
Forgot to mention this, my actual solution was that Virtualmin changed the log file in the /etc/awstats/awstats.domain.conf file to /var/log/apache2/access.log when it should have been /var/log/virtualmin/domain.com_access_log, so I just needed to re-edit this file and it worked.
December 5th, 2012 at 5:33 am
Giving 644, 755 for logs is a big security risk as mentioned before…
The best solution for this issue is to set www-data to belong to the group adm:
usermod -a -G adm www-data
so Apache belongs to adm and can read its own log files.
April 4th, 2013 at 9:36 am
a solution maybe:
chmod 755 /var/log/apache2
chown www-data /var/log/apache2/*.log
and in your /etc/logrotate.d/apache2
change the line
create 640 root adm
to
create 640 www-data adm
this way apache can still write to the log file
but nobody other than www-data can read it.
IMHO it’s better than putting www-data in the adm group and so giving it admin privileges (dangerous for the system)