TIP: Resolving AWstats permission denied error by www-data cron job
So if you have installed AWstats, a web-statistic program, on your machine you would have noticed that the cron job that it sets by default does not work. Meaning that the statistics on your AWstats web page does not get updated. If you do a search on Internet, you will find that lot of Ubuntu and Debian folks are facing the same problem. Also there are lot of other suggestions (but dangerous) that are given to make it work, but I have found the following solution to the most (but not completely) safest of all.
Let’s first take a look at the cron job that gets installed by default when you install AWstats in Debian Lenny:
debian:~# cat /etc/cron.d/awstats
0,10,20,30,40,50 * * * * www-data [ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache2/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=mydomain.org -update>/dev/null
Now if you read the Debian specific README file at:
/usr/share/doc/awstats/README.Debian
it will say giving proper “read” permission to access.log file at /var/log/apache2/. Now even after giving read permission to that file, the “www-data” user is not able to access the apache log files. You can verify this by running the following command:
debian:~# sudo -u www-data /usr/bin/perl /usr/lib/cgi-bin/awstats.pl -update -config=mydomain.org
Output:
Create/Update database for config "/etc/awstats/awstats.mydomain.org.conf" by AWStats version 6.7 (build 1.892)
From data in log file "/var/log/apache2/access.log"...
Error: Couldn't open server log file "/var/log/apache2/access.log" : Permission denied
Setup ('/etc/awstats/awstats.mydomain.org.conf' file web server or permissions) may be wrong.
Check config file permissions and AWStats documentation (in 'docs' directory).
debian:~#
That’s right, even after giving read permission to access.log file, it still cannot read it.
After a lot of researching I finally tried the following command:
# chmod 755 -R /var/log/apache2/*
The above command makes the files “readable” and “executable” for the group “adm” and for “others” user.
Now the cron job, /etc/cron.d/awstats, will execute just fine you should be able to see your server’s statistics at:
http://mydomain.org/awstats/awstats.pl
Also if anyone of you find a better solution than above, please post it in the comment section below.
Happy CRON’ing!
Email Subscription
Loading ...
October 29th, 2009 at 1:26 am
[...] Now after every 10 minutes the cron job will run automatically and you can see your statistics as shown above. If you are having trouble getting the cron job to run, please this post. [...]
November 17th, 2009 at 3:52 pm
aaaah,
man, you got it!!!
thanks very much for the thread!
actually, i found it at
http://www.mail-archive.com/debian-user@lists.debian.org/msg558469.html
it’s really not my first awstats install,
but my first in lenny!
i got also one server running on etch, and
everything’s just fine on it.
as i finally found your thread, read it and
compared my apache2 log folder on lenny and
etch, i found that this folder has the right
permissions in the etch install: 755.
on lenny it’s 754, don’t to hell know why!
i thought i’ll do the install in half an
hour, and now i’m sitting all evening on it,
trying everything, almost desparing.
EXACTLY the same problem!
i wonder if we are the only ones with that,
i googled nothing similar out this evening.
thanks again!
cheers
Juri
Reply to this comment
Admin Reply:
November 17th, 2009 at 7:21 pm
Yes this one was a real pain to figure out! I am glad that this post was helpful to you.
Reply to this comment
November 18th, 2009 at 1:48 am
maybe you could replace
“# chmod 755 -R /var/log/apache2/*”
with
“# chmod 755 /var/log/apache2/”
for security.
it’s just the log directory that needs
“rx” mode,
the log files are fine with “644″ for
the www-data user, specified in the
logrotate job.
Reply to this comment
December 17th, 2009 at 9:57 pm
Running “chmod 755 /var/log/apache2/” worked for me on Karmic Koala. It did not with the *.
Reply to this comment
January 8th, 2010 at 9:38 am
Bubba is right. It only worked once you give the /var/log/apache2 directory itself 755, not just the files within it.
Reply to this comment
December 23rd, 2011 at 3:59 am
[...] Para evitar que de problemas de permisos para leer el fichero de logs tenemos que hacer lo que dicen aquí [...]
December 23rd, 2011 at 10:52 am
[...] Para evitar que de problemas de permisos para leer el fichero de logs tenemos que hacer lo que dicen aquí [...]
January 26th, 2012 at 2:07 am
or you can try to fix the permission for:
/var/cache/awstats
Reply to this comment
February 20th, 2012 at 5:30 am
Don’t forget to update your logrotate configuration file to set permissions to 644 instead of the default 640 or you will be chasing the same issue every day. Of course you can set it to 755 as noted above if you prefer, but I don’t think it is necessary.
Reply to this comment
March 26th, 2012 at 5:32 am
# chmod 755 -R /var/log/apache2/*
- this command make apache logs world-readable via any user, so this is very bad for security reason. Maybe better is to change owner of /var/log/apache2/apache.log to www-data?
Reply to this comment
March 26th, 2012 at 11:18 am
@Anthony, @Murz
are you reading the whole thread? if so, you should have noticed my second post that tells:
—- zip
Juri
November 18th, 2009 at 1:48 am
maybe you could replace
“# chmod 755 -R /var/log/apache2/*”
with
“# chmod 755 /var/log/apache2/”
for security.
it’s just the log directory that needs
“rx” mode,
the log files are fine with “644? for
the www-data user, specified in the
logrotate job.
—-zap
Reply to this comment
April 5th, 2012 at 12:39 pm
@Juri
755 or 644 permissions are same for file read permission via other users. So if we set them, any user of server wil can read main apache logs, this is not so good for security. So better is to change owner of log file to apache user, insead giving world-readable permissions for them.
Reply to this comment