
Hiawatha log file ownership

Fred
9 September 2018, 15:50
Hi Hugo,

I have been using Hiawatha for 2 years with no problem and always found your documentation very good.
I currently have a problem that I cannot resolve via the documentation.

So far, I have been using 1 Hiawatha webserver per domain... Therefore I have many VMs to maintain.
I have been trying to create a shared hosting server and secure the application using php-fpm pools.
/usr/local/etc/php-fpm.d/fred.conf
[fred]
user = $pool
;group = $pool
group = www

listen = /var/run/$pool.sock

listen.owner = www
listen.group = www
listen.mode = 0660

pm = ondemand
pm.max_children = 20
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
pm.process_idle_timeout = 60s
pm.max_requests = 200
pm.status_path = /status
request_terminate_timeout = 0

env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /home/$pool/tmp
env[TMPDIR] = /home/$pool/tmp
env[TEMP] = /home/$pool/tmp

php_admin_value[open_basedir] = /home/$pool/public_html:/home/$pool/tmp:/usr/local/share/pear:/usr/local/lib/php
php_admin_value[disable_functions] = "exec,passthru,shell_exec,system,proc_open,popen,show_source"
php_admin_flag[allow_url_fopen] = On
;security.limit_extensions = .php .shtml
php_admin_value[date.timezone] = Europe/London

php_flag[display_errors] = off
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = 30711
php_admin_value[error_log] = /home/$pool/public_html/logs/php_error.$pool.log
php_admin_value[memory_limit] = 128M
php_value[upload_max_filesize] = 8M
php_value[max_execution_time] = 60
php_admin_value[upload_tmp_dir] = /home/$pool/tmp
php_admin_value[session.save_path] = /home/$pool/tmp
chdir = /


I then tell Hiawatha to use fred.sock
/usr/local/etc/hiawatha/siteconf/fred.co.uk.conf
VirtualHost {
Hostname = fred.co.uk
WebsiteRoot = /usr/home/fred/public_html
StartFile = index.php
#UseLocalConfig = yes # Tell Hiawatha to use or ignore .hiawatha files

## Login
AccessLogfile = /usr/home/fred/public_html/logs/access.fred.co.uk.log
ErrorLogfile = /usr/home/fred/public_html/logs/error.fred.co.uk.log

## CGI
TimeForCGI = 60
UseFastCGI = PHP7-FPM-fred

## Header
CustomHeader = X-Frame-Options: sameorigin
CustomHeader = Vary: Accept-Encoding

## Error handling
#ErrorXSLTfile = /usr/local/etc/hiawatha/error.xslt
ErrorHandler = 404:/error.cgi

## Directory
UseDirectory = expire_1month, expire_2month

## Toolkit
UseToolkit = webmail, wordpress

## Security Settings Variables
DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$ # If the request body matches the case insensitive regular expression, return a 403 Forbidden

PreventCSRF = detect # Ignore all cookies sent by a browser when following an external link
# Can cause problems for wordpress
# Default = no

PreventSQLi = detect # Prevent SQL-injection by detecting injections and denying the request via a 403, 404 or 441 response.
# NOT 100% guarantee, resource intensive!

PreventXSS = block # Prevent cross-site scripting via the URL by replacing a less-then, greater-then, quote or double-quote in the URL with an underscore.
# Default = no
}

I set the file permissions of the /usr/home/fred/public_html directory to
drwxr-xr-x  9 fred  fred       38 Sep  5 14:58 public_html/

I set everything inside /usr/home/fred/public_html to 750 for directories and 640 for files, owned by fred:www
-rw-r-----   1 fred  www      3669 Feb 11  2018 wp-cron.php
drwxr-x--- 18 fred www 188 Feb 11 2018 wp-includes/


My problem is this:
When the user fred connects to the site via FTP using username 'fred', the user cannot open the Hiawatha log files,
because the file permissions are
-rw-r-----  1 www  www  10524798 Sep  9 14:36 access.fred.co.uk.log
-rw-r----- 1 www www 289 Sep 9 13:39 error.fred.co.uk.log

in my /usr/local/etc/hiawatha/hiawatha.conf
I have
...
ServerId = www:www
...

My question is this: how can I set the ownership of the Hiawatha log files so that all the users sharing this web server can access their own log files?
Can the ServerId property be set per directory, or dynamically?

Thank you
Hugo Leisink
16 September 2018, 10:23
Hi Fred,

The issue is that Hiawatha needs to be able to write to those files after it has dropped root rights. And after that, it also needs to be able to rotate logfiles. So, the uid of the logfiles has to be the one Hiawatha runs with. What you can do is extend the LOG_PERM setting in src/log.h with S_IROTH.
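An added example, not part of the thread: this script reproduces the permission check a shared-hosting user is subject to for the listings posted above, and shows what adding S_IROTH to the log file mode changes. The listing text is constructed from the `ls -l` output in the post; the user fred is assumed to belong only to his own group, as the `fred fred` ownership of public_html suggests.

```python
import stat

# Constructed from the ls -l lines in the post: the two Hiawatha log files
# (owned by the ServerId user www:www) and one WordPress file owned by fred.
LS_LINES = """
-rw-r-----  1 www   www   10524798 Sep  9 14:36 access.fred.co.uk.log
-rw-r-----  1 www   www        289 Sep  9 13:39 error.fred.co.uk.log
-rw-r-----  1 fred  www       3669 Feb 11  2018 wp-cron.php
"""


def parse_mode(mode_str):
    """Turn an ls-style mode string such as '-rw-r-----' into numeric bits (0o640)."""
    bits = 0
    for i, ch in enumerate(mode_str[1:10]):   # skip the file type character
        if ch in "rwxst":                      # 's'/'t' imply the x bit is set
            bits |= 1 << (8 - i)
    return bits


def parse_ls_line(line):
    """Extract mode, owner, group and name from one ls -l line."""
    fields = line.split(None, 8)               # name is the 9th field
    return {"mode": parse_mode(fields[0]), "owner": fields[2],
            "group": fields[3], "name": fields[8]}


def can_read(entry, user, groups):
    """Classic owner/group/other read check, as the kernel applies it."""
    mode = entry["mode"]
    if entry["owner"] == user:
        return bool(mode & stat.S_IRUSR)
    if entry["group"] in groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit(listing, user, groups, extra_bits=0):
    """Map each file name to whether `user` can read it.

    `extra_bits` is OR-ed into every mode first, so passing stat.S_IROTH
    models the LOG_PERM change suggested in the reply above.
    """
    results = {}
    for line in listing.strip().splitlines():
        entry = parse_ls_line(line)
        entry["mode"] |= extra_bits
        results[entry["name"]] = can_read(entry, user, groups)
    return results


if __name__ == "__main__":
    for label, bits in (("as posted", 0), ("with S_IROTH", stat.S_IROTH)):
        print(label, audit(LS_LINES, "fred", {"fred"}, bits))
```

With the modes as posted, fred can read wp-cron.php but neither log file; once the other-read bit is added, all three are readable, while the files stay owned and writable by the uid Hiawatha runs as.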
Fred
24 September 2018, 11:18
Thank you