Give user SSH access to log files

ditto

I have a user that needs SSH access to his log files. At the moment he can only read them in the control panel with his browser.

This is the log file I want him to access in SSH:
/var/log/httpd/domains/DOMAINNAME.TLD.log

But it doesn't work:

tail -f /var/log/httpd/domains/DOMAINNAME.TLD.log
tail: cannot open `/var/log/httpd/domains/DOMAINNAME.TLD.log' for
reading: Permission denied

Should I create a symbolic link for this? How would you solve this?
 
I wouldn't be doing this ...

I'd be running a bash script and copying the log files into their /home/<user>/ folder that they have FTP access to.
 
Thanks. But the user wants to view the log file live using SSH. So the question is if it is possible to do without compromising the security?
 
How would you solve this?
Simple: NOT. We never give our customers SSH access.

They can view their apache access_log and error_log through the DirectAdmin control panel.
I remember something like Site statistics ..... right side at the top under User Level.
 
I always give them access to SSH, and don't see any problem with that. That is not what this thread is meant to discuss. I was hoping somebody knew what I should do to give them read access in SSH to their log files without compromising the security?
 
Did you read my last 2 lines, maybe this is a solution without SSH needed.

The problem is that he can't read the file because it's owned by a user other than himself. I would not change anything because of 1 user that needs to read a log.

You can if you really really want: bash script that daily copies the log to /home/|USERNAME|/apache-logs/ or something.
 
Yes I read your last two lines. But this user doesn't want to read the log files in the panel, he doesn't want to use his browser for this. He wants to read them live using SSH. So it can't just be a daily copy in his home dir ...
 
A symbolic link isn't going to help. I don't know if a regular link will work or not; you can try it if the file and the user's home directory are on the same partition.

If not, then you may be able to make the log file's group ownership the user's name, but I still don't know if that's going to work because of the path.

Otherwise I don't think you can give the user shell access without giving him root access. Which I would never do. If he needs it or he'll leave, then sell him a VPS. My opinion.

Jeff
 
My question is how "live" does he want it?

You could write a "watch" script that watches the log file and "cat" that information to a file within his <home> folder - which he does have ssh access to.

A watch or tail script could be literally a few seconds off actual.

This is a crude but workable quick hack I thought of:

create a file called watchlog.sh and use VI to edit:
Code:
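#!/bin/sh
# Replace <user> and DOMAINNAME.TLD with real values before running.
# Create the copy in the user's home and hand ownership to the user.
touch /home/<user>/folderforlog/watchlog.log
chown <user> /home/<user>/folderforlog/watchlog.log
chgrp <user> /home/<user>/folderforlog/watchlog.log
# Stream new log lines into the user's copy, in the background.
tail -f /var/log/httpd/domains/DOMAINNAME.TLD.log > /home/<user>/folderforlog/watchlog.log &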

--> you'll need to chmod 755 this file

then you could run it via cron

then all the user has to do is run:

Code:
tail -f /home/<user>/folderforlog/watchlog.log

A few thoughts - you'd probably need to purge or rotate the log - otherwise it will just get bigger and bigger.

Perhaps you could add a copy to the above script then rm the watchlog.log file and continue the script above??

ETA:
I just tried this on a user on one of my DA servers and it worked fairly instantly. To end this, just run "ps -waux | grep tail", get the PID for that particular command, and run "kill -9 <PID>".
 
Why don't you just change the customlog path of the virtualhost to a folder in the user's home directory. It is the most simple solution.
 
Thank you Ranz for trying to help! I have been in contact with DirectAdmin support, and they have solved the problem for me. Of course changing the custom log path would break webalizer and awstats, but there is no reason I can't just add a 2nd entry for a 2nd log, I was told by DirectAdmin support.

And it works great! In Admin Level -> Custom httpd config -> domain.com I have added this (of course "username" and "domain.com" and "access_log" must be changed):

Code:
CustomLog /home/username/domains/domain.com/logs/access_log combined

The only thing left now is to wait and see if the new live log file in the user's home directory will just increase in size over time and get bigger and bigger, or if it will "rotate".

I will wait before contacting DirectAdmin support about that until I know. But I am hoping it will "rotate" and not grow bigger and bigger over time.

If somebody here has information about that, and about solving that problem, please help me out by posting your information in this thread. Thanks!
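
As an added example (not code from any poster or from DirectAdmin), the shell functions below walk a log path and report what stops a given account from reading it, which is the `Permission denied` in the first post, and which components that account can write to. The second check matters for a `CustomLog` placed under the user's home directory, because Apache opens its logs as the user that starts the server (normally root) and its documentation advises against giving others write access to the log directory; `class_bits`, `audit_log_path`, `demo` and the account `siteuser` are names assumed here, and GNU `stat` is required.

```shell
#!/bin/sh
# Added example, not from the thread. Needs GNU stat; FILE must be an absolute path.
# ACLs and root's permission override are not modelled.

# class_bits USER PATH: print the rwx digit (0-7) that applies to USER on PATH.
class_bits() {
    set -- "$1" "$2" $(stat -c '%u %g %a' "$2")    # $3=uid $4=gid $5=octal mode
    mode=$(printf '%04d' "$5")                     # pad, so 755 becomes 0755
    if [ "$(id -u "$1" 2>/dev/null)" = "$3" ]; then
        printf '%s\n' "$mode" | cut -c2            # USER owns it: owner digit
    elif id -G "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF "$4"; then
        printf '%s\n' "$mode" | cut -c3            # USER is in the group
    else
        printf '%s\n' "$mode" | cut -c4            # everyone else
    fi
}

# audit_log_path USER FILE: print one finding per line. No output means USER
# can read FILE and cannot write to it or to any directory above it.
audit_log_path() {
    user=$1 file=$2
    if [ ! -e "$file" ]; then echo "MISSING $file"; return 0; fi
    bits=$(class_bits "$user" "$file")
    if [ $((bits & 4)) -eq 0 ]; then echo "UNREADABLE $file"; fi
    if [ $((bits & 2)) -ne 0 ]; then echo "WRITABLE $file"; fi
    dir=$(dirname "$file")
    while :; do
        bits=$(class_bits "$user" "$dir")
        if [ $((bits & 1)) -eq 0 ]; then echo "BLOCKED $dir"; fi    # no search (x) bit
        if [ $((bits & 2)) -ne 0 ]; then echo "WRITABLE $dir"; fi   # USER controls entries here
        if [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    return 0
}

# Constructed demo tree; "siteuser" is a hypothetical account name.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/var/log/httpd/domains"
    : > "$t/var/log/httpd/domains/example.log"
    chmod 640 "$t/var/log/httpd/domains/example.log"
    chmod 711 "$t/var/log/httpd"; chmod 700 "$t/var/log/httpd/domains"
    audit_log_path siteuser "$t/var/log/httpd/domains/example.log"
    rm -rf "$t"
}
demo
```

Run it as root on the server so that every component of the path can be examined.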
 