[Pkg-awstats-devel] RFC - cron-related stuff
Sergey B Kirpichev
skirpichev at gmail.com
Sun Apr 12 12:44:00 UTC 2009
> No, I disagree: Even if(!) the output of AWStats is to be delivered
> through a web server, it should not necessarily be served to the whole
> world. Only if it is to be served to the whole world should it be
> readable by www-data.
I was wrong. Your point is that the default configuration (static
html-reports) should not be in a working state since installation (log
parsing + web access). So, user have to chmod/chgrp/chown/usermod after
a tuning of the awstats*.conf (maybe add lines in /etc/cron.d/awstats
too).
> >The main difference between CGI vs static stuff is just a matter of
> >the awstats.pl command line parameters in /etc/cron.d/awstats ;-)
>
> I fail to see your point.
It means that both apache (server static pages) and CGI-script (without
suexec) runs with UID=www-data per default. Permissions on $DataDir
or/and $DataDir/* should be same for both cases, if web access is
planned. No differences.
> Here's a proposal for a secure setup:
> 2) Cron reads logs as root and pipes them (or cp to temp dir and chown)
> 3) Cron invokes awstats as awstats, saving output accessible by awstats
> group
> 4) Cron chmod and chown as root the output to match the input
Looks too complicated. What's wrong with my previous setup:
adduser --system --home /var/lib/awstats --shell /bin/sh --ingroup adm awstats
chown awstats:awstats /var/lib/awstats
chmod 0750 /var/lib/awstats
?
With /etc/cron.d/awstats entry:
*/10 * * * * awstats [ -x /usr/lib/cgi-bin/awstats.pl ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null
We have working setup per default, just no web access.
Then web access is an option (as you suggest). Thus the admin
may use "usermod -aG awstats www-data" to serve static html-statistics.
And use an apropriate apache.conf snippet to restrict web access.
More information about the Pkg-awstats-devel
mailing list