[Pkg-awstats-devel] RFC - cron-related stuff

Sergey B Kirpichev skirpichev at gmail.com
Mon Apr 13 08:26:47 UTC 2009


> >By default awstats user has NO access to log files (adm group).  Only
> >when a local admin chgrp to awstats them (explicitly) - then awstats
> >will have a readonly access.  It's simple and a bit easy to support.
> >No new (buggy ;-)) wrappers for awstats.pl in cron.d/awstats.
>
> There is no flaw in the packaging itself, but you take only a single
> workflow into account, and for that workflow you tell the admin to
> weaken security.

How??  It doesn't weaken anymore.  Anyway, the awstats user needs access to
logs for log parsing.  That's exactly what shall be done by "chgrp awstats
/var/log/apache2/*" (by tuning logrotate settings, actually).

> Here's another scenario: Multiple users have shell access to accounts
> also used for webhosting. Each account is sealed in that users cannot
> read each other's content - some might contain .htaccess files or other
> security-related files.
>
> For that scenario you cannot tell the admin to make logs readable by
> www-data.

And I don't do so.  Instead, I just suggest making it read-only accessible
by the awstats group.

Parsed stuff is accessible by awstats:awstats only by default.

> I would like awstats to support multiple virtual hosts securely.  Not
> now, but later.  I would like to do it right, when we bother our users
> with restructuring the central config files.

Right now we can suggest (in config examples) the following layout:
/var/lib/awstats/raw/ - *.txt or *.xml database files
/var/lib/awstats/html/ - *.html reports (static)

Local admin can (a) "chgrp www-data /var/lib/awstats/" to allow a web
access or (b) copy&chown (in crontab) right virtualhosts stuff from
/var/lib/awstats/html/* to the right webhosting user.

> Oh, and by the way: Are you aware that when you now dropped the check
> for existence of logfiles in cron job, awstats is invoked each 10
> minutes even if there is no webserver installed.  Not nice to system
> resources.

But _all_ log parsing configuration stuff goes to /etc/awstats/* files.

>  I would prefer to instead get the logfile path from
> /etc/default/awstats with a comment there that central awstats routines
> can be disabled by commenting out that path.

It's not so easy to do for multiple virtual hostings.  Or if there are
several webservers (e.g. frontend/backend).

AWstats should fire an error to stderr if the logfile doesn't exist.  It's a
problem for the local admin, we wouldn't hide one (Yes, I know that it sends
hundreds of mails sometimes...).

I suggest just commenting out the default cron entry.

> Later we can extend to supporting multiple paths or perhaps globbing.
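
An added example, not part of the original message or of the awstats packaging: a shell check for the access model argued over in this thread, where web server logs are readable through the awstats group, read-only, with nothing granted to other users. The function name and the finding tags are assumptions, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the thread). Audits one directory of logs:
# each regular file must be group-owned by GROUP, group-readable,
# not group-writable, and carry no permission bits for "other".
# Assumes GNU coreutils stat (-c). Function name and tags are illustrative.

audit_log_perms() {
    alp_dir=$1
    alp_group=$2
    alp_bad=0
    for alp_f in "$alp_dir"/*; do
        [ -f "$alp_f" ] || continue             # skip dirs and an unmatched glob
        alp_mode=$(stat -c '%a' "$alp_f")       # octal mode, e.g. 640
        alp_fgroup=$(stat -c '%G' "$alp_f")     # group owner by name
        alp_m=$((0$alp_mode))                   # leading 0: parse as octal
        alp_other=$((alp_m & 7))
        alp_grp=$(( (alp_m >> 3) & 7 ))
        if [ "$alp_other" -ne 0 ]; then         # any access for other users
            printf 'WORLD %s\n' "$alp_f"; alp_bad=1
        fi
        if [ "$alp_fgroup" != "$alp_group" ]; then
            printf 'GROUP %s\n' "$alp_f"; alp_bad=1
        fi
        if [ $((alp_grp & 4)) -eq 0 ]; then     # group cannot read: parsing fails
            printf 'NOREAD %s\n' "$alp_f"; alp_bad=1
        fi
        if [ $((alp_grp & 2)) -ne 0 ]; then     # group can write: not read-only
            printf 'GWRITE %s\n' "$alp_f"; alp_bad=1
        fi
    done
    return "$alp_bad"
}

# Usage: sh audit.sh /var/log/apache2 awstats
if [ "$#" -eq 2 ]; then
    audit_log_perms "$1" "$2"
fi
```

The check exits non-zero when any file deviates, so it can run after log rotation to confirm that newly created logs keep the intended group and mode.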


