[Pkg-awstats-devel] RFC - cron-related stuff
Sergey B Kirpichev
skirpichev at gmail.com
Mon Apr 13 08:26:47 UTC 2009
> >By default awstats user has NO access to log files (adm group). Only
> >when a local admin chgrp to awstats them (explicitly) - then awstats
> >will have a readonly access. It's simple and a bit easy to support.
> >No new (buggy ;-)) wrappers for awstats.pl in cron.d/awstats.
>
> There is no flaw in the packaging itself, but you take only a single
> workflow into account, and for that workflow you tell the admin to
> weaken security.

How?? It doesn't weaken anymore. Anyway, the awstats user needs access to
logs for log parsing. That's exactly what shall be done by "chgrp awstats
/var/log/apache2/*" (by tuning logrotate settings, actually).

> Here's another scenario: Multiple users have shell access to accounts
> also used for webhosting. Each account is sealed in that users cannot
> read each others content - some might contain .htaccess files or other
> security-related files.
>
> For that scenario you cannot tell the admin to make logs readable by
> www-data.

And I don't do so. Instead, I just suggest making it read-only accessible
by the awstats group.
Parsed stuff is accessible by awstats:awstats only by default.

> I would like awstats to support multiple virtual hosts securely. Not
> now, but later. I would like to do it right, when we bother our users
> with restructuring the central config files.

Right now we can suggest (in config examples) the following layout:

/var/lib/awstats/raw/ - *.txt or *.xml database files
/var/lib/awstats/html/ - *.html reports (static)

The local admin can (a) "chgrp www-data /var/lib/awstats/" to allow web
access or (b) copy&chown (in crontab) the right virtualhosts stuff from
/var/lib/awstats/html/* to the right webhosting user.

> Oh, and by the way: Are you aware that when you now dropped the check
> for existence of logfiles in cron job, awstats is invoked every 10
> minutes even if there is no webserver installed. Not nice to system
> resources.

But _all_ log parsing configuration stuff goes to /etc/awstats/* files.

> I would prefer to instead get the logfile path from
> /etc/default/awstats with a comment there that central awstats routines
> can be disabled by commenting out that path.

It's not so easy to do for multiple virtual hostings. Or if there are
several webservers (e.g. frontend/backend).
AWstats should fire an error to stderr if the logfile doesn't exist. It's a
problem for the local admin, we wouldn't hide one (Yes, I know that it sends
hundreds of mails sometimes...).
I suggest just commenting out the default cron entry.

> Later we can extend to supporting multiple paths or perhaps globbing.
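
The permission model argued for in this message (logs handed to the awstats group read-only, nothing readable by other users) can be checked after the "chgrp awstats /var/log/apache2/*" step. The script below is an added example, not part of the thread or of the awstats package; the function names `check_log_perms` and `audit_logs` are hypothetical and it assumes GNU stat as shipped on Debian.

```shell
#!/bin/sh
# Added example: audit log files against the read-only-group model.
# Assumes GNU stat (stat -c). Function names are hypothetical.

# check_log_perms FILE GROUP
# Succeeds only when FILE belongs to GROUP, that group can read but not
# write or execute it, and "other" has no access at all.
check_log_perms() {
    f=$1 want=$2
    [ -f "$f" ] || { echo "$f: not a regular file"; return 1; }
    group=$(stat -c '%G' "$f") || return 1
    mode=$(stat -c '%a' "$f") || return 1
    perm=$((0$mode))                 # parse the octal mode string
    if [ "$group" != "$want" ]; then
        echo "$f: group is $group, expected $want"; return 1
    fi
    if [ $((perm & 0070)) -ne $((0040)) ]; then
        echo "$f: group bits must be read-only (mode $mode)"; return 1
    fi
    if [ $((perm & 0007)) -ne 0 ]; then
        echo "$f: accessible by other users (mode $mode)"; return 1
    fi
    return 0
}

# audit_logs GROUP FILE...
# Checks every file and returns non-zero if any of them fails.
audit_logs() {
    want=$1; shift
    rc=0
    for f in "$@"; do
        check_log_perms "$f" "$want" || rc=1
    done
    return $rc
}

# Usage: sh audit.sh awstats /var/log/apache2/*
if [ "$#" -ge 2 ]; then
    audit_logs "$@"
fi
```

Files created later by logrotate only pass this check if the logrotate settings were tuned as well, which is the point made in the reply about chgrp.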