Adam Megacz wrote:
> I've seen references on and off to what appears to be a third problem,
> which is almost orthogonal to the previous two issues:
>
> 3) For some reason we don't want users to be able to delete or modify
> their own logs.
>
> Is this actually a goal?
>

We want to be able to calculate bandwidth usage by virtual host, since in general we want to be able to tell if anyone is using exorbitant amounts of any resource, and web bandwidth is our majority bandwidth type presently. That requires that users can't muck with their log files arbitrarily. There is the "side benefit" of letting people see their web statistics, but the logs aren't just a service that we are helping members provide for themselves.

> I don't care about the policy angle, but
> technically it opens a whole new can of worms. Apache runs with the
> user's tokens -- how is it going to write to the logfile if the user
> can't write to it?

That may be true with mod_waklog, but it's not true with the old suexec approach. Apache opens all log files as root when it starts up. These file descriptors are inherited where needed by "trusted" child processes, but the separate processes spawned with suexec don't get/need access to them. Does waklog change the picture in some way that would prevent this from working?
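
The descriptor-inheritance pattern described in the message above, as an added C example that is not part of the original post and is not Apache's own code: a parent opens the log before any privilege drop, a forked worker writes through the inherited descriptor even though it can no longer open the path, and an exec'd program never sees the descriptor. Assumptions: `UNPRIV_ID` (65534) stands for an unprivileged account, `O_CLOEXEC` is this example's way of hiding the descriptor from exec'd programs, and `/bin/sh` stands in for a suexec'd process.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_ID 65534 /* assumption: uid/gid of an unprivileged account */

/* Run fn(fd, path) in a forked child and return the child's exit status. */
static int in_child(int (*fn)(int, const char *), int fd, const char *path) {
    int st = 0;
    pid_t pid = fork();
    if (pid == 0) _exit(fn(fd, path));
    if (pid < 0 || waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* "Trusted" worker: drops root if it has it, then logs via the inherited fd.
 * Exit 0: inherited fd writable and a fresh open refused. 4: drop failed. */
static int worker(int fd, const char *path) {
    if (geteuid() == 0 && (setgroups(0, NULL) || setgid(UNPRIV_ID) || setuid(UNPRIV_ID)))
        return 4;
    int fresh = open(path, O_WRONLY | O_APPEND);        /* permissions checked here */
    int wrote = write(fd, "GET / 200 512\n", 14) == 14; /* not checked on an open fd */
    return (wrote ? 0 : 1) | (fresh >= 0 ? 2 : 0);
}

/* Stand-in for a suexec'd program: after exec, try to use the same fd number. */
static int execd(int fd, const char *path) {
    char cmd[64];
    (void)path;
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; : >&%d", fd);
    execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
    return 127;
}

/* Parent side: create the log read-only (0400) but hold a writable, close-on-exec fd. */
int open_log(const char *path) {
    return open(path, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_CLOEXEC, 0400);
}
int worker_result(int fd, const char *path) { return in_child(worker, fd, path); }
int execd_result(int fd) { return in_child(execd, fd, ""); }

int main(void) {
    int fd = open_log("vhost-demo.log");
    printf("worker=%d exec=%d\n", worker_result(fd, "vhost-demo.log"), execd_result(fd));
    unlink("vhost-demo.log");
    return fd < 0;
}
```

A worker status of 0 means the write through the inherited descriptor succeeded while a fresh `open()` of the same path was refused; a non-zero exec status means the exec'd shell found the descriptor closed.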
