View Full Version : PHP script to read root access files
qhasxeem 07-14-2004, 03:21 PM My server is Apache on Red Hat 9.
I'm trying to create a PHP script to read /var/log/maillog, but access to the maillog is denied to the apache user and group. Is there a way around this?
I need to read the maillog, parse it for information and then output.
namelayer 07-14-2004, 03:33 PM You may have to chown the script to root somehow. Or give the user the script runs under permissions to read /var/log/maillog, which IMO would be safer if the user is yourself and not a client.
qhasxeem 07-14-2004, 03:48 PM maillog is owned by root.root, if I change that would it affect SENDMAIL?
namelayer 07-14-2004, 08:50 PM No, I didn't mean change the owner of /var/log/maillog. I meant change the permissions of the account the script runs under so it can get info from /var/log/maillog. I'm not sure off the top of my head, but give the user Super User permissions and it should work. I reserve the right to be wrong though ;)
qhasxeem 07-14-2004, 09:15 PM The script runs through Apache. I'm placing the script on a web site. If I run the script (php checklogs.php) as root, it works. If I call it from a web page, http://localhost/checklogs.php, it fails.
But thanks for the input.
namelayer 07-14-2004, 09:53 PM Exactly! Take the account the website is under, the user I mean, and give it Super User permissions.
qhasxeem 07-14-2004, 10:04 PM Sorry, so newbie, but how do you do that?
The user is apache. The group is apache.
namelayer 07-14-2004, 10:24 PM What control panel are you running on the server?
namelayer 07-14-2004, 10:29 PM Scratch that,
Try this in shell
chmod 777 /var/log/maillog
qhasxeem 07-14-2004, 10:45 PM I'm using BlueQuartz (Sun RAQ550 clone)
P.S. Changing the log to 777 works; in fact 755 works also.
But not the solution I want.
How do I change apache user to super user permission??
Burhan 07-15-2004, 03:22 AM You DO NOT want to change Apache user to super user. This is a VERY BIG security risk.
What this does is, all scripts that are run from your webserver will have root permissions ... which means ... if you host any scripts that are compromised, the hacker will have root access to your server.
Instead, use suexec.
qhasxeem 07-15-2004, 08:53 AM Thanks for the help. This will probably work.
Now I need help to recompile my web server. LOL.
xelav 07-15-2004, 09:46 AM Changing the apache group is insecure.
Better to create a PHP script, chown it root:root with mode 711, and set the setuid bit.
This will work.
SimplyDiff 07-15-2004, 10:08 AM I think other people's suggestions are overly complicated, and whoever suggested changing the website user to a super user should be beaten with a server -- no, I'm not kidding, at the very least should be banned from posting in the programming forum. Does every web programming tutorial now really have to start with "never open unverified input" and "never give your webserver root access to your system"? Actually.... I'm pretty sure most books on Apache mention that as the reason for having an "apache" user or running it as nobody. Sorry, but the fact that the idea would even enter someone's head....
You don't want the log to be 777 obviously. Why would the log need to be executable anyway? You also don't want it to be writable by everyone. You could set it to 604/644/664, which would give everybody just read permissions to it.
Another option (this all depends on how it's currently owned as to if you need to add groups to make this work securely). This would possibly be the best way if you are using suexec. Change the group on the log file to be apache (or if suexec, whatever user the script is running as) and chmod it to 640. If the group is apache, that would keep access only to people with webserver access, which isn't the best idea, but it's better than everyone having access.
xelav's idea isn't too horrible, but having setuid scripts laying around makes security people nervous. But at least it's more secure than the other suggestions.
namelayer 07-15-2004, 12:13 PM Originally posted by GHDave
You may have to chown the script to root somehow. Or give the user the script runs under permissions to read /var/log/maillog, which IMO would be safer if the user is yourself and not a client.
Changing the apache group is insecure.
Better to create a PHP script, chown it root:root with mode 711, and set the setuid bit.
This will work.
Is my text invisible?
How do I change apache user to super user permission??
I HAVE NEVER suggested that!!
qhasxeem 07-15-2004, 02:19 PM Thanks for all the replies and answers.
I created an easier solution -- which won't require changing permissions and recompiling apache.
Solution: created a script to copy the maillog to a temp folder, change the mode to 600 and owner to apache. Place the script in crontab to run quarterly. It works great.
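The cron-copy approach from the post above, written out as an added example (this is not the poster's script, which the thread does not show). It assumes the live log is /var/log/maillog, that the copy goes to a directory outside the document root such as /var/www/private, and that the reader is the apache user; the crontab line, the file names and the helper names stage_log and check_staged are all choices made here, not from the thread. The copy is built in a temp file and renamed into place so the web script never reads a half-written file, and the live log stays root-only.

```sh
#!/bin/sh
# Added example: stage a root-only log as a copy the web user can read.
# Run from root's crontab, e.g. every 15 minutes (assumed schedule and paths):
#   */15 * * * * /usr/local/sbin/stage_maillog /var/log/maillog /var/www/private/maillog.copy apache
set -eu

# stage_log SRC DEST OWNER
# Copies SRC into a temp file beside DEST (mktemp creates it mode 600),
# pins mode 600 and owner OWNER, then renames it over DEST. The rename is
# atomic on the same filesystem, so a reader sees either the old copy or
# the new one, never a partial write.
stage_log() {
    src=$1; dest=$2; owner=$3
    dest_dir=$(dirname "$dest")
    tmp=$(mktemp "$dest_dir/.maillog.XXXXXX")
    cp "$src" "$tmp"            # cp into an existing file keeps the 600 mode
    chmod 600 "$tmp"
    chown "$owner" "$tmp"       # needs root when OWNER is not the caller
    mv -f "$tmp" "$dest"
}

# check_staged DEST OWNER
# Returns 0 when DEST is mode 600 and owned by OWNER, 1 otherwise.
# Uses GNU stat's -c, as on Red Hat.
check_staged() {
    dest=$1; owner=$2
    mode=$(stat -c '%a' "$dest")
    actual_owner=$(stat -c '%U' "$dest")
    [ "$mode" = "600" ] && [ "$actual_owner" = "$owner" ]
}

# When invoked with three arguments, do the staging and verify the result.
if [ $# -eq 3 ]; then
    stage_log "$1" "$2" "$3"
    check_staged "$2" "$3"
fi
```

The PHP script then opens the copy instead of the live log. Two things to keep in mind: the copy is stale by up to one cron interval, and the directory holding it must itself not be served by Apache, or the 600 mode protects nothing against a request for the file's URL.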
xelav 07-15-2004, 02:45 PM That's an idea too.