Concerns about Apache per-Vhost logging setup
- by etienne
I'm both senior developer and sysadmin in my company, so i'm trying to deal with the needs of both activities.
I've set up our apache box, wich deals with 30-50 domains atm (and hopefully will grow larger) and hosts both production and development sites, with this directory structure:
domains/
domains/domain.ext/ #FTPS chroot for user domain.ext
domains/domain.ext/public #the DocumentRoot of http://domain.ext
domains/domain.ext/logs
domains/domain.ext/subdomains/sub.domain.ext
domains/domain.ext/subdomains/sub.domain.ext/public #DocumentRoot of http://sub.domain.ext
Each domain.ext Vhost runs with his dedicated user and group via mpm-itk, umask being 027, and the logs are stored via a piped sudo command, like this:
ErrorLog "| /usr/bin/sudo -u nobody -g domain.ext tee -a domains/domain.ext/logs/sub.domain.ext_error.log"
CustomLog "| /usr/bin/sudo -u nobody -g domain.ext tee -a domains/domain.ext/logs/sub.domain.ext_access.log" combined
Now, i've read a lot about not letting the logs out of a very restricted directory, but the developers often need to give a quick look to a particular subdomain error log, and i don't really want to give them admin rights to look into /var/logs. Having them available into the ftp account is REALLY handy during development stages.
Do you think this setup is viable and safe enough? To me it is apparently looking good, but i'm concerned about 3 security issues:
-is the sudo pipe enough to deal with symlink exploits? Any catches i'm missing?
-log dos: logs are in the same partition of all domains. got hundreds of gigs, but still, if one get disk-space dos'd, everything will break. Any workaround? Will a short timed logrotate suffice?
-file descriptors limits: AFAIK the default limit for Apache on Ubuntu Server is currently 8192, which should be plenty enough to handle 2 log files per subdomain. Is it? Am i missing something?
I hope to read some thoughts on the matter!