Sun Cobalt RaQ550 web.log permissions and related issues
Starting with the Sun Cobalt RaQ550 platform, the log management program that creates the individual web.log files for each site on a Cobalt system has changed so that when the logs are created each night, they are not 'world' readable. In UNIX permissions parlance, the files previously had permissions as such:
This technically made them readable by anyone who knew their location. These permissions can be seen by using the command "ls -l" in the directory where the log file is located. Under the current scheme the files are set to have these permissions:
This means that unless you are an owner or part of a group that owns the web log file, or unless you are root, you cannot view it.
Since Urchin 4 is specifically designed to run without special privileges (for security reasons), root access is not an option. And since Urchin runs from a central installation, it cannot be set up to run as each individual user ID that owns specific log files. Therefore, Urchin would be prevented from processing your logs. The solution is to make the log files readable to Urchin. By default the way this is handled is that during an Urchin 4 installation on a RaQ550, a script named weblogs_perms.sh is put into the /etc/cron.daily directory. Each night this script will change the permissions on all web.log files so that they have the old rw-rw-r-- access rights. Modifying the web.logs after they have been created is preferable to altering the current Cobalt log management script.
If you are concerned about the visibility of the data in your web.log files, then an alternative to using the weblog_perms.sh script is to have your own mechanism that copies the individual web.log files into a central area where Urchin has read access rights. The permissions on the log files as they are copied would be such that only Urchin can read them, thus preserving your data privacy. You can then set the Urchin log destiny parameter to delete the copy of the log once it has been processed.