Log file permissions on Linux

JoanneMcGraw · ‎11-29-2013

Does anyone know if ArcGIS Server and the Web Adaptor are giving only their owners read access to the log files they create by default?

Is seems the system settings for new files and directories created by that user are being ignored. More importantly, if that is the case, does anyone know where/what we can configure to provide its group with read access as well?

Cheers,
jtm

JoanneMcGraw · ‎12-10-2013

I contacted ESRI Support about this question and detailed some additional info to them:

In our environment, our ArcGIS Server user has a umask command in its profile that sets its create permissions to 640 (the '4' indicates members of the same group should get read and execute permissions - the execute permissions are necessary in case it's a directory so the group member can "cd" into it). Since the ArcGIS Server is started with the ArcGIS Server user's account, we expected it to use those settings. Instead, new log files continue to be created with 600 permissions.

So, is ArcGIS Server code overriding the umask settings somehow?

And, their response:

Yes, ArcGIS Server will create a file with access for ArcGIS Server account only. It is recommended not to access the log files from outside of ArcGIS Server Manager.

Since ArcGIS Server Manager doesn't provide search capabilities on the logs or the ability to load the entire contents of, say, a VERBOSE-level log in one screen (and because we can't think of any rational reason why granting group members read permissions on those files should be problematic), we're just going to ignore that limitation and continue overwriting ArcGIS Server's permissions for the account after the files are created; pain that that is.

I'll let you know if doing so results in any problems.

Cheers,
jtm

View solution in original post

BubbaHey · ‎12-05-2013

What is the path for the log files? I thought they were under <serverinstall>/usr/logs - but no logs under /usr

JoanneMcGraw · ‎12-05-2013

Our log files are under <serverinstall>/usr/logs, as you suggest. Actually, they are under <serverinstall>/usr/logs/<hostname>, I assume because we have a cluster of two ArcGIS Servers set up. It's the same on both servers; although the hostname is different, of course.

If you do not have a logs directory under usr, that suggests they are configurable in some way; at least in terms of their location. Hopefully, in terms of their permissions also.

Cheers,
jtm

BubbaHey · ‎12-05-2013

Thanks, I'm still looking. Mine was an upgrade from 10.1 - don't know if that is a factor.

ThomasMontefusco · ‎12-05-2013

Bubbahey, look in /arcgis/server/usr/logs, it sounds like you were looking in the ArcGISServer folder (I could be wrong)..

On a default install of ArcGIS Server, my permissions for the logs folder are drwx

ThomasMontefusco · ‎12-05-2013

Sorry cut off -
drwxr-xr-x

BubbaHey · ‎12-05-2013

Ah.... you are correct. Duh. 🙂

My permissions are the same.

JoanneMcGraw · ‎12-06-2013

Sorry cut off -
drwxr-xr-x

Tom/Bubba,
Thank you for your responses.

Are your log file permissions similar? I can get into the directory but, for example, the files under server are only read/write for the ArcGIS user. I can't view their contents as a member of the ArcGIS user group.

Cheers,
jtm

BubbaHey · ‎12-06-2013

As mentioned, mine is an upgrade from 10.1 to 10.2 for my arcgis user I have read/write/execute permissions. But this is an upgrade, I don't know if those are default permissions.

JoanneMcGraw · ‎12-10-2013

I contacted ESRI Support about this question and detailed some additional info to them:

In our environment, our ArcGIS Server user has a umask command in its profile that sets its create permissions to 640 (the '4' indicates members of the same group should get read and execute permissions - the execute permissions are necessary in case it's a directory so the group member can "cd" into it). Since the ArcGIS Server is started with the ArcGIS Server user's account, we expected it to use those settings. Instead, new log files continue to be created with 600 permissions.

So, is ArcGIS Server code overriding the umask settings somehow?

And, their response:

Yes, ArcGIS Server will create a file with access for ArcGIS Server account only. It is recommended not to access the log files from outside of ArcGIS Server Manager.

Since ArcGIS Server Manager doesn't provide search capabilities on the logs or the ability to load the entire contents of, say, a VERBOSE-level log in one screen (and because we can't think of any rational reason why granting group members read permissions on those files should be problematic), we're just going to ignore that limitation and continue overwriting ArcGIS Server's permissions for the account after the files are created; pain that that is.

I'll let you know if doing so results in any problems.

Cheers,
jtm