
log _subdirectory_ permissions

Open dpantel opened this issue 4 months ago • 8 comments

Issue Details

I know log permissions have been discussed before and resulted in a mode option for the file output of the log directive.

However, this option does not apply to any subdirectories that Caddy might create during logging.

For example:

My log directory is: caddy:caddy | 0755 | /var/log/caddy

My Caddyfile logging snippet:

log {args[0]} {
	output file /var/log/caddy/{args[0]}/access.log {
		mode 0644
	}
}

The created file is: 0644 | /var/log/caddy/example/access.log, as requested.

However, the created subdirectory is 0700 | /var/log/caddy/example/.

To me, this is counter-intuitive and undesired behavior, as the end-result is not what I requested in the configuration.

I think it would make sense if any created directories followed the file mode setting in the config. I.e., w -> w and r -> rX.

Assistance Disclosure

AI not used

If AI was used, describe the extent to which it was used.

No response

dpantel avatar Oct 21 '25 17:10 dpantel

Your directory can't be 644, otherwise the files within it can't be accessed. It doesn't make sense to apply those permissions to directories; they need the execute bit, and I don't think setting the permissions to a setting other than what the user specifies is intuitive. As-is, the permissions apply only to files, not directories, so we're true to the config.

mholt avatar Oct 21 '25 18:10 mholt

We could add a dir_mode option or something alongside mode for the file, I guess. Or make mode accept an optional second argument for the dir perm to use. PRs welcome.

francislavoie avatar Oct 21 '25 20:10 francislavoie

I understand 644 does not make sense for a directory, which is why I ~~mentioned~~ implied a translation layer. I haven't gone through all the permutations, but it could be as easy as +1 every non-zero value. So 644 -> 755, 600 -> 700, etc.

One limitation of this approach is the implicitness of the action. Another is that I am sure someone will find an edge case where they want the file and the containing directory to have divergent permissions. I can't think of a scenario off the top of my head, but I'm sure someone will come up with it.

The solution is, as @francislavoie mentioned, to have an extra explicit option for any created directories. +1 for fine-tuning and explicitness, -1 for potentially cluttering the options.

Edit: One more thought... I actually like this the best so far... why not use the mode of the parent log directory? It's explicit in the sense that the user will set whatever permissions for that directory they need. And there is no translation required.

dpantel avatar Oct 21 '25 22:10 dpantel

> why not use the mode of the parent log directory?

Wouldn't that give the log files the executable bit?

mholt avatar Oct 22 '25 01:10 mholt

@mholt Apologies, we are miscommunicating...

For the log files, you would use 'mode' option as defined (or default). While creating the file, if there are any directories that need to be created to reach the target log file, then you re-use the mode of the inner-most existing directory.

Following my example above:

  1. Try to create /var/log/caddy/example/access.log with mode 0644
  2. /var/log/caddy/example/ does not exist...
  3. Does its parent directory exist?
    • chop the innermost directory and repeat 2 & 3 until the answer is "yes"
  4. /var/log/caddy/ exists; its mode is 0755
  5. create /var/log/caddy/example/ with that mode.

dpantel avatar Oct 22 '25 16:10 dpantel
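
The steps in the comment above, together with the r -> rX translation proposed earlier in the issue, written out as an added Go example. It is not Caddy's code or the change in #7335; the function names `DirModeFromFile` and `MkdirAllLikeParent` and the temp directory standing in for /var/log/caddy are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// DirModeFromFile applies the "r -> rX" idea: each class that may read the
// file may also search the directory, so 0644 -> 0755 and 0600 -> 0700.
func DirModeFromFile(file os.FileMode) os.FileMode {
	p := file.Perm()
	return p | (p&0o444)>>2 // r bit (4) of a class also sets its x bit (1)
}

// MkdirAllLikeParent creates the missing directories of dir, giving each the
// permission bits of the innermost ancestor that already exists.
func MkdirAllLikeParent(dir string) (os.FileMode, error) {
	var missing []string
	cur := filepath.Clean(dir)
	info, err := os.Stat(cur)
	for os.IsNotExist(err) { // chop the innermost component and retry
		missing = append(missing, cur)
		cur = filepath.Dir(cur)
		info, err = os.Stat(cur)
	}
	if err != nil || !info.IsDir() {
		return 0, fmt.Errorf("no usable ancestor directory at %s (%v)", cur, err)
	}
	mode := info.Mode().Perm()
	for i := len(missing) - 1; i >= 0; i-- { // create outermost first
		// Mkdir is filtered by the umask; Chmod then makes the mode exact.
		if err = os.Mkdir(missing[i], mode); err == nil {
			err = os.Chmod(missing[i], mode)
		}
		if err != nil {
			return 0, err
		}
	}
	return mode, nil
}

func main() {
	base, _ := os.MkdirTemp("", "caddylog") // constructed stand-in for /var/log/caddy
	defer os.RemoveAll(base)
	os.Chmod(base, 0o755)
	mode, err := MkdirAllLikeParent(filepath.Join(base, "example"))
	fmt.Printf("inherited %04o (err=%v); derived from 0644: %04o\n", mode, err, DirModeFromFile(0o644))
}
```

With inheritance the result depends entirely on the existing ancestor: a 0777 ancestor yields 0777 subdirectories, whereas the derived mode depends only on the configured file mode.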

Ah... I suppose so, but part of me is worried that could lead to overly-open permissions depending on what exists and where it's stored. I'd rather have the permissions be reliable.

mholt avatar Oct 23 '25 14:10 mholt

Not sure about other systems, but on Debian (+flavors), installed from the repository, Caddy runs as user caddy. This means that to write logs to a file, I had to manually create a target directory owned by that user and with the permissions I wanted.

dpantel avatar Oct 23 '25 15:10 dpantel

@mholt @dpantel @francislavoie Created #7335 that solves this issue

DeRuina avatar Nov 03 '25 07:11 DeRuina