How to configure caddy to write log files readable by other users?

1. The problem I’m having:

I’m trying to scrape the caddy logs with promtail, but the logs are written so that only the caddy user can access them. This prevents promtail or any other user on the system from reading them.

How can I make the log files readable by other users?

I’ve already tried setting the sticky bit for group permissions and configuring a default ACL for the directory, but to no avail.

2. Error messages and/or full log output:

$ ll /var/log/caddy
total 348K
drwxr-sr-x+ 2 caddy caddy 4.0K Oct 13 10:10 .
drwxr-xr-x  7 root  root  4.0K Oct 12 09:37 ..
-rw-------  1 caddy caddy  23K Oct 13 10:09 caddy.log
$ sudo -u promtail cat /var/log/caddy/caddy.log
cat: /var/log/caddy/caddy.log: Permission denied
$ sudo setfacl -d -m g::r /var/log/caddy
$ sudo setfacl -d -m o::r /var/log/caddy
$ sudo getfacl  /var/log/caddy
getfacl: Removing leading '/' from absolute path names
# file: var/log/caddy
# owner: caddy
# group: caddy
# flags: -s-
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r--
default:other::r--
$ sudo rm /var/log/caddy/caddy.log
$ sudo systemctl restart caddy
$ ll /var/log/caddy
total 348K
drwxr-sr-x+ 2 caddy caddy 4.0K Oct 13 10:10 .
drwxr-xr-x  7 root  root  4.0K Oct 12 09:37 ..
-rw-------  1 caddy caddy  23K Oct 13 10:34 caddy.log

3. Caddy version:

v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

4. How I installed and ran Caddy:

a. System environment:

b. Command:

sudo systemctl start caddy

c. Service/unit/compose file:

It’s the default unit file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile

{
    email caddy.spotty065@passmail.net
    servers {
        metrics
    }
    admin 0.0.0.0:2019
    log {
        output file /var/log/caddy/caddy.log {
            roll_size 50MiB
            roll_keep 5
            roll_keep_for 100d
            roll_uncompressed
        }
        format json
        level INFO
    }
}

(default_logging) {
    log {
        hostnames {args[0]}
        output file /var/log/caddy/{args[0]}.log {
            roll_size 50MiB
            roll_keep 5
            roll_keep_for 100d
            roll_uncompressed
        }
        format json
        level INFO
    }
}

www.spotty.de {
    redir https://spotty.de{uri}
}

spotty.de {
    root /srv/spotty
    encode zstd gzip
    import default_logging spotty.de
    tracing {
        span rootsite
    }
}

5. Links to relevant resources:

What I do is stream them to syslog-ng on the same system.


We have a change landing in v2.9.0 to allow you to set the file mode: logging: Allow setting log file permissions by ririsoft · Pull Request #6314 · caddyserver/caddy · GitHub. This will likely let you do what you want.

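Why the default ACL in the first post had no effect, and why a writer-side mode option is the fix: when a process creates a file, the kernel takes the mode passed to open(2) and removes bits from it (via the umask, or via the directory's default ACL entries when one exists); neither mechanism can add permission bits the creating process did not ask for, so a log writer that opens its file with 0600 always yields an owner-only file no matter how the directory is configured. The constructed script below (added here, not code from the thread or from Caddy) shows this with a fully permissive umask in a temporary directory and includes a small readability check you can point at a real log path.

```python
"""Constructed demonstration: the requested create mode is an upper
bound on a new file's permissions; umask and default ACLs only subtract."""
import os
import stat
import tempfile


def create_with_mode(path: str, mode: int) -> int:
    """Create `path` requesting `mode` via open(2) and return the
    permission bits the kernel actually applied."""
    old_umask = os.umask(0)  # umask removes nothing, so only `mode` limits the result
    try:
        fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, mode)
        os.close(fd)
    finally:
        os.umask(old_umask)
    return stat.S_IMODE(os.stat(path).st_mode)


def readable_by_others(path: str) -> bool:
    """True if users outside the owner and owning group can read `path`.
    Inspects classic mode bits only; extended ACL entries are not checked."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def demo() -> dict:
    """Create one file with 0600 (what an owner-only log writer asks for)
    and one with 0644, returning {label: (applied_mode, readable_by_others)}."""
    result = {}
    with tempfile.TemporaryDirectory() as d:
        for label, mode in (("0600", 0o600), ("0644", 0o644)):
            path = os.path.join(d, label + ".log")
            result[label] = (create_with_mode(path, mode), readable_by_others(path))
    return result


if __name__ == "__main__":
    for label, (applied, others) in demo().items():
        print(f"requested {label}: applied {applied:04o}, readable by others: {others}")
```

Run `readable_by_others("/var/log/caddy/caddy.log")` as the scraping user to confirm whether a mode change on the writer side has taken effect.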

Wonderful, then I’ll just wait 🙂
