10
votes

In my first PHP script in many years, I'm trying to log an error:

error_log("my error message", 3, $error_log);

I'm getting an error in the general Apache error log:

PHP Warning: error_log(/var/log/apache2/my_php_errors.log): failed to open stream: Permission denied in /var/www/html/blahblah/my_script.php on line 88

This is what I've checked and tried:

  • Created $error_log with the same ownership (root.adm) and permissions (640) as the Apache error log.
  • Changed the owner to www-data, which is the user PHP is running as.
  • log_errors is On.
  • open_basedir is not set.
  • Using PHP 5.5.x, so safe mode does not exist.

What am I missing?

Edit: It's able to write to the general Apache error log. The mystery is why it can't write to another file in the same directory with the same ownership and permissions.

Edit 2: Another developer told me that this works on his WAMP, so it's something specific to my LAMP stack or config.

2
We need more info on the $error_log variable. It's the destination towards the log file. Leave it empty for a default log file. For example, is it inside or outside the web root directory? If outside, you might want to check the allowed include path in the ini. - Xorifelse
Try using 777 for files that PHP needs to write to and see if that works. - Machavity
@frosty I am my own server admin. - Kevin Krumwiede
Also, make sure SELinux is disabled. People always forget that one. - Machavity
@Xorifelse I already described how I changed the permissions of that file. Anyway, why would I want it to be executable? - Kevin Krumwiede

2 Answers

3
votes

I had the same problem. https://serverfault.com/questions/831444/php-error-log-per-vhost/831666#831666

touch /path/to/php_error.log
chown www-data:www-data /path/to/php_error.log
chmod 755 /path/to/php_error.log

Thanks for leading me to the answer!

0
votes

TL;DR: check that all the ancestor directories allow reads/lists by the web server.

On my system, my equivalent of /var/log/apache2/my_php_errors.log was giving this same error. I eventually did an ls -ld at every level of the path (/, /var/, /var/log/, /var/log/apache2/, /var/log/apache2/my_php_errors.log).

Four of those had permissions that made them readable by the web server. One of them, /var/log/apache2/, did not. When I moved my file out of the apache2 directory, everything started working. E.g. I moved it to /var/log/php/ and set appropriate permissions/ownership (e.g. 750 by www-data.adm) on the new directory.

prompt> ls -ld /var/log/php/
drwxr-x--- 2 www-data adm 4096 Nov  1 13:31 /var/log/php/

You could also change the permissions on /var/log/apache2/, but that seems like a security/privacy issue. It's safer to make a new directory and leave the existing structure as is.

The reason why the permissions have to change is that it is no longer using some version of syslog to publish to the log files. The syslog variants run as root and accept messages from non-root. But in my case, I was specifying the file from the web server, which made the permissions wrong.

There is a fix that uses syslog so that it could keep the same ownership. I did not try to make that work, as this is for a test server.

This may not have been the problem that you were having, but I'm pretty sure that I was using the default permissions for /var/log/apache2/. So it's quite possible that it was the problem. And even if it wasn't, this is one of the places I was searching for troubleshooting advice. So next time something like this happens to me, I'll have a reminder of what to check.
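
The level-by-level ls -ld check from the answer above, automated as an added example (not part of the original posts). It reports the first ancestor directory whose mode bits deny search (x) to a given account, then checks the write bit on the file itself. The function names are hypothetical, and it assumes GNU stat on Linux and looks at mode bits only, ignoring ACLs, SELinux/AppArmor and root's bypass.

```shell
#!/bin/sh
# Added example: mode-bit check of a log path for a given account.
# Assumes GNU stat; function names are hypothetical.

# perm_digit USER "GROUP ..." PATH -> prints the rwx digit (0-7) that applies
perm_digit() {
    pd_info=$(stat -c '%a %U %G' "$3") || return 2
    pd_mode=$(printf '%04d' "${pd_info%% *}")   # pad, e.g. 750 -> 0750
    pd_ugo=${pd_mode#?}                         # drop setuid/setgid/sticky digit
    pd_rest=${pd_info#* }                       # "owner group"
    pd_go=${pd_ugo#?}
    if [ "$1" = "${pd_rest% *}" ]; then
        echo "${pd_ugo%??}"                     # owner class
    else
        case " $2 " in
            *" ${pd_rest#* } "*) echo "${pd_go%?}" ;;   # group class
            *) echo "${pd_ugo#??}" ;;                   # other class
        esac
    fi
}

# log_path_check USER "GROUP ..." /abs/path/to/file
# Prints "blocked DIR", "readonly FILE" or "ok"; returns 0 only for "ok".
log_path_check() {
    lc_cur=/
    lc_rest=$(dirname "$3"); lc_rest=${lc_rest#/}
    while :; do
        lc_d=$(perm_digit "$1" "$2" "$lc_cur") || return 2
        case $lc_d in
            1|3|5|7) ;;                         # search (x) bit present
            *) echo "blocked $lc_cur"; return 1 ;;
        esac
        if [ -z "$lc_rest" ]; then break; fi
        lc_cur=${lc_cur%/}/${lc_rest%%/*}       # descend one path component
        case $lc_rest in
            */*) lc_rest=${lc_rest#*/} ;;
            *)   lc_rest= ;;
        esac
    done
    lc_d=$(perm_digit "$1" "$2" "$3") || return 2
    case $lc_d in
        2|3|6|7) echo "ok" ;;                   # write bit present
        *) echo "readonly $3"; return 1 ;;
    esac
}

# Run as: sh check.sh www-data "www-data" /var/log/apache2/my_php_errors.log
if [ "$#" -eq 3 ]; then log_path_check "$@"; fi
```

Run it as root so stat can reach every level, and pass the account's groups as listed by id -Gn.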