How to determine files that apache "cannot open for reading" in error log

Question

My apache error log is full of

Error opening file for reading: Permission denied
Error opening file for reading: Permission denied
Error opening file for reading: Permission denied

etc.

How can I determine the file or folder of files that is causing this permissions error? There's no direct relation between errors appearing and access_log requests.

Googling suggests I should use strace but when I do

strace apache2 

or

strace -etrace:open apache2

the response is verbose and since I haven't really used this tool successfully before, I'm not sure what to look for. Here's a trace of what appears.

.....
open("/lib/x86_64-linux-gnu/libnss_nis.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
apache2: bad user name ${APACHE_RUN_USER}

The last line is the only one that seems it might be the cause, but my webserver is processing images, and all sorts of disk stuff that would be a problem if the apache user wasn't sufficient.

Thanks.

Answer 1

I'm not very knowledgeable about strace, but I think you will need to do a few other things to get Apache to run as you want.

If you just run the apache2 binary, your program will stop (as you noted) with a bad user name because typically the apache username/group are set as part of the config (in /etc/apache2/envvars on my Ubuntu 12.04 installation).

What I found easiest was to find the apachectl script on my machine, and search for "start)". You will find a line that looks like:

$HTTPD ${APACHE_ARGUMENTS} -k $ARGV

you can add your strace here so it looks like:

strace -etrace:open -f $HTTPD ${APACHE_ARGUMENETS} -k $ARGV

You need to include the -f option as apache will spawn a number of processes and you want to trace them all most likely, at least this is what worked for me :)