Need help with user rights (Permission denied)

I have a script that reads data for a Munin graph.
My problem is that it has some reading problems, and I do not know how to fix it.

Script traf.sh (it's not the complete script):

#!/bin/sh
# Munin plugin: report inbound traffic for one TCP port from the iptraf log
PORT="80"
NETDEVICE="eth0"
IPTRAFlogdir="/var/log/iptraf"

LOG="$IPTRAFlogdir/tcp_udp_services-${NETDEVICE}.log"
# Field 11 of the last line whose first field matches the port; print it only if one was found
TRAFFICIN=$(awk '$1 ~ port {p=$11} END{if(length(p)) print p}' port="$PORT" "$LOG")
whoami   # debugging aid: which user is running the plugin
echo "trafficin.value ${TRAFFICIN}"

Running it as root with ./traf.sh gives:

root
trafficin.value 653

Running it as Munin with munin-run traf.sh gives:

awk: cmd. line:1: fatal: cannot open file `/var/log/iptraf/tcp_udp_services-eth0.log' for reading (Permission denied)
nobody
trafficin.value

I added whoami just to see who is running the script.
How do I make nobody able to read the file/folders?

If and only if there is no sensitive data in the file, then:

chmod o+r /var/log/iptraf/tcp_udp_services-eth0.log

will grant read permission for that file to everyone who is not the file's owner and is not a member of the file's group (which fits the intended use for user nobody).

The command:

chmod -R o+r /var/log/iptraf

will change the directory named and all files in the file hierarchy below that directory. But, again, log files in an iptraf directory may well show details about users on your system, the sites to which they connect, and data sent to and received from those sites that should be considered PRIVATE data and not made visible to everyone who wants to snoop around on your system.

If the file is removed and recreated by some process on your system, you will need either to run this chmod command in (or before running) this script, or to track down the process(es) that create(s) this log file and either change the umask when creating the file or change its mode immediately after creating it to grant read permission to everyone.

Note that a script running as nobody won't have permission to use the above command to change the mode; chmod will succeed only if it is run by the file's owner or by someone with appropriate privileges (i.e., root on systems that don't have extended privileges mechanisms).

Setting the permission on the file/folder did not help; still the same Permission denied.
What else can prevent Munin from reading it?

Please show us the output sent to stdout and to stderr by the command:

ls -ld /var/log/iptraf/tcp_udp_services-eth0.log /var/log/iptraf /var/log /var
drwxr-xr-x 18 root   root      4096 2012-09-18 10:13 /var
drwxr-xr-x 15 root   root      4096 2012-11-12 06:29 /var/log
drw-r--r--  2 nobody nogroup   4096 2012-11-12 06:28 /var/log/iptraf
-rw-r--rw-  1 nobody nogroup 459638 2012-11-12 20:29 /var/log/iptraf/tcp_udp_services-eth0.log

I may have tried to change owner/group to nobody to be able to read them, without luck.

I STRONGLY REPEAT MY WARNING THAT WHAT YOU ARE DOING IS LIKELY TO MAKE PRIVATE DATA VISIBLE TO THE WORLD!

To get back to a sane state you need to restore the owner and group of /var/log/iptraf and /var/log/iptraf/tcp_udp_services-eth0.log and then (if you really don't mind being sued for disclosing private data) add search permission for owner, group, and other to /var/log/iptraf. You also NEED to remove write permission for class other from /var/log/iptraf/tcp_udp_services-eth0.log.

Although I can't tell what permissions were originally granted the various classes of users by the designers of your system, it is obvious that you did change the owner, group, and permissions on /var/log/iptraf/tcp_udp_services-eth0.log and /var/log/iptraf. If there are any daemons running on your system not running with "all privileges", it is highly likely that with your current settings, you have completely disabled adding log entries to all files in /var/log/iptraf by those daemons unless they had (and still have) the log file open before you changed permissions on /var/log/iptraf.

I did restore the owner by reinstalling iptraf. It did not help:

root@server2 /var/log #ls -ld /var/log/iptraf/tcp_udp_services-eth0.log /var/log/iptraf /var/log /var
drwxr-xr-x 18 root root 4096 2012-09-18 10:13 /var
drwxr-xr-x 15 root root 4096 2012-11-12 22:22 /var/log
drwx---r--  2 root root 4096 2012-11-12 22:27 /var/log/iptraf
-rw-r--r--  1 root root   76 2012-11-12 22:27 /var/log/iptraf/tcp_udp_services-eth0.log

Still error:

awk: cmd. line:1: fatal: cannot open file `/var/log/iptraf/tcp_udp_services-eth0.log' for reading (Permission denied)

I do know a lot about security.
This is a monitor-only server. No user other than me will ever log in.

OK. Now that you're back to a sane starting point, since ls doesn't show that any extended security controls are in use on these directories, the following should loosen security controls enough to allow everybody to read /var/log/iptraf/tcp_udp_services-eth0.log:

chmod 755 /var/log/iptraf

I will take your word for it that you know how to safely handle security issues. In your first message you said that you didn't know who was running the script that doesn't have permission to read this log file (so you added a call to whoami to see who it was). The fact that it showed that it was being executed by user-ID nobody means that it was likely started by a request from a remote system. You are changing the system's security features so that anyone on the same network as this server can read any log file in that directory. I'm not familiar with the iptraf application, but IP traffic being logged on a server need not originate on that server. Just because you're the only one who logs on to that server doesn't mean that IP traffic can't contain data from other users, and doesn't mean that users on other systems on your network won't be able to read sensitive information from log files in that directory.
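The last two answers boil down to one rule: a process in class "other" (user nobody under munin-run) can read the log only if every directory on the path grants search (x) and the file itself grants read (r), which is why chmod o+r on the file did nothing while /var/log/iptraf was drwx---r--. The script below is an added example, not code from the thread, from Munin or from iptraf: it checks a path component by component for that class, also flags a world-writable file like the -rw-r--rw- log seen above, and replays the thread's directory state in a scratch tree. It assumes GNU coreutils stat on Linux.

```shell
#!/bin/sh
# Added example, not code from the thread, from Munin or from iptraf. Walk the
# components of REL below BASE and report each one that stops the "other"
# class (e.g. user nobody under munin-run) from reaching the final file: a
# directory needs search (x), the file needs read (r). A world-writable file,
# like the -rw-r--rw- log seen in the thread, is flagged as well. Mode bits
# come from GNU "stat -c %a" (Linux), which this example assumes.
# Returns 0 only when nothing blocks a read by "other" and no file is o+w.
explain_other_access() {
    base=${1%/}; rel=$2; here=$base; rc=0
    IFS=/; set -- $rel; unset IFS        # split REL into its components
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        here="$here/$comp"
        mode=$(stat -c %a "$here") || return 2
        other=$(( mode % 10 ))          # last octal digit = class "other"
        if [ -d "$here" ]; then
            [ $(( other & 1 )) -ne 0 ] || { echo "NO SEARCH (o-x): $here mode $mode"; rc=1; }
        else
            [ $(( other & 4 )) -ne 0 ] || { echo "NO READ (o-r): $here mode $mode"; rc=1; }
            [ $(( other & 2 )) -eq 0 ] || { echo "WORLD-WRITABLE (o+w): $here mode $mode"; rc=1; }
        fi
    done
    return $rc
}

# Rebuild the thread's directory state in a scratch tree (constructed data) and
# show why "chmod o+r" on the log alone could not help while the directory
# was drwx---r--. Returns 0 if the chmod 755 fix turns failure into success.
demo_thread_state() {
    tree=$(mktemp -d) || return 2
    mkdir -p "$tree/var/log/iptraf"
    : > "$tree/var/log/iptraf/tcp_udp_services-eth0.log"
    chmod 755 "$tree/var" "$tree/var/log"
    chmod 704 "$tree/var/log/iptraf"                            # drwx---r--
    chmod 644 "$tree/var/log/iptraf/tcp_udp_services-eth0.log"  # -rw-r--r--
    echo "before chmod 755 iptraf:"
    explain_other_access "$tree" var/log/iptraf/tcp_udp_services-eth0.log
    before=$?
    chmod 755 "$tree/var/log/iptraf"
    echo "after chmod 755 iptraf:"
    explain_other_access "$tree" var/log/iptraf/tcp_udp_services-eth0.log
    after=$?
    rm -rf "$tree"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}

demo_thread_state
```

Run against the real tree as explain_other_access / var/log/iptraf/tcp_udp_services-eth0.log to see which component denies class "other"; the chmod 755 on the directory in the answer above is what clears the NO SEARCH line.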

Thanks, it works :)

By who is running the script, I meant I do not know which Linux process, not which physical user.