On mw1299.eqiad.wmnet at least, as a member of the wikidev group I am unable to access /var/log/mediawiki/jobrunner.log which is only available to root:adm:
$ ls -l /var/log/mediawiki/jobrunner.log -rw-r----- 1 root adm 32241612 Sep 19 15:27 /var/log/mediawiki/jobrunner.log
The jobrunner service runs as www-data and /var/log/mediawiki is drwxr-xr-x 2 www-data wikidev.
Puppet has:
# /var/log/mediawiki contains log files for the MediaWiki jobrunner # and for various periodic jobs that are managed by cron. file { '/var/log/mediawiki': ensure => directory, owner => $::mediawiki::users::web, group => 'wikidev', mode => '0644', }
The hosts have been switched from Trusty with upstart to Jessie with I assume systemd. In upstart we used to have the upstart service to pass to start-stop-daemon --chuid which came from $::mediawiki::users::web.
The systemd template uses the same puppet variable and on mw1299.eqiad.wmnet:
[Unit] Description="Mediawiki job queue runner loop" After=hhvm.service [Service] EnvironmentFile=/etc/default/jobrunner User=www-data Group=www-data SyslogIdentifier=jobrunner ExecStart=/usr/bin/php /srv/deployment/jobrunner/jobrunner/redisJobRunnerService --config-file=${JOBRUNNER_CONFIG} ${DAEMON_OPTS} Restart=always [Install] WantedBy=multi-user.target
systemd does spawn the service as www-data.