Re: apache question

To: Ian Zimmerman <itz@speakeasy.org>
Cc: debian-user@lists.debian.org
Subject: Re: apache question
From: Ethan Benson <erbenson@alaska.net>
Date: Thu, 25 May 2000 20:07:10 -0800
Message-id: <[🔎] 20000525200710.O29071@plato.local.lan>
In-reply-to: <[🔎] 868zwy802z.fsf@kronstadt.speakeasy.org>; from itz@speakeasy.org on Thu, May 25, 2000 at 08:25:08PM -0700
References: <[🔎] 813C64B2C7E6D311A85600500450F99C16A70B@EXCHANGE> <[🔎] 20000522011243.A7243@plato.local.lan> <[🔎] 868zwy802z.fsf@kronstadt.speakeasy.org>

On Thu, May 25, 2000 at 08:25:08PM -0700, Ian Zimmerman wrote:
> 
> Ethan> however one thing you should do on a debian system is chown
> Ethan> /var/www to root and make sure its not group writable.  also
> Ethan> chown /var/log/apache/* to root.adm and make sure the
> Ethan> permissions are 640 or 644.  (you have to fix the apache cron
> Ethan> jobs to not undo this change)
> 
> Ethan> for some insane reason debian leaves the www-root owned by
> Ethan> www-data.www-data (the same user debian runs apache as) along
> Ethan> with the logs.  this is totally wrong as the web server user
> Ethan> should NOT own files or have any write permission to anything.
> Ethan> if it does then all it takes is one of those unprivileged child
> Ethan> processes to be exploited and your web site can be replaced and
> Ethan> your logs can be removed. bad bad bad.
> 
> As for the document tree, I largely agree.  But as for the logs, don't
> the child servers need to write them, almost by definition?

no, the child processes do not write the log files, the parent does,
here is an apache setup on a redhat box, running www.linuxppc.org:

[eb@www eb]$ ps aux | grep httpd
eb       14908  0.0  0.1   784   212  p0 R    20:44   0:00 grep httpd
nobody   14610  0.0  6.0 12464  9728  ?  S    18:14   0:01 httpd
nobody   14718  0.0  1.2  2944  1956  ?  S    19:24   0:02 httpd
nobody   14738  0.0  1.2  2964  1992  ?  S    19:30   0:02 httpd
[snip]
nobody   14884  0.0  1.0  2872  1732  ?  S    20:37   0:00 httpd
nobody   14885  0.0  1.1  2852  1856  ?  S    20:37   0:00 httpd
nobody   14886  0.0  1.0  2796  1652  ?  S    20:37   0:00 httpd
root     18824  0.0  0.9  2772  1596  ?  S   May  2   0:11 httpd
[eb@www eb]$ ls -ld /var/log/httpd/
drwxr-xr-x   2 root     root         1024 May 21 04:02 /var/log/httpd/
[eb@www eb]$ ls -l /var/log/httpd/
total 119032
-rw-r--r--   1 root     root     48090120 May 25 20:44 access_log
-rw-r--r--   1 root     root      1267634 May 21 04:01 access_log.1.gz
-rw-r--r--   1 root     root     70740267 May  7 04:01 access_log.2
-rw-r--r--   1 root     root       434583 May 25 20:44 error_log
-rw-r--r--   1 root     root        20858 May 21 04:02 error_log.1.gz
-rw-r--r--   1 root     root       847416 May  7 04:02 error_log.2

the logs most certainly are being written to properly.  

all keeping the logs owned by the unpriviledged user seems to buy you
is a security hole.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

Attachment: pgp7cxXgFsnGO.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: apache question
  - From: Ernest Johanson <ejohan@fuller.edu>
- Re: apache question
  - From: Nathan E Norman <nnorman@midco.net>

References:
- apache question
  - From: Dominic Blythe <Dominic.Blythe@BCPSoftware.com>
- Re: apache question
  - From: Ethan Benson <erbenson@alaska.net>
- Re: apache question
  - From: Ian Zimmerman <itz@speakeasy.org>

Prev by Date: Re: Colormaps in Linux
Next by Date: Re: FTP and GNOME
Previous by thread: Re: apache question
Next by thread: Re: apache question
Index(es):
- Date
- Thread