
Re: World readable log files



Olaf Meeuwissen said:
> The following are world readable on my rather spartan system:
> 
>   /var/log/apache/access.log*
>   /var/log/apache/error.log*

If you have not already done so, I suggest that you file this as a bug.  (If
you don't know how, just install the 'bug' package and issue the command "bug
apache".)  Any HTTP-based software which submits information using GET
requests instead of POST will have that information written into access.log.
In that situation, a world-readable log is a Very Bad Thing, as the
information is likely to include passwords (possibly encrypted, but, for
counterfeit web access, that doesn't matter) and other sensitive information.

I just did the following:

chgrp adm /var/log/apache/*
chmod o-r /var/log/apache/*
/etc/init.d/apache restart

and my install of apache now appears to be able to log properly without
requiring the logs to be world-readable.  I'll just have to check tomorrow to
see whether logrotate preserves these settings automagically or if tomorrow's
new logs are created with the old permissions.

-- 
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphilis. Good thing we have penicillin." - Matthew Alton
Geek Code 3.1:  GCS d- s+: a- C++ UL++$ P+>+++ L+++>++++ E- W--(++) N+ o+
!K w---$ O M- V? PS+ PE Y+ PGP t 5++ X+ R++ tv b+ DI++++ D G e* h+ r++ y+
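
The permission check and fix described in the message above, as an added example that is not part of the original post: the shell functions below (hypothetical names) list log files whose other-read bit is set, strip that bit, and make the audit return non-zero so it can be rerun after logrotate has created new files. The directory is passed as an argument; the `adm` group is the one used in the post.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on a log directory.
# Function names are hypothetical; pass the directory to check, for
# example /var/log/apache as in the post.

# Print every regular file under $1 whose "other" read bit is set.
world_readable_logs() {
    find "$1" -type f -perm -004 -print 2>/dev/null | sort
}

# Exit status 0 if nothing under $1 is world-readable, 1 otherwise.
# The offending files are listed on stderr, so this can run from cron
# after log rotation to catch files recreated with the old mode.
audit_logs() {
    found=$(world_readable_logs "$1")
    if [ -n "$found" ]; then
        printf 'world-readable log files:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Remove "other" read access from every world-readable file under $1.
# If a group is given as $2 (the post uses adm), also hand the files to
# that group; chgrp needs root or ownership plus group membership.
tighten_logs() {
    dir=$1
    group=${2:-}
    world_readable_logs "$dir" | while IFS= read -r f; do
        if [ -n "$group" ]; then
            chgrp "$group" "$f"
        fi
        chmod o-r "$f"
    done
}

# When called with a directory argument, run the audit on it.
if [ "$#" -gt 0 ]; then
    audit_logs "$1"
fi
```

Saved under a name of your choice and run with the log directory as its argument after the next rotation, the audit shows whether new files kept the tightened mode. If they did not, logrotate's `create` directive (for example `create 640 root adm`) sets the mode, owner and group of each newly created log.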