
Bug#191237: No, this could be a security problem.



retitle 191237 Default apache logfiles: world readable yes/no?
tags 191237 =
thanks

On Sat, Nov 29, 2003 at 06:30:46PM +0000, Thom May wrote:
> tags 191237 wontfix
> thanks
> 
> The reason that this is not done is that the logs could contain sensitive data
> such as credit card details. This is also the reason the logs are not world
> readable.
> As such, I think I won't fix this "bug".

Currently, new logfiles are created by apache with 0640 root.root,
making them root-only readable. Logrotate will create the next one 0644
root.adm, making them world-readable.

This is inconsistent, but more importantly, this is completely orthogonal
to what you, Thom, say here, as logfiles now ARE being made
world-readable.

I don't think they should, 0640 root.adm in all cases is a good default.

--Jeroen

-- 
Jeroen van Wolffelaar
jeroen@wolffelaar.nl
http://jeroen.A-Eskwadraat.nl
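
The mismatch described in the message above can be checked mechanically. The following is an added example, not part of the original message or of the Debian apache package: it scans logrotate stanzas for `create` directives and reports any that are world-readable or differ from the 0640 root.adm default the message proposes. The sample config, its paths and the function name `audit_logrotate` are assumptions made for illustration.

```python
import re
import stat

# Constructed sample config: paths and options are assumptions for illustration.
SAMPLE_CONF = """\
/var/log/apache/*.log {
    weekly
    rotate 52
    create 644 root adm
}
/var/log/example/*.log {
    daily
    create 0640 root adm
}
/var/log/nocreate/*.log {
    weekly
}
"""

# One stanza: "<paths> { ... }". Bodies containing "}" (e.g. in scripts) are not handled.
STANZA = re.compile(r"^(?P<paths>[^#\n{]+?)\s*\{(?P<body>[^}]*)\}", re.M)
CREATE = re.compile(
    r"^\s*create\s+(?P<mode>[0-7]{3,4})(?:\s+(?P<owner>\S+)\s+(?P<group>\S+))?", re.M)

def audit_logrotate(conf_text, want_mode=0o640, want_owner="root", want_group="adm"):
    """Return (paths, problem) tuples for stanzas that deviate from the wanted default."""
    findings = []
    for m in STANZA.finditer(conf_text):
        paths = m.group("paths").strip()
        c = CREATE.search(m.group("body"))
        if c is None:
            findings.append((paths, "no explicit create mode in this stanza"))
            continue
        mode = int(c.group("mode"), 8)
        owner, group = c.group("owner"), c.group("group")
        if mode & stat.S_IROTH:
            findings.append((paths, f"create mode {mode:04o} is world-readable"))
        elif mode != want_mode:
            findings.append((paths, f"create mode {mode:04o}, wanted {want_mode:04o}"))
        elif (owner, group) != (want_owner, want_group):
            findings.append((paths, f"owner/group {owner}.{group}, wanted {want_owner}.{want_group}"))
    return findings

if __name__ == "__main__":
    for paths, problem in audit_logrotate(SAMPLE_CONF):
        print(f"{paths}: {problem}")
```

A stanza without its own `create` line is reported separately because its effective mode then depends on settings outside the stanza.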


