Package: apache Version: 1.3.33-2 Severity: minor Tags: security Hi. /var/log/apache is world-readable, so users can e.g. check whether certain operation triggered an error. And given that the error strings are pretty standardized, they can guess what string has been added to the logfile, judging by the number of bytes that was appended to the log. As this is not very obvious to the system administrator, and as there is no use of /var/log/apache directory being readable and searchable while the files in it are not, apart from the information disclosure described above, I think it should be chmod-ed 750, just as the logs in it are chmod 640. Thanks. Jan. -- System Information: Debian Release: 3.1 APT prefers testing APT policy: (700, 'testing') Architecture: i386 (i686) Kernel: Linux 2.4.28-jan Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 (charmap=ISO-8859-2) Versions of packages apache depends on: ii apache-common 1.3.33-2 Support files for all Apache webse ii debconf 1.4.30.10 Debian configuration management sy ii dpkg 1.10.25 Package maintenance system for Deb ii libc6 2.3.2.ds1-18 GNU C Library: Shared libraries an ii libdb4.2 4.2.52-17 Berkeley v4.2 Database Libraries [ ii libexpat1 1.95.8-1 XML parsing C library - runtime li ii libmagic1 4.12-1 File type determination library us ii logrotate 3.7-2 Log rotation utility ii mime-support 3.28-1 MIME files 'mime.types' & 'mailcap ii perl 5.8.4-3 Larry Wall's Practical Extraction -- debconf information: apache/init: true apache/server-port: 80 apache/document-root: /var/www apache/server-admin: webmaster@localhost apache/server-name: localhost * apache/enable-suexec: false -- )^o-o^| jabber: rdancer@NJS.NetLab.Cz | .v K e-mail: jjminar FastMail FM ` - .' phone: +44(0)7981 738 696 \ __/Jan icq: 345 355 493 __|o|__Minář irc: rdancer@IRC.FreeNode.Net
Attachment:
pgp4rHdR_U4H2.pgp
Description: PGP signature