[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)



Package: apache
Version: 1.3.33-2
Severity: minor
Tags: security

Hi.

/var/log/apache is world-readable, so users can e.g. check whether
certain operation triggered an error.  And given that the error strings
are pretty standardized, they can guess what string has been added to
the logfile, judging by the number of bytes that was appended to the
log.

As this is not very obvious to the system administrator, and as there is
no use of /var/log/apache directory being readable and searchable while
the files in it are not, apart from the information disclosure described
above, I think it should be chmod-ed 750, just as the logs in it are
chmod 640.

Thanks.
Jan.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (700, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.28-jan
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 (charmap=ISO-8859-2)

Versions of packages apache depends on:
ii  apache-common               1.3.33-2     Support files for all Apache webse
ii  debconf                     1.4.30.10    Debian configuration management sy
ii  dpkg                        1.10.25      Package maintenance system for Deb
ii  libc6                       2.3.2.ds1-18 GNU C Library: Shared libraries an
ii  libdb4.2                    4.2.52-17    Berkeley v4.2 Database Libraries [
ii  libexpat1                   1.95.8-1     XML parsing C library - runtime li
ii  libmagic1                   4.12-1       File type determination library us
ii  logrotate                   3.7-2        Log rotation utility
ii  mime-support                3.28-1       MIME files 'mime.types' & 'mailcap
ii  perl                        5.8.4-3      Larry Wall's Practical Extraction 

-- debconf information:
  apache/init: true
  apache/server-port: 80
  apache/document-root: /var/www
  apache/server-admin: webmaster@localhost
  apache/server-name: localhost
* apache/enable-suexec: false

-- 
 )^o-o^|    jabber: rdancer@NJS.NetLab.Cz
 | .v  K    e-mail: jjminar FastMail FM
 `  - .'     phone: +44(0)7981 738 696
  \ __/Jan     icq: 345 355 493
 __|o|__Minář  irc: rdancer@IRC.FreeNode.Net

Attachment: pgpPZH1VYpFdS.pgp
Description: PGP signature


Reply to: