
Bug#286740: marked as done (apache: log directory should have same permissions as logfiles (possible information disclosure))



Your message dated Wed, 22 Dec 2004 09:57:13 +0100
with message-id <41C936E9.10700@fabbione.net>
and subject line Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 21 Dec 2004 22:07:06 +0000
>From jjminar@fastmail.fm Tue Dec 21 14:07:06 2004
Return-path: <jjminar@fastmail.fm>
Received: from host81-134-51-163.in-addr.btopenworld.com (mail.haltyr.dejvice.czf) [81.134.51.163] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Cgs9p-0001zs-00; Tue, 21 Dec 2004 14:07:06 -0800
Received: by mail.haltyr.dejvice.czf (Postfix, from userid 1000)
	id 7439648EA; Tue, 21 Dec 2004 21:41:35 +0000 (GMT)
Date: Tue, 21 Dec 2004 21:41:35 +0000
From: Jan Minar <jjminar@FastMail.FM>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache: log directory should have same permissions as logfiles (possible information disclosure)
Message-ID: <20041221214135.GA29767@kontryhel.haltyr.dyndns.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="nFreZHaLTZJo0R7j"
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 


--nFreZHaLTZJo0R7j
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: apache
Version: 1.3.33-2
Severity: minor
Tags: security

Hi.

/var/log/apache is world-readable, so users can e.g. check whether
a certain operation triggered an error.  And given that the error strings
are pretty standardized, they can guess what string has been added to
the logfile, judging by the number of bytes that was appended to the
log.

As this is not very obvious to the system administrator, and as there is
no use in the /var/log/apache directory being readable and searchable while
the files in it are not, apart from the information disclosure described
above, I think it should be chmod-ed 750, just as the logs in it are
chmod 640.

Thanks.
Jan.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (700, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.28-jan
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 (charmap=ISO-8859-2)

Versions of packages apache depends on:
ii  apache-common               1.3.33-2     Support files for all Apache webse
ii  debconf                     1.4.30.10    Debian configuration management sy
ii  dpkg                        1.10.25      Package maintenance system for Deb
ii  libc6                       2.3.2.ds1-18 GNU C Library: Shared libraries an
ii  libdb4.2                    4.2.52-17    Berkeley v4.2 Database Libraries [
ii  libexpat1                   1.95.8-1     XML parsing C library - runtime li
ii  libmagic1                   4.12-1       File type determination library us
ii  logrotate                   3.7-2        Log rotation utility
ii  mime-support                3.28-1       MIME files 'mime.types' & 'mailcap
ii  perl                        5.8.4-3      Larry Wall's Practical Extraction

-- debconf information:
  apache/init: true
  apache/server-port: 80
  apache/document-root: /var/www
  apache/server-admin: webmaster@localhost
  apache/server-name: localhost
* apache/enable-suexec: false

-- 
 )^o-o^|    jabber: rdancer@NJS.NetLab.Cz
 | .v  K    e-mail: jjminar FastMail FM
 `  - .'     phone: +44(0)7981 738 696
  \ __/Jan     icq: 345 355 493
 __|o|__Minář  irc: rdancer@IRC.FreeNode.Net

--nFreZHaLTZJo0R7j
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFByJiO+uczK20Fa5cRApTVAJ9g/qNa4eq15MzbYAyz7eFZfcIj1QCfeMdu
IFCwq8a7tfhwUkrmDGMuPzg=
=igao
-----END PGP SIGNATURE-----

--nFreZHaLTZJo0R7j--
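
Added example (not part of the original report, nor code from the Debian apache package): an audit check for the mismatch the report describes, where a log directory grants "other" list or search rights while the files inside are not readable by "other". The function names, the 755 starting mode and the temporary directory layout are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def exposed_metadata(log_dir):
    """List files 'other' cannot read but whose metadata the directory mode exposes."""
    dmode = stat.S_IMODE(os.stat(log_dir).st_mode)
    leaks = []
    if dmode & stat.S_IROTH:
        leaks.append("names")        # r on a directory: entries can be listed
    if dmode & stat.S_IXOTH:
        leaks.append("size/mtime")   # x on a directory: entries can be stat()ed
    if not leaks:
        return []
    findings = []
    for name in sorted(os.listdir(log_dir)):
        st = os.lstat(os.path.join(log_dir, name))
        if stat.S_ISREG(st.st_mode) and not st.st_mode & stat.S_IROTH:
            findings.append((name, leaks))
    return findings

def matching_dir_mode(file_mode):
    """Directory mode that grants search (x) only to classes allowed to read the files."""
    mode = file_mode
    pairs = ((stat.S_IRUSR, stat.S_IXUSR),
             (stat.S_IRGRP, stat.S_IXGRP),
             (stat.S_IROTH, stat.S_IXOTH))
    for r_bit, x_bit in pairs:
        if file_mode & r_bit:
            mode |= x_bit
    return mode

def demo():
    """Constructed layout: a 755 directory holding 640 logs, then the tightened directory."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("access.log", "error.log"):
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write("constructed sample line\n")
            os.chmod(path, 0o640)
        os.chmod(d, 0o755)                      # assumed world-readable starting state
        before = exposed_metadata(d)
        os.chmod(d, matching_dir_mode(0o640))   # 640 files -> 750 directory
        after = exposed_metadata(d)
        return before, after

if __name__ == "__main__":
    print(demo())
```
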

---------------------------------------
Received: (at 286740-done) by bugs.debian.org; 22 Dec 2004 08:57:37 +0000
>From fabbione@fabbione.net Wed Dec 22 00:57:37 2004
Return-path: <fabbione@fabbione.net>
Received: from port49.ds1-van.adsl.cybercity.dk (trider-g7.fabbione.net) [212.242.141.114] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Ch2JN-0007Mi-00; Wed, 22 Dec 2004 00:57:37 -0800
Received: from localhost (localhost [127.0.0.1])
	by trider-g7.fabbione.net (Postfix) with ESMTP id 4DB78407D;
	Wed, 22 Dec 2004 09:57:33 +0100 (CET)
Received: from trider-g7.fabbione.net ([127.0.0.1])
	by localhost (trider-g7 [127.0.0.1]) (amavisd-new, port 10024)
	with LMTP id 01033-01-5; Wed, 22 Dec 2004 09:57:18 +0100 (CET)
Received: from [192.168.1.6] (gordian.int.fabbione.net [192.168.1.6])
	by trider-g7.fabbione.net (Postfix) with ESMTP id 4BA284059;
	Wed, 22 Dec 2004 09:57:13 +0100 (CET)
Message-ID: <41C936E9.10700@fabbione.net>
Date: Wed, 22 Dec 2004 09:57:13 +0100
From: Fabio Massimo Di Nitto <fabbione@fabbione.net>
User-Agent: Mozilla Thunderbird 0.9 (X11/20041203)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Jan Minar <jjminar@FastMail.FM>, 286740-done@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#286740: apache: log directory should have same permissions
 as logfiles (possible information disclosure)
References: <20041221214135.GA29767@kontryhel.haltyr.dyndns.org>
In-Reply-To: <20041221214135.GA29767@kontryhel.haltyr.dyndns.org>
X-Enigmail-Version: 0.89.0.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at fabbione.net
Delivered-To: 286740-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER,
	VALID_BTS_CONTROL autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 
X-CrossAssassin-Score: 2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

tag 286740 - security
thanks

Jan Minar wrote:
| Package: apache
| Version: 1.3.33-2
| Severity: minor
| Tags: security
|
| Hi.
|
| /var/log/apache is world-readable, so users can e.g. check whether
| a certain operation triggered an error.  And given that the error strings
| are pretty standardized, they can guess what string has been added to
| the logfile, judging by the number of bytes that was appended to the
| log.
|
| As this is not very obvious to the system administrator, and as there is
| no use in the /var/log/apache directory being readable and searchable while
| the files in it are not, apart from the information disclosure described
| above, I think it should be chmod-ed 750, just as the logs in it are
| chmod 640.
|

There is no point in such an operation. If a user has a local account,
they also have at least a few thousand other options to make a DoS on apache.

Fabio

- --
Self-Service law:
The last available dish of the food you have decided to eat, will be
inevitably taken from the person in front of you.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD4DBQFByTbnhCzbekR3nhgRAjcpAJjYDWj4Lt6SPsX9yqXmAvFFowgqAJ0dy+ef
jieTMQIlkle65MZ3OxxICQ==
=NWLS
-----END PGP SIGNATURE-----


