[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

simon@nuit.ca wrote:
| Ce jour Wed, 22 Dec 2004, Fabio Massimo Di Nitto a dit:
|
|
|>-----BEGIN PGP SIGNED MESSAGE-----
|>Hash: SHA1
|>
|>rm@fabula.de wrote:
|>| On Wed, Dec 22, 2004 at 11:44:54AM +0100, Fabio Massimo Di Nitto wrote:
|>|
|
|
| it's funny, 'cause both of you have made good points. thing is, i've
| already chmodded my apache* log dirs 750 =;).
|
| this situation is different here though. only people allowed shell
| access are trusted people, therefore it doesn't matter much.
|
| the thing about security is to layer it. the more layers you have, the
| better.

eheh see.. people here are mumbling about /var/log/apache <- and talking about layers,
why do they have access to /var/log in the first place? ;)

|
| say an attacker breaks through one layer, there is yet another few or
| several layers they have get through to actually do any real harm. chmod
| 750 a log dir may or may not be a part of that. seems it's a touchy
| subject... but privacy concerns - for both individuals and organisations
| -  are important too.

It is a very touchy argument, specially when people want more tight permissions
while others want them more relax to be able to run their favourite apache log
parser to generate stats.

We had a neutral position for ages to avoid to move the balance towards one
or another side and we are not going to change it.

|
| how about: either having a short debconf question about chmod 750
| /var/log/apache*, and asking yes or no;

another debconf question would be overkilling.


~ or, a mention in README.Debian
| about it. an admin that wants to do that anyway will do it, and for
| others it might give them something to think about.
|
| (yes this is a proposal *grin*).
|

see that's another point.. an admin that install services should always check them.
For how sane we can provide certain defaults, there will be always thing that will
not work for someone in one way or another.

Fabio

- --
Self-Service law:
The last available dish of the food you have decided to eat, will be
inevitably taken from the person in front of you.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFByXjyhCzbekR3nhgRAqBtAJ0cGC4W2ECNKO8cMXqCagfFWwKF8QCfXfNW
WBS+segxptigxDcXdhzEXNg=
=z07S
-----END PGP SIGNATURE-----
Reply to: