[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

Ce jour Wed, 22 Dec 2004, Fabio Massimo Di Nitto a dit:

> Hash: SHA1
> simon@nuit.ca wrote:
> | Ce jour Wed, 22 Dec 2004, Fabio Massimo Di Nitto a dit:
> |
> | it's funny, 'cause both of you have made good points. thing is, i've
> | already chmodded my apache* log dirs 750 =;).
> |
> | this situation is different here though. only people allowed shell
> | access are trusted people, therefore it doesn't matter much.
> |
> | the thing about security is to layer it. the more layers you have, the
> | better.
> eheh see.. people here are mumbling about /var/log/apache <- and talking 
> about layers,
> why do they have access to /var/log in the first place? ;)

hehe. i know - on this box i do, and one other person does. but they're
in sudoers ;).

> |
> | say an attacker breaks through one layer, there is yet another few or
> | several layers they have get through to actually do any real harm. chmod
> | 750 a log dir may or may not be a part of that. seems it's a touchy
> | subject... but privacy concerns - for both individuals and organisations
> | -  are important too.
> It is a very touchy argument, specially when people want more tight 
> permissions
> while others want them more relax to be able to run their favourite apache 
> log
> parser to generate stats.

yeh. i just set one up recently (log parser). i'm basically playing
"chown this to that, but chmod it to that other thing, so we balance
security and access". so i have 750, but chmoded differently from the

> We had a neutral position for ages to avoid to move the balance towards one
> or another side and we are not going to change it.
> |
> | how about: either having a short debconf question about chmod 750
> | /var/log/apache*, and asking yes or no;
> another debconf question would be overkilling.

too true =).

> ~ or, a mention in README.Debian
> | about it. an admin that wants to do that anyway will do it, and for
> | others it might give them something to think about.
> |
> | (yes this is a proposal *grin*).
> |
> see that's another point.. an admin that install services should always 
> check them.
> For how sane we can provide certain defaults, there will be always thing 
> that will
> not work for someone in one way or another.

*ahem* a reasonable admin ;).

> Fabio
> - --
> Self-Service law:
> The last available dish of the food you have decided to eat, will be
> inevitably taken from the person in front of you.
> Version: GnuPG v1.2.5 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
> WBS+segxptigxDcXdhzEXNg=
> =z07S
> -- 
> To UNSUBSCRIBE, email to debian-apache-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact 
> listmaster@lists.debian.org

"We're not talking about the same thing," he said. "For you the world is
weird because if you're not bored with it you're at odds with it. For me
the world is weird because it is stupendous, awesome, mysterious,
unfathomable; my interest has been to convince you that you must accept
responsibility for being here, in this marvelous world, in this marvelous
desert, in this marvelous time.  I wanted to convince you that you must
learn to make every act count, since you are going to be here for only a
short while, in fact, too short for witnessing all the marvels of it."
                -- Don Juan

Attachment: signature.asc
Description: Digital signature

Reply to: