Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)
On Tue, Dec 21, 2004 at 09:41:35PM +0000, Jan Minar wrote:
> Package: apache
> Version: 1.3.33-2
> Severity: minor
> Tags: security
>
> Hi.
>
> /var/log/apache is world-readable, so users can e.g. check whether
> certain operation triggered an error. And given that the error strings
> are pretty standardized, they can guess what string has been added to
> the logfile, judging by the number of bytes that was appended to the
> log.
>
> As this is not very obvious to the system administrator, and as there is
> no use of /var/log/apache directory being readable and searchable while
> the files in it are not, apart from the information disclosure described
> above, I think it should be chmod-ed 750, just as the logs in it are
> chmod 640.
I don't see a scenario where this could result in a meaningful security
issue.
The user can just as easily find out that an error was caused by noticing
the 5xx error returned by the server in response to the request.
--
- mdz
Reply to: