Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

[Matt Zimmerman <mdz@debian.org>]

On Tue, Dec 21, 2004 at 09:41:35PM +0000, Jan Minar wrote:

> Package: apache
> Version: 1.3.33-2
> Severity: minor
> Tags: security
> 
> Hi.
> 
> /var/log/apache is world-readable, so users can e.g. check whether
> certain operation triggered an error.  And given that the error strings
> are pretty standardized, they can guess what string has been added to
> the logfile, judging by the number of bytes that was appended to the
> log.
> 
> As this is not very obvious to the system administrator, and as there is
> no use of /var/log/apache directory being readable and searchable while
> the files in it are not, apart from the information disclosure described
> above, I think it should be chmod-ed 750, just as the logs in it are
> chmod 640.

I don't see a scenario where this could result in a meaningful security
issue.

The user can just as easily find out that an error was caused by noticing
the 5xx error returned by the server in response to the request.



-- 
 - mdz