
Bug#298689: Bug with Debian Apache2 logrotate script



Heiko Stübner wrote:
>
> While obtaining another certificate I found the perfect example :-) Take
> a rented server (cheaper traffic than hosting it yourself) for an
> online-shop, hosted somewhere and no one knows who can get access to it
> directly on the console (like root=/bin/bash kernel command line) and to
> the certificate files.

If someone has console access to your machine, you should already consider
it compromised (this is, for instance, why one should never keep a PGP/GPG
private key on a co-located machine).  They can also get a keylogger on
your machine, trip a reboot (Oh, I mean "power failure"), and wait for you
to come along and restart apache.  As soon as you do, they have your cert
passphrase.  They can even just grab a copy of the encrypted cert and go
brute force it on their own time with a small cluster.

But still, the attacks you mentioned don't require one to have access to
the cert anyway, they only need to have access to the webserver to alter
your content, which the server will happily continue to sign and serve as
always.

> But if a security update of apache in 6 months tells me there are
> differences between the files in the package and in the filesystem I have
> to guess why (or look it up why I did it) and apache is not the only
> package. So looking through notes on many packages checking if these
> changes are correct takes time and is error prone. It's easier (and
> safer) to stay near the original :-).

A security update of apache2 shouldn't change the logrotate script.  And,
if we don't change OUR copy, dpkg doesn't bug you to change YOURS.  It's
only when ours changes that it expects you might want to merge changes
locally.

... Adam
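
The dpkg conffile behaviour described in the reply above, as an added example that is not part of the original message and is not dpkg's own code: it models when an upgrade asks about a locally edited conffile, from the MD5 dpkg recorded for the shipped copy, the MD5 of the file on disk, and the MD5 of the copy in the new package. The path, the file contents and all function names are constructed for illustration.

```python
import hashlib

def md5_hex(data: bytes) -> str:
    # dpkg records an MD5 of each conffile as shipped; here it is only a change marker.
    return hashlib.md5(data).hexdigest()

def parse_conffiles(field: str) -> dict:
    # Input: output of  dpkg-query -W -f='${Conffiles}\n' <package>
    # Each line is " <path> <md5> [flag]"; assumes paths contain no whitespace.
    recorded = {}
    for line in field.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            recorded[parts[0]] = parts[1]
    return recorded

def conffile_action(recorded: str, local: str, new: str) -> str:
    if new == recorded:
        return "keep-local"    # maintainer's copy unchanged: no question asked
    if local == recorded:
        return "install-new"   # admin never edited it: replaced silently
    if local == new:
        return "keep-local"    # local edit already matches the new version
    return "prompt"            # both sides changed: dpkg asks what to do

# Constructed sample data (not taken from a real package).
PATH = "/etc/logrotate.d/apache2"
SHIPPED = b"/var/log/apache2/*.log {\n  weekly\n  rotate 52\n}\n"
LOCAL_EDIT = SHIPPED.replace(b"weekly", b"daily")
NEXT_SHIPPED = SHIPPED.replace(b"rotate 52", b"rotate 14")
FIELD = f" {PATH} {md5_hex(SHIPPED)}\n"

def plan_upgrade(local_bytes: bytes, new_bytes: bytes) -> str:
    # Look up the recorded hash for PATH, then decide what the upgrade would do.
    recorded = parse_conffiles(FIELD)[PATH]
    return conffile_action(recorded, md5_hex(local_bytes), md5_hex(new_bytes))

if __name__ == "__main__":
    # Security update that leaves the logrotate script alone: local edit is kept.
    print("edited, package unchanged:", plan_upgrade(LOCAL_EDIT, SHIPPED))
    # Package changes the script and the admin never touched it.
    print("pristine, package changed:", plan_upgrade(SHIPPED, NEXT_SHIPPED))
    # Package changes the script and the admin edited it too.
    print("edited, package changed:  ", plan_upgrade(LOCAL_EDIT, NEXT_SHIPPED))
```
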




