[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#286740: marked as done (apache: log directory should have same permissions as logfiles (possible information disclosure))

Your message dated Wed, 16 Sep 2009 20:34:03 +0100
with message-id <1253129643.917131.2601.nullmailer@kmos.homeip.net>
and subject line Package apache has been removed from Debian
has caused the Debian Bug report #286740,
regarding apache: log directory should have same permissions as logfiles (possible information disclosure)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
286740: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286740
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: apache
Version: 1.3.33-2
Severity: minor
Tags: security

Hi.

/var/log/apache is world-readable, so users can e.g. check whether
certain operation triggered an error.  And given that the error strings
are pretty standardized, they can guess what string has been added to
the logfile, judging by the number of bytes that was appended to the
log.

As this is not very obvious to the system administrator, and as there is
no use of /var/log/apache directory being readable and searchable while
the files in it are not, apart from the information disclosure described
above, I think it should be chmod-ed 750, just as the logs in it are
chmod 640.

Thanks.
Jan.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (700, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.28-jan
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 (charmap=ISO-8859-2)

Versions of packages apache depends on:
ii  apache-common               1.3.33-2     Support files for all Apache webse
ii  debconf                     1.4.30.10    Debian configuration management sy
ii  dpkg                        1.10.25      Package maintenance system for Deb
ii  libc6                       2.3.2.ds1-18 GNU C Library: Shared libraries an
ii  libdb4.2                    4.2.52-17    Berkeley v4.2 Database Libraries [
ii  libexpat1                   1.95.8-1     XML parsing C library - runtime li
ii  libmagic1                   4.12-1       File type determination library us
ii  logrotate                   3.7-2        Log rotation utility
ii  mime-support                3.28-1       MIME files 'mime.types' & 'mailcap
ii  perl                        5.8.4-3      Larry Wall's Practical Extraction 

-- debconf information:
  apache/init: true
  apache/server-port: 80
  apache/document-root: /var/www
  apache/server-admin: webmaster@localhost
  apache/server-name: localhost
* apache/enable-suexec: false

-- 
 )^o-o^|    jabber: rdancer@NJS.NetLab.Cz
 | .v  K    e-mail: jjminar FastMail FM
 `  - .'     phone: +44(0)7981 738 696
  \ __/Jan     icq: 345 355 493
 __|o|__Minář  irc: rdancer@IRC.FreeNode.Net

Attachment: pgpApg9XNa2Zm.pgp
Description: PGP signature


--- End Message ---
--- Begin Message --- 
Version: 1.3.34-4.1+rm

You filled the bug http://bugs.debian.org/286740 in Debian BTS
against the package apache. I'm closing it at *unstable*, but it will
remain open for older distributions.

For more information about this package's removal, read
http://bugs.debian.org/418266. That bug might give the reasons why
this package was removed and suggestions of possible replacements.

Don't hesitate to reply to this mail if you have any question.

Thank you for your contribution to Debian.

--
Marco Rodrigues

--- End Message ---
Reply to: