
Re: Strange apache behaviour? (solved)



Thanks...

The lines to change are:

    do
        if [ -f $LOG ]
        then
            if [ "$APACHE_CHOWN_LOGFILES" = "1" ]
            then
                savelog -c $APACHE_OLD_LOGS -m 640 -u $USR -g $GRP \
                    $LOG > /dev/null
            else
                savelog -c $APACHE_OLD_LOGS -m 640 -u root -g adm \
                    $LOG > /dev/null
            fi
        fi
    done

changing 640 to 644. This should work... will wait a few days to make sure
there are no side-effects to this.

Perhaps Johnie could make this an optional setting in
/etc/apache/cron.conf or something like that...?

Sincerely,
Jas

----- Original Message -----
From: "Peter Billson" <pete@elbnet.com>
To: "Jason Lim" <maillist@jasonlim.com>
Cc: <debian-isp@lists.debian.org>
Sent: Sunday, December 09, 2001 9:31 AM
Subject: Re: Strange apache behaviour?


> Jason,
>   Apache's log file ownership and permissions are set when they rotate in
> /etc/cron.daily/apache (about line 90 or so). As pointed out there are
> security issues to worry about so be careful.
>
> Pete
> --
> http://www.elbnet.com
> ELB Internet Services, Inc.
> Web Design, Computer Consulting, Internet Hosting
>
>
> Jason Lim wrote:
> >
> > Anyone figured out my apache problem (log file permissions)?
> >
> > I still haven't figured this one out yet.
> >
> > TIA,
> >
> > Jas
> >
> > ----- Original Message -----
> > From: "Jason Lim" <maillist@jasonlim.com>
> > To: <debian-isp@lists.debian.org>
> > Sent: Saturday, December 08, 2001 1:52 AM
> > Subject: Re: Strange apache behaviour?
> >
> > > That's not very good security-wise to run webalizer as www-data, because if
> > > a user ever finds a way to poison the log files, then webalizer will run
> > > them as www-data, and possibly be able to fool around with apache too
> > > (because they now run as the same user).
> > >
> > > A far better way (and much more direct) would be to have a way to change
> > > apache's log files BACK to the previous permissions.
> > >
> > > I think if no one knows the answer I'll have to ask netgod himself... (I
> > > think he is still the package maintainer?)
> > >
> > > Sincerely,
> > > Jason
> > >
> > > ----- Original Message -----
> > > From: "Denis A. Kulgeyko" <burzum@bliss.com.ua>
> > > To: "Jason Lim" <maillist@jasonlim.com>
> > > Sent: Friday, December 07, 2001 9:10 PM
> > > Subject: Re: Strange apache behaviour?
> > >
> > >
> > > >      Hello !
> > > >
> > > > > Do you know how to change the permissions of the log files apache
> > > > > generates?
> > > > >
> > > > > -rw-r-----    1 www-data www-data  1372461 Dec  7 13:04 apache-access.log
> > > > > -rw-r-----    1 www-data www-data   740269 Dec  2 06:21 apache-access.log.0
> > > > > -rw-r-----    1 www-data www-data    44414 Nov 25 05:52 apache-access.log.1.gz
> > > > > -rw-rw-r--    1 www-data www-data   167114 Sep 23 06:10 apache-access.log.10.gz
> > > > > -rw-rw-r--    1 www-data www-data    13069 Sep 16 06:06 apache-access.log.11.gz
> > > > > -rw-rw-r--    1 www-data www-data    14357 Sep  9 06:04 apache-access.log.12.gz
> > > > > -rw-rw-r--    1 www-data www-data    21209 Sep  2 06:24 apache-access.log.13.gz
> > > > > -rw-rw-r--    1 www-data www-data     5979 Nov 19  2000 apache-access.log.14.gz
> > > > > -rw-rw-r--    1 www-data www-data    36771 Nov 18 06:23 apache-access.log.2.gz
> > > > >
> > > > > It USED to be readable by all, now the permissions have changed (which in
> > > > > my case screws up the webalizer processes run by users).
> > > > >
> > > > > Having a look at the changelog...
> > > > >
> > > > > apache (1.3.22-1) unstable; urgency=low
> > > > >   * Default ownership of logfiles is root/adm, perms 640 (closes:
> > > > >     #112675).
> > > > >
> > > > > That's all nice and good... but how do I get it 644? I looked and can't
> > > > > appear to find it. Closest thing I could find was in
> > > > > /etc/apache/cron.conf, but that only sets the uid/gid, not the file
> > > > > permissions of the logfiles.
> > > > >
> > > > > Any ideas?
> > > >
> > > > Run webalizer with permissions of group www-data and set appropriate umask to
> > > > user www-data (may be to logrotate daemon too).
> > > >
> > > > --
> > > > With Best Regards,
> > > > Denis A. Kulgeyko
> > > > DK666-UANIC
> > > > e-mail: burzum@bliss.com.ua
> > > > ICQ: 81607525
> > > > SMS: mburzum@bliss.com.ua
> > > > -================================-
> > > > UNIXes ... they are VERY friendly.
> > > > But .. they chooses their friends VERY carefully ... :)
> > > > ^]:wq!
> > > >
> > >
> > >
> > > --
> > > To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
> > > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> > >
> > >
> >
>
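
Added example, not part of the original thread or of the Debian apache package: a small shell audit to run after the nightly rotation, showing which Apache logs have become readable by every local account (the effect of the 640 to 644 change) or writable by group/other, and how to return them to the packaged 640 default. The function names and the sample directory built by `make_sample_logs` are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Apache log permissions after the nightly rotation.
# Directory and file names in make_sample_logs are constructed sample data.

# Files any local account can read (other-read bit set), e.g. mode 644 or 664.
world_readable_logs() {
    find "$1" -type f -name 'apache-*' -perm -004 | sort
}

# Files that group or other can modify, e.g. the old rotated 664 files.
loosely_writable_logs() {
    find "$1" -type f -name 'apache-*' \( -perm -020 -o -perm -002 \) | sort
}

# Return flagged files to the packaged default (640) without touching ownership.
restore_default_mode() {
    find "$1" -type f -name 'apache-*' \
        \( -perm -004 -o -perm -020 -o -perm -002 \) -exec chmod 640 {} +
}

# Build a throwaway directory that mimics the kind of listing shown in the thread.
make_sample_logs() {
    dir=$(mktemp -d) || return 1
    touch "$dir/apache-access.log" "$dir/apache-access.log.0" \
          "$dir/apache-access.log.1.gz" "$dir/apache-access.log.10.gz"
    chmod 640 "$dir/apache-access.log" "$dir/apache-access.log.0"
    chmod 644 "$dir/apache-access.log.1.gz"    # what the 640 -> 644 edit produces
    chmod 664 "$dir/apache-access.log.10.gz"   # older rotated file, group-writable
    printf '%s\n' "$dir"
}

# Run with --demo to see the audit on the constructed sample directory.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_logs)
    echo "world-readable:"
    world_readable_logs "$d"
    echo "group/other-writable:"
    loosely_writable_logs "$d"
    restore_default_mode "$d"
    echo "world-readable after restore: $(world_readable_logs "$d" | wc -l)"
    rm -rf "$d"
fi
```

Point the functions at the real log directory to see which rotated files the cron job has left readable beyond the owner and group.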


