
Re: apache question



On Thu, May 25, 2000 at 08:25:08PM -0700, Ian Zimmerman wrote:
> 
> Ethan> however one thing you should do on a debian system is chown
> Ethan> /var/www to root and make sure it's not group writable.  also
> Ethan> chown /var/log/apache/* to root.adm and make sure the
> Ethan> permissions are 640 or 644.  (you have to fix the apache cron
> Ethan> jobs to not undo this change)
> 
> Ethan> for some insane reason debian leaves the www-root owned by
> Ethan> www-data.www-data (the same user debian runs apache as) along
> Ethan> with the logs.  this is totally wrong as the web server user
> Ethan> should NOT own files or have any write permission to anything.
> Ethan> if it does then all it takes is one of those unprivileged child
> Ethan> processes to be exploited and your web site can be replaced and
> Ethan> your logs can be removed. bad bad bad.
> 
> As for the document tree, I largely agree.  But as for the logs, don't
> the child servers need to write them, almost by definition?

no, the child processes do not write the log files, the parent does,
here is an apache setup on a redhat box, running www.linuxppc.org:

[eb@www eb]$ ps aux | grep httpd
eb       14908  0.0  0.1   784   212  p0 R    20:44   0:00 grep httpd
nobody   14610  0.0  6.0 12464  9728  ?  S    18:14   0:01 httpd
nobody   14718  0.0  1.2  2944  1956  ?  S    19:24   0:02 httpd
nobody   14738  0.0  1.2  2964  1992  ?  S    19:30   0:02 httpd
[snip]
nobody   14884  0.0  1.0  2872  1732  ?  S    20:37   0:00 httpd
nobody   14885  0.0  1.1  2852  1856  ?  S    20:37   0:00 httpd
nobody   14886  0.0  1.0  2796  1652  ?  S    20:37   0:00 httpd
root     18824  0.0  0.9  2772  1596  ?  S   May  2   0:11 httpd
[eb@www eb]$ ls -ld /var/log/httpd/
drwxr-xr-x   2 root     root         1024 May 21 04:02 /var/log/httpd/
[eb@www eb]$ ls -l /var/log/httpd/
total 119032
-rw-r--r--   1 root     root     48090120 May 25 20:44 access_log
-rw-r--r--   1 root     root      1267634 May 21 04:01 access_log.1.gz
-rw-r--r--   1 root     root     70740267 May  7 04:01 access_log.2
-rw-r--r--   1 root     root       434583 May 25 20:44 error_log
-rw-r--r--   1 root     root        20858 May 21 04:02 error_log.1.gz
-rw-r--r--   1 root     root       847416 May  7 04:02 error_log.2

the logs most certainly are being written to properly.  

all keeping the logs owned by the unprivileged user seems to buy you
is a security hole.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
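
An added example, not part of the original message: a small audit function for the condition discussed in this thread, listing anything under the document root or log directory that the web server user could modify. The function name `audit_web_perms` and its return codes are assumptions made for this example; the Debian user and paths in the usage comment are the ones named in the message.

```shell
#!/bin/sh
# audit_web_perms USER GROUP PATH...
# USER and GROUP are names or numeric ids (e.g. www-data www-data on Debian).
# Prints every non-symlink entry under PATH that USER could modify:
#   - owned by USER (an owner can always chmod the entry writable)
#   - group-owned by GROUP and group-writable
#   - world-writable
# Returns 0 when nothing is found, 1 when entries were found,
# 2 when find itself failed (unknown user, unreadable or missing path).
audit_web_perms() {
    _user=$1; _group=$2; shift 2
    _found=$(find "$@" ! -type l \
        \( -user "$_user" -o \( -group "$_group" -perm -020 \) -o -perm -002 \) \
        -print); _rc=$?
    [ -n "$_found" ] && printf '%s\n' "$_found"
    [ "$_rc" -ne 0 ] && return 2
    [ -z "$_found" ]
}

# Typical call on the Debian layout from the message (run as root so find
# can read every directory):
#   audit_web_perms www-data www-data /var/www /var/log/apache \
#       || echo "web server user can modify the entries listed above"
```
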
