
Re: apache question



Thanks for this post. This is a change I needed to make. If you are
running a recent version of apache, the cron job can be fixed by editing
cron.conf in /etc/apache. Set the variable APACHE_CHOWN_LOGFILES to 0. By
default it is 1.

Ernest Johanson
Web Systems Administrator
Fuller Theological Seminary


On Thu, 25 May 2000, Ethan Benson wrote:

> Date: Thu, 25 May 2000 20:07:10 -0800
> From: Ethan Benson <erbenson@alaska.net>
> To: Ian Zimmerman <itz@speakeasy.org>
> Cc: debian-user@lists.debian.org
> Subject: Re: apache question
> 
> On Thu, May 25, 2000 at 08:25:08PM -0700, Ian Zimmerman wrote:
> >
> > Ethan> however one thing you should do on a debian system is chown
> > Ethan> /var/www to root and make sure it's not group writable.  also
> > Ethan> chown /var/log/apache/* to root.adm and make sure the
> > Ethan> permissions are 640 or 644.  (you have to fix the apache cron
> > Ethan> jobs to not undo this change)
> >
> > Ethan> for some insane reason debian leaves the www-root owned by
> > Ethan> www-data.www-data (the same user debian runs apache as) along
> > Ethan> with the logs.  this is totally wrong as the web server user
> > Ethan> should NOT own files or have any write permission to anything.
> > Ethan> if it does then all it takes is one of those unprivileged child
> > Ethan> processes to be exploited and your web site can be replaced and
> > Ethan> your logs can be removed. bad bad bad.
> >
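
Added example, not part of either message: a read-only check for the state the quoted advice asks for, which is also a way to confirm that the cron job no longer undoes the change after APACHE_CHOWN_LOGFILES is set to 0. The function names and the script name audit.sh are made up for illustration; www-data, root, adm and the two paths are the ones named in the thread.

```sh
#!/bin/sh
# Added example (constructed): read-only audit, changes nothing on disk.

# Anything in the web root that the web server account owns, or that is
# group- or world-writable. Symlinks are skipped: their mode bits are always 777.
webroot_findings() {   # usage: webroot_findings DIR WEBUSER
    find "$1" ! -type l \( -user "$2" -o -perm -020 -o -perm -002 \) -print
}

# Log files not owned by OWNER:GROUP, or whose mode is not exactly 640 or 644.
log_findings() {       # usage: log_findings DIR OWNER GROUP
    find "$1" -type f \( ! -user "$2" -o ! -group "$3" \
        -o ! \( -perm 640 -o -perm 644 \) \) -print
}

# Run as: sh audit.sh /var/www /var/log/apache
if [ "$#" -eq 2 ]; then
    echo "== web root: owned by www-data, or group/world-writable =="
    webroot_findings "$1" www-data
    echo "== logs: not root:adm, or mode other than 640/644 =="
    log_findings "$2" root adm
fi
```

Empty output under both headings means the tree matches the advice; running it again after the next log rotation shows whether the cron job has reverted the ownership.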


