[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: The permissions of the apache2 log dir

On Sat, 02 Jun 2012 21:17:35 +0200, Titanus Eramius wrote:

> Last week i ran into the very restrictive folder permissions of the
> apache2 log dir. They where "drwxr-x--- root adm" but I changed them to
> "rwxr-xr-x root adm" so a unprivileged user may opdate webalizer[1] at
> night.

Uff... don't do that.

It's recommended to run webalizer from a cron job (or manually, but it 
has to be root who runs the task) but changing the Apache log directory 
permissions can lead to a security problem :-/

> That got me thinking (which I generally don't like...), does anyone know
> why the permissions are so strict, and is there a risk in the change
> I've made beside that everybody now may read the logs?

They are strict because they have to be so. 

If you need an unpriviledged user to run webalizer to manually update the 
web stats you better find a differenet way for doing it, for instance, by 
adding a secondary directory where to send the user logs with relaxed 
permission (only available for that user and password protected) or using/
configuring sudo to allow that user to run the webalizer binary so he can 
execute the script without altering the directory perms.



Reply to: