httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Jagielski <...@jaguNET.com>
Subject Re: opening of log files and following links
Date Thu, 30 Jan 1997 00:02:02 GMT
Marc Slemko wrote:
> 
> Currently mod_log_config (and others) will follow links when opening log
> files for writing.  This means that anyone with write access to the
> directory the logs are in can append arbitrary information to any file
> writable by the uid that starts the server (normally root).
> 
> Does anyone give users write access to directories that logs are
> stored in?  I can see some people doing this for virtual hosts
> where they don't care about using the logs for tracking usage.
> 

Wouldn't it be better to open the log files _after_ the UID switch?
I would vote for that as a safer solution. A warning should also
be in the docs, but this is pretty serious when you think about
it. Apache should setuid asap.
-- 
====================================================================
      Jim Jagielski            |       jaguNET Access Services
     jim@jaguNET.com           |       http://www.jaguNET.com/
                  "Not the Craw... the CRAW!"

Mime
View raw message