httpd-dev mailing list archives

From Marc Slemko
Subject Re: opening of log files and following links
Date Wed, 01 Jan 1997 00:14:12 GMT
On Tue, 31 Dec 1996, Jim Jagielski wrote:

> Marc Slemko wrote:
> > 
> > Currently mod_log_config (and others) will follow links when opening log
> > files for writing.  This means that anyone with write access to the
> > directory the logs are in can append arbitrary information to any file
> > writable by the uid that starts the server (normally root).
> > 
> > Does anyone give users write access to directories that logs are
> > stored in?  I can see some people doing this for virtual hosts
> > where they don't care about using the logs for tracking usage.
> > 
> Wouldn't it be better to open the log files _after_ the UID switch?
> I would vote for that as a safer solution. A warning should also
> be in the docs, but this is pretty serious when you think about
> it. Apache should setuid asap.

It is a safer solution, and I thought about it, but I think you
will find that things are done the current way on purpose.  It

	- log files that CGIs can't play with; if they were owned by the
	  user you setuid to, if you allow CGIs you have no reliable
	- lets any program you use in log files 
	  (eg. "TransferLog |/mydir/foobar") do things that the user
	  you setuid to shouldn't be able to; this is double edged,
	  and you do have to be _VERY_ careful with any program you
	  run there.  There is already a warning in the docs about
	- reduces the number of people who are too dumb to figure out
	  why the web server can't write to the logfiles if their
	  permissions are screwed up.

If you use suexec for all CGIs you may be able to live with opening
log files after you switch UIDs, but it still requires some thought.
However, I don't think there is a hope in hell of that happening.
It may be workable if Apache came configured by default to use one
uid for running the web server, and another uid for running all

I agree that it would be good to do something more than add a note to
the seldom-read-especially-for-upgrades documentation, but I'm not
sure how.  Perhaps a note in the release-notes wouldn't hurt either.
