httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Re: opening of log files and following links
Date Wed, 01 Jan 1997 01:14:46 GMT
One approach is to do what inn does.  There's a wrapper that opens port
119, then drops privs and execs the server with a -p fd argument to tell
it where its socket is. 

Dean

On Tue, 31 Dec 1996, Jim Jagielski wrote:

> Nathan Neulinger wrote:
> > 
> > At 7:02 PM -0600 12/31/96, Jim Jagielski wrote:
> > >Marc Slemko wrote:
> > >>
> > >> Currently mod_log_config (and others) will follow links when opening log
> > >> files for writing.  This means that anyone with write access to the
> > >> directory the logs are in can append arbitrary information to any file
> > >> writable by the uid that starts the server (normally root).
> > >>
> > >> Does anyone give users write access to directories that logs are
> > >> stored in?  I can see some people doing this for virtual hosts
> > >> where they don't care about using the logs for tracking usage.
> > >>
> > >
> > >Wouldn't it be better to open the log files _after_ the UID switch?
> > >I would vote for that as a safer solution. A warning should also
> > >be in the docs, but this is pretty serious when you think about
> > >it. Apache should setuid asap.
> > 
> > This would also have another benefit/effect of having the logs owned by
> > 'http' instead of 'root' when they get created.
> > 
> 
> From a quick look at the code, it looks like error-log might need to
> be used before Apache can drop 'root'... Places like that it might
> be better to just printf-stderr.
> 
> -- 
> ====================================================================
>       Jim Jagielski            |       jaguNET Access Services
>      jim@jaguNET.com           |       http://www.jaguNET.com/
>                   "Not the Craw... the CRAW!"
> 

