httpd-dev mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: Agenda for 1.2b7
Date Wed, 29 Jan 1997 18:12:15 GMT
Marc Slemko wrote:
> 
> > 
> > > >     * do we want a half-hearted attempt at fixing logfile opening security
> > > >       holes?  
> > > 
> > > I'd prefer not... I think the current method of heavy documentation
> > > about the location of logfiles, and the actions to take, may be
> > > the less risky option.
> > 
> > Agreed.
> 
> On the same token, you can argue that by adding the checks we just make it
> a little bit harder for it to be exploited when people do it anyway and we
> don't have to change the position of saying "no, that's insecure".
> 

One check would be to make sure that the log directory is not owned
by root, but if it is, is not writable by world or group. Not a
very comprehensive test, but certainly gets the big one.

-- 
====================================================================
      Jim Jagielski            |       jaguNET Access Services
     jim@jaguNET.com           |       http://www.jaguNET.com/
                  "Not the Craw... the CRAW!"
