httpd-dev mailing list archives

From Marc Slemko <ma...@znep.com>
Subject Re: symlinks and logfiles
Date Sun, 05 Jan 1997 08:39:18 GMT
On Sun, 5 Jan 1997, Dean Gaudet wrote:

> Ewww! :)  It sucks to "lose" your logfile if there's a system failure
> between the mv to logs/foo and the mv back.  What if you just hardlink
> into logs/foo.  Of course then you run into the problem that on some
> systems a hardlink of a symlink gets the destination of the link, and on
> others it gets the symlink itself.

You can have apache detect an aborted attempt when it next starts, and fix
things up.  There is very minimal risk during the mv (which is actually
just a rename(), which is atomic (at least under BSD)) so apache should be
able to recover. 

I think there are also some race conditions with my suggestion WRT pulling
the entire directory tree out from under the process after it moves the
log into the temp directory, but those should only result in the logfile
ending up in the wrong place.

> 
> Another option, equally pointless considering we've agreed people won't
> read the docs, is to have a wwwlog user who has write perms in the log
> directory.  Then become that user to open the logs, and return to root
> before becoming the www user.
> 
> Could the same thing be done by becoming www but group wwwlogs, then
> removing that group before forking the children?

You could make that work, but it is too complicated (for the user) and
without ACLs, people often need the one group permission they have on a
directory for something else.  And people don't read the docs. 

> 
> Dean
> 
> On Sun, 5 Jan 1997, Marc Slemko wrote:
> 
> > I think the following should be a safe way of opening logfiles.  Since
> > we have no way to do a check and open atomically, we need to make sure
> > that no one else can play with the file between the check and open.
> > This can be accomplished by creating a mode 600 directory and
> > temporarily moving the logfile into there.
> > 
> > In mixed-pseudocode:
> > 	if (mkdir("logs/foo")) whine;
> > 	chmod logs/foo 600
> > 	-f logs/logfile && mv logs/logfile logs/foo/logfile
> > 	# check logs/foo/logfile to see if it is a link, etc.
> > 	fd = open("logs/foo/logfile", ...)
> > 	mv logs/foo/logfile logs/logfile
> > 	rmdir("logs/foo");
> > 
> > Now the only race condition (I think) is if someone tries reading the
> > logfile before it is moved back, it will fail but that shouldn't be a
> > huge deal.  
> > 
> > It is ugly though and I'm not sure it is worth implementing.
> > 
> > 
> 
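
A different technique from the rename-into-a-private-directory scheme discussed in this thread, given as an added example that is not from the original messages or from Apache: where `O_NOFOLLOW` is available (POSIX.1-2008), the log can be opened first and then checked through its descriptor with `fstat()`, so the check and the open refer to the same object. The name `open_log`, the 0640 mode and the single-hard-link policy are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* open_log() is a hypothetical helper, not Apache code.
 * Returns an append-mode descriptor for path, or -1 with errno set.
 * The file is opened first and inspected through the descriptor, so the
 * object that is checked is the object that will be written to. */
int open_log(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW: fail if the last path component is a symlink
     *             (ELOOP on Linux), dangling or not.
     * O_NONBLOCK: do not block if a FIFO was planted under this name.
     * 0640 is an assumed mode for a newly created log. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW |
                        O_NONBLOCK | O_CLOEXEC, 0640);
    if (fd < 0)
        return -1;

    if (fstat(fd, &st) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    /* Assumed policy: only a regular file with exactly one name is
     * accepted, which rejects devices, FIFOs and a log that has been
     * hard-linked to some other file. */
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}
```

`O_NOFOLLOW` covers only the final path component, so the directories above the log still have to be writable by root alone.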

