httpd-dev mailing list archives

From "Philip A. Prindeville" <phil...@enteka.com>
Subject Re: proxy logging ftp password
Date Sun, 07 Sep 1997 19:32:31 GMT
	Date: Sun, 7 Sep 1997 13:22:30 -0600 (MDT)
	From: Marc Slemko <marcs@worldgate.com>
	To: new-httpd@apache.org
	Subject: Re: proxy logging ftp password

	[ snip ]

	No it is not.  They should not and must not be.  If they are like that
	on your system, then your system is broken. 

Sorry, my mistake.  Should have checked before sounding off.  I forgot
that the files are created *before* apache does a setuid(), so in fact
the directory can be owned by anyone, and it doesn't even need to be
writable (as long as it isn't NFS mounted), since the files are opened
as root.

	First off, just because you own a directory doesn't mean you can chown
	the files in it.  Secondly, if the directory is writable by the user
	Apache runs as, you just gave away root on your system.

Explain.  We're talking about the logs directory, right?

	Nothing should be owned by or writable by the user Apache runs as unless
	it is unavoidable.

This is counter-intuitive.  You would think that you would want things
like the htdocs directory to be owned by apache and be mode 400
(assuming you don't want everyone on your system to see certain files
if they require authentication to access).

-Philip
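
An added example, not part of the original message and not Apache's own code: a Python audit for the rule stated in the quoted text, that nothing should be owned by or writable by the user Apache runs as. The directory and account name come from the command line; the function names are this example's own.

```python
import grp
import os
import pwd
import stat
import sys


def ids_for(user):
    """Return (uid, set of gids) for a local account name."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, gids


def reason(st, uid, gids):
    """Say why the account controls this object, or return None."""
    if st.st_uid == uid:
        return "owned by server user"
    if stat.S_ISLNK(st.st_mode):
        return None  # mode bits on a symlink itself carry no meaning
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return "writable by server group"
    return None


def audit(root, uid, gids):
    """Check root and everything below it (no symlink following, no ACLs)."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        why = reason(os.lstat(path), uid, gids)
        if why:
            findings.append((path, why))
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: audit.py <directory> <account the server runs as>")
    found = audit(sys.argv[1], *ids_for(sys.argv[2]))
    for path, why in found:
        print(f"{path}: {why}")
    sys.exit(1 if found else 0)
```

Run it as root against the logs directory and the document tree; a non-zero exit status means at least one path is under the server account's control.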
