httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dean Gaudet <dgau...@arctic.org>
Subject Re: configfile_t.param
Date Tue, 02 Jun 1998 04:34:16 GMT


On Mon, 1 Jun 1998, Lou Langholtz wrote:

> It seems like we're loosing something here that we dont want to lose
> though. With all the hiding we should at least leave behind some
> method pointers with which we can get info on the configuration
> "objects" such as their type, and owner.

Owner makes no sense in many contexts.

> > I suspect that there's an entirely easier solution that isn't prone to
> > security problems.  If this is crud in ~user URLs then just use the
> > embedded user in the URL.  Otherwise it's probably crud under a
> > /blah/blah/docroot/user hierarchy (where user may be a domain name) and
> > you can compare against the uid of that file.  Without knowing a lot more
> > about your application I can't say.
> > 
> > Dean
> 
> The application is a module for logging on a per-directory basis.
> The way I've set it up, users get to see accesses as they're handled
> with all the per-hit relevant info possible in their own logs without
> seeing everyone elses hits.
> 
> So how would you suggest doing it instead of the way I've gone about
> describing? Certainly in the 1.3 line of apache this would be better
> rolled into the existing logging module than having a seperate module
> like it's currently. But what other mechanism besides using the htacces
> file would you suggest to enable any directory to configure logging for
> hits to files anywhere underneath it that could also be done by users
> securely?

Do you have some mapping from URL to user?  i.e. www.foobar.com/~user has
an obvious mapping.  Or if www.foobar.com's pages are handled under
/www/docroot/www.foobar.com/ then the mapping is to use the uid of
/www/docroot/www.foobar.com.  In general once you've got a mapping from
URL to user the rest is trivial.  Test that the user of the mapping is the
same as the user owning the directory containing the log file. 

Or better yet, don't let the users put logs in arbitrary places.  Put
Allow them to give a filename for a log only.  Then you could log
to ~$user/http_logs/$filename.

If your system uses user private groups (i.e. redhat, freebsd?), you
can simplify the security model even further by putting the logs in
/www/logs/$user/$filename.  Suppose httpd runs as www then the
perms are as follows:

    /www/logs			uid=www gid=whatever, mode=755
    /www/logs/$user		uid=www, gid=$user, mode=750
    /www/logs/$user/$filename	uid=www, gid=$user, mode=640

Then you don't need any sophisticated symlink checks.

Dean


Mime
View raw message