Date: Mon, 1 Jun 1998 21:34:16 -0700 (PDT)
From: Dean Gaudet
To: new-httpd@apache.org
Subject: Re: configfile_t.param
In-Reply-To: <199806020135.TAA10095@eden.chpc.utah.edu>

On Mon, 1 Jun 1998, Lou Langholtz wrote:

> It seems like we're losing something here that we don't want to lose
> though. With all the hiding we should at least leave behind some
> method pointers with which we can get info on the configuration
> "objects" such as their type, and owner.

Owner makes no sense in many contexts.

> > I suspect that there's an entirely easier solution that isn't prone to
> > security problems. If this is crud in ~user URLs then just use the
> > embedded user in the URL. Otherwise it's probably crud under a
> > /blah/blah/docroot/user hierarchy (where user may be a domain name) and
> > you can compare against the uid of that file. Without knowing a lot more
> > about your application I can't say.
> >
> > Dean
>
> The application is a module for logging on a per-directory basis.
> The way I've set it up, users get to see accesses as they're handled
> with all the per-hit relevant info possible in their own logs without
> seeing everyone else's hits.
>
> So how would you suggest doing it instead of the way I've gone about
> describing? Certainly in the 1.3 line of apache this would be better
> rolled into the existing logging module than having a separate module
> like it's currently. But what other mechanism besides using the htaccess
> file would you suggest to enable any directory to configure logging for
> hits to files anywhere underneath it that could also be done by users
> securely?

Do you have some mapping from URL to user? i.e. www.foobar.com/~user has
an obvious mapping. Or if www.foobar.com's pages are handled under
/www/docroot/www.foobar.com/ then the mapping is to use the uid of
/www/docroot/www.foobar.com.

In general once you've got a mapping from URL to user the rest is trivial.
Test that the user of the mapping is the same as the user owning the
directory containing the log file.

Or better yet, don't let the users put logs in arbitrary places. Allow
them to give a filename for a log only. Then you could log to
~$user/http_logs/$filename.

If your system uses user private groups (i.e. redhat, freebsd?), you can
simplify the security model even further by putting the logs in
/www/logs/$user/$filename. Suppose httpd runs as www then the perms are
as follows:

    /www/logs                    uid=www gid=whatever, mode=755
    /www/logs/$user              uid=www, gid=$user, mode=750
    /www/logs/$user/$filename    uid=www, gid=$user, mode=640

Then you don't need any sophisticated symlink checks.

Dean
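
The layout proposed in the message above, as an added example that is not part of the original message or of Apache: a check that a user-supplied log name is a bare filename, and an audit of the 755/750/640 ownership scheme. The function names `log_path` and `audit_user_logs`, the filename character set, and passing the httpd uid and the user's private gid as numbers are assumptions of this sketch.

```python
import os
import re
import stat

# Assumption: a log name is a bare filename from a small character set, so it
# cannot contain "/" or be "." / ".." and always stays inside the user's directory.
_NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]{0,63}")


def log_path(root, user, filename):
    """Map a user-supplied log name to root/user/filename, or raise ValueError.

    `user` is assumed to come from the server's own URL-to-user mapping.
    """
    if not _NAME_RE.fullmatch(filename):
        raise ValueError("log name must be a bare filename: %r" % (filename,))
    return os.path.join(root, user, filename)


def _check(path, uid, gid, mode, want_dir):
    """Compare one path with the expected owner, group and mode (gid=None skips group)."""
    try:
        st = os.lstat(path)  # lstat: a symlink is reported, never followed
    except OSError as exc:
        return ["%s: %s" % (path, exc.strerror)]
    problems = []
    kind_ok = stat.S_ISDIR(st.st_mode) if want_dir else stat.S_ISREG(st.st_mode)
    if not kind_ok:
        problems.append("%s: not a %s" % (path, "directory" if want_dir else "regular file"))
    if st.st_uid != uid:
        problems.append("%s: uid %d, expected %d" % (path, st.st_uid, uid))
    if gid is not None and st.st_gid != gid:
        problems.append("%s: gid %d, expected %d" % (path, st.st_gid, gid))
    if stat.S_IMODE(st.st_mode) != mode:
        problems.append("%s: mode %o, expected %o" % (path, stat.S_IMODE(st.st_mode), mode))
    return problems


def audit_user_logs(root, user, httpd_uid, user_gid):
    """Return every deviation from the layout: root 755, root/user 750, files 640."""
    udir = os.path.join(root, user)
    problems = _check(root, httpd_uid, None, 0o755, True)
    problems += _check(udir, httpd_uid, user_gid, 0o750, True)
    if os.path.isdir(udir) and not os.path.islink(udir):
        for name in sorted(os.listdir(udir)):
            problems += _check(os.path.join(udir, name), httpd_uid, user_gid, 0o640, False)
    return problems
```

An empty list from `audit_user_logs` means the tree matches the scheme; because only httpd can create entries in the 750 directory, a symlink showing up there is itself a finding.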