httpd-dev mailing list archives

From Daniel Gruno <rum...@cord.dk>
Subject Re: [PATCH] mod_log_forensic security considerations
Date Fri, 08 Jun 2012 10:24:10 GMT
On 06/08/2012 12:13 PM, Graham Leggett wrote:
> On 08 Jun 2012, at 12:16 AM, Daniel Ruggeri wrote:
>
>>> I share William's concern that this makes mod_forensic potentially less 
>>> useful.
>>>
>>> Maybe making the forensic log mode 600 by default would be a better 
>>> idea?
>> Agreed as well. This module isn't enabled by default and is most likely
>> to be enabled by a user that knows what they are trying to accomplish.
>> To me, a clear and concise security warning in the documentation should
>> be all that is needed.
>>
>> IMO, having unadulterated logging capability is what makes
>> mod_dumpio/mod_log_forensic some of the most useful modules for
>> troubleshooting in a proxy/crashing scenario (respectively).
> +1.
>
> Regards,
> Graham
> --
>
+1 to that. We already have the same kind of warnings in place for
people setting up proxies, I see no reason why we can't do the same for
mod_log_forensic.
The module is, as the name says, for forensic logging, so it should be
expected that as much as possible is logged by default, and any special
considerations should be something you could change, but it shouldn't be
the default behaviour to not include this and that because it may be
potentially unsafe. We got bit by it, yes, but that was because we made
the logs available to people, and that's what we should warn about if
anything.

With regards,
Daniel.
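An added audit helper, not part of this thread or of the httpd project, that checks the point argued above: it reads the ForensicLog path from a config, reports whether the file is readable beyond its owner (the "mode 600" suggestion), and counts the log lines that carry a Cookie or Authorization header, which mod_log_forensic records verbatim in its `+id|request line|Header:value|...` / `-id` entries. The config, log lines, IDs and header values are constructed sample data, and the function names are mine.

```shell
#!/bin/sh
# Added audit helper (not httpd project code): locate the ForensicLog file named
# in a config and report whether it is readable beyond its owner. The thread's
# point is that the risk is sharing the file, not what mod_log_forensic records.

# forensic_log_path CONFIG: print the path from the first ForensicLog directive.
forensic_log_path() {
    awk '$1 == "ForensicLog" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# log_mode FILE: octal permission bits such as 644 (GNU stat, then BSD stat).
log_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_forensic_log CONFIG: return 0 when group and other have no access to the
# log (600, 400, ...), 1 when they do, 2 when no ForensicLog directive exists.
# Forensic entries are "+id|request line|Header:value|..." so a Cookie or
# Authorization header is stored verbatim; count the lines that carry one.
check_forensic_log() {
    path=$(forensic_log_path "$1")
    [ -n "$path" ] || { echo "no ForensicLog directive in $1"; return 2; }
    mode=$(log_mode "$path")
    sensitive=$(grep -c -E '\|(Cookie|Authorization):' "$path" || true)
    case "$mode" in
        *00) echo "OK   $path mode $mode, $sensitive credential-bearing line(s), owner-only"; return 0 ;;
        *)   echo "WARN $path mode $mode, $sensitive credential-bearing line(s) readable by others"; return 1 ;;
    esac
}

# Constructed sample: a one-line config and a two-request forensic log with
# placeholder IDs and values, first shared (644), then owner-only (600).
demo() {
    d=$(mktemp -d)
    printf 'ForensicLog "%s/forensic_log"\n' "$d" > "$d/httpd.conf"
    printf '%s\n' \
        '+constructedid1|GET /index.html HTTP/1.1|Host:example.test|Cookie:session=constructed' \
        '-constructedid1' \
        '+constructedid2|GET /private HTTP/1.1|Host:example.test|Authorization:Basic Y29uc3RydWN0ZWQ=' \
        '-constructedid2' > "$d/forensic_log"
    chmod 644 "$d/forensic_log"
    check_forensic_log "$d/httpd.conf" || true
    chmod 600 "$d/forensic_log"
    check_forensic_log "$d/httpd.conf"
    rm -rf "$d"
}

demo
```

Point `check_forensic_log` at a real httpd.conf to audit an existing deployment; it only reads the config and stats the log, it changes nothing.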
