httpd-docs mailing list archives

From Rich Bowen <rbo...@rcbowen.com>
Subject Re: Security
Date Sat, 21 Sep 2002 21:59:58 GMT
On Sat, 21 Sep 2002, Marc Slemko wrote:

> On Sat, 21 Sep 2002, Rich Bowen wrote:
>
> >
> > =Apache security
>
> Two comments:
>
> 1. a lot of silly and futile restrictions here that don't do anything
> to improve security and only serve to make people do things as root
> more than they should have to.

OK, I'm confused. What here would you have to do as root that should not
be that way?

> 2. Your recommended permissions for the logs directory have a huge
> problem:
>
> > * Logs directory has some caveats
> >
> > * Standard log files are written as root (C<access_log> and C<error_log>)
> >
> > * Some other modules log as C<www.root>
> >
> > * So, here's the recommendation:
> >
> >     chown root.www logs
> >     chmod 770 logs
>
> This goes explicitly against what is documented in the current docs
> and allows anyone who compromises the "www" group to gain root access
> to the system.

Can you elaborate as to how that would happen?

The current docs say that the directory should be 755, which would
prevent ssl from logging. Or so I would have thought. Need to experiment
with that, I guess.

> Do not give the user or group the server runs as
> write permissions to the log directory if the server is started as
> root.

That's the way that it is now. SSL logs as the web server user, as does
mod_throttle, and mod_gzip. If you don't give that user access to write
to the log directory, these modules can't log.

> If you have some random module that wants to write a logfile as the
> user the webserver runs as, either put it in a different directory or
> precreate the file with permissions that let the module do so.

Well, I would hardly call mod_ssl "some random module". ;-) What
recommendations do you make for that?

-- 
Rich Bowen - rbowen@rcbowen.com
Author - Apache Administrator's Guide
http://www.ApacheAdmin.com/
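Added example, not from the thread and not from the httpd docs: a small POSIX sh script that makes the two layouts being argued about concrete. The point Marc is relying on is that the parent httpd, started as root, opens access_log and error_log itself, so anything that can create, rename or unlink entries in that directory can steer what root opens; write access to one pre-created file only lets the server user append to that file. The script checks a log directory against the current docs' rule (root-owned, not group- or world-writable) and lists the files the server's user/group can still write, which should be exactly the ones pre-created for modules such as mod_ssl. The names "www" and "ssl_request_log" are assumed for illustration; because the demo runs without root, the current user and primary group stand in for root and www.

```shell
#!/bin/sh
# Added example (not original to the thread or the httpd project).
# Assumed names: server user/group "www", mod_ssl log file "ssl_request_log".

# logdir_safe DIR [OWNER]
# Exit 0 when DIR belongs to OWNER (default root) and is writable by neither
# its group nor others. This is the layout the current docs ask for; a 770
# directory fails because the server group could replace the entries that
# the root-started parent opens.
logdir_safe() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || return 1
    # find prints the directory itself only if the owner matches
    [ -n "$(find "$dir" -prune -user "$owner" -print)" ] || return 1
    # ... and only if group or other has the write bit (rules out 770, 775, 777)
    [ -z "$(find "$dir" -prune \( -perm -g+w -o -perm -o+w \) -print)" ] || return 1
    return 0
}

# server_writable_files DIR USER GROUP
# Lists regular files directly under DIR that the server (running as USER
# in GROUP) can write: owned by USER with u+w, or in GROUP with g+w.
# Expect exactly the files pre-created for modules that log as the server
# user; anything else is worth a look.
server_writable_files() {
    find "$1" -path "$1/*" -type d -prune -o -type f \
        \( -user "$2" -perm -u+w -o -group "$3" -perm -g+w \) -print
}

# Demo on a scratch directory. Without root we cannot chown to root/www,
# so the current user and primary group stand in for them.
demo() {
    me=$(id -un)
    grp=$(id -gn)
    tmp=$(mktemp -d) || return 1

    # Layout A, the draft's recommendation: chown root.www logs; chmod 770 logs
    mkdir "$tmp/logs-770" && chmod 770 "$tmp/logs-770"

    # Layout B, the current docs: root-owned 755 directory, with the one
    # file a module running as the server user needs pre-created for it.
    mkdir "$tmp/logs-755" && chmod 755 "$tmp/logs-755"
    : > "$tmp/logs-755/ssl_request_log"
    chmod 640 "$tmp/logs-755/ssl_request_log"   # production: chown www, same mode

    for d in logs-770 logs-755; do
        if logdir_safe "$tmp/$d" "$me"; then
            echo "$d: directory not writable by server group: OK"
        else
            echo "$d: directory writable by server group: NOT OK"
        fi
        echo "$d: files the server user/group can write:"
        server_writable_files "$tmp/$d" "$me" "$grp" | sed 's/^/    /'
    done
    rm -rf "$tmp"
}

demo
```

Run it as-is to see both layouts evaluated; to audit a real install, call `logdir_safe /usr/local/apache/logs` and `server_writable_files /usr/local/apache/logs www www` with the names from your httpd.conf.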

