httpd-docs mailing list archives

From Marc Slemko <ma...@znep.com>
Subject Re: Security
Date Sat, 21 Sep 2002 21:14:18 GMT

On Sat, 21 Sep 2002, Rich Bowen wrote:

>
> =Apache security

Two comments:

1. a lot of silly and futile restrictions here that don't do anything
to improve security and only serve to make people do things as root
more than they should have to.

2. Your recommended permissions for the logs directory have a huge
problem:

> * Logs directory has some caveats
>
> * Standard log files are written as root (C<access_log> and C<error_log>)
>
> * Some other modules log as C<www.root>
>
> * So, here's the recommendation:
>
>     chown root.www logs
>     chmod 770 logs

This goes explicitly against what is documented in the current docs
and allows anyone who compromises the "www" group to gain root access
to the system.  Do not give the user or group the server runs as
write permissions to the log directory if the server is started as
root.

If you have some random module that wants to write a logfile as the
user the webserver runs as, either put it in a different directory or
precreate the file with permissions that let the module do so.


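An audit check for the condition raised in the message above, added here as an illustration; it is not part of the original e-mail or of the Apache documentation. The function name `audit_log_dir` and its parameters are hypothetical, and the caller is assumed to supply the uid and gids the server's children run as.

```python
import os
import stat
import tempfile


def audit_log_dir(path, server_uid, server_gids):
    """Return findings for a log directory used by a server started as root.

    server_uid and server_gids are the IDs the server's children run as
    (assumed inputs; take them from the User and Group directives).
    An empty list means neither that user nor those groups can write here.
    """
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    # The owner can always chmod the directory, so ownership alone is enough.
    if st.st_uid == server_uid:
        findings.append(f"{path}: owned by server user uid={server_uid}")
    if st.st_gid in server_gids and mode & stat.S_IWGRP:
        findings.append(
            f"{path}: group-writable by server group gid={st.st_gid} (mode {mode:o})"
        )
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable (mode {mode:o})")
    return findings


if __name__ == "__main__":
    # Constructed demo: a scratch directory stands in for "logs", and its
    # own group stands in for "www". 770 is the quoted recommendation.
    with tempfile.TemporaryDirectory() as logs:
        st = os.stat(logs)
        www_gid = st.st_gid      # pretend the directory's group is "www"
        www_uid = st.st_uid + 1  # any uid other than the directory owner
        for mode in (0o770, 0o750):
            os.chmod(logs, mode)
            result = audit_log_dir(logs, www_uid, {www_gid})
            print(f"{mode:o}:", result or "ok")
```
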