httpd-docs mailing list archives

From Marc Slemko <ma...@znep.com>
Subject Re: Security
Date Sun, 22 Sep 2002 17:19:20 GMT
On Sat, 21 Sep 2002, Rich Bowen wrote:

> On Sat, 21 Sep 2002, Marc Slemko wrote:
>
> > On Sat, 21 Sep 2002, Rich Bowen wrote:
> >
> > >
> > > =Apache security
> >
> > Two comments:
> >
> > 1. a lot of silly and futile restrictions here that don't do anything
> > to improve security and only serve to make people do things as root
> > more than they should have to.
>
> OK, I'm confused. What here would you have to do as root that should not
> be that way?

Almost anything involving the server you are now requiring that
the user be root to do... running htpasswd, compiling modules that
use the include files, checking the logs, verifying how things are
set up in the conf file... the list goes on and on.  Restricting
permissions so everyone needs root to do anything and anyone who
has root has to be root all the time is unwise.

While some of that (eg. read access to the logs) is legitimate
for some shared systems where you don't want people doing that
(note that doesn't mean it would be a reasonable default), others
(eg. access to run htpasswd) are completely futile and don't improve
security one bit.

>
> > 2. Your recommended permissions for the logs directory have a huge
> > problem:
> >
> > > * Logs directory has some caveats
> > >
> > > * Standard log files are written as root (C<access_log> and C<error_log>)
> > >
> > > * Some other modules log as C<www.root>
> > >
> > > * So, here's the recommendation:
> > >
> > >     chown root.www logs
> > >     chmod 770 logs
> >
> > This goes explicitly against what is documented in the current docs
> > and allows anyone who compromises the "www" group to gain root access
> > to the system.
>
> Can you elaborate as to how that would happen?
>

The logs are opened as root.

Symlinks are followed.

It is trivial to make Apache log a line containing user supplied input
since, umh, that is what logging is.

If you can append arbitrary input to any file on the system as root, there
are a lot of ways to compromise the system.

> The current docs say that the directory should be 755, which would
> prevent ssl from logging. Or so I would have thought. Need to experiment
> with that, I guess.
>
> > Do not give the user or group the server runs as
> > write permissions to the log directory if the server is started as
> > root.
>
> That's the way that it is now. SSL logs as the web server user, as does
> mod_throttle, and mod_gzip. If you don't give that user access to write
> to the log directory, these modules can't log.

As I already said directly below, if you have random modules that
insist for some reason on writing as the user the webserver runs
as (doing so is itself a security risk) then you need to precreate
those files with the proper permissions.

This isn't some random "I think things should be this way" statement,
it is a simple and documented fact that anyone who you give write
access to the logs directory can compromise the user that starts Apache,
in this case root.  Whatever requirements random modules have don't
change this; if they are broken they are broken.

>
> > If you have some random module that wants to write a logfile as the
> > user the webserver runs as, either put it in a different directory or
> > precreate the file with permissions that let the module do so.
>
> Well, I would hardly call mod_ssl "some random module". ;-) What
> recommendations do you make for that?

In Apache 2.0 mod_ssl doesn't seem to have its own logfile, in
Apache 1.3 it seems to open it as the user that apache is started by
(ie. root, in this case), so I'm not sure where the problem is here.


---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
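Added here as a defender's check, not part of the thread or of the Apache documentation: a POSIX shell audit of a logs directory for the conditions the message describes (directory owned by the user that starts the server, not writable by the server's group or by others, no symlinks that root's log writes would follow). The expected-owner argument, the FAIL wording and the sample paths are assumptions.

```shell
#!/bin/sh
# audit_logdir DIR [EXPECTED_OWNER]
# Checks an Apache logs directory against the permission rules discussed
# in the thread. Prints one FAIL line per finding and returns 1 if any
# finding was made, 0 if the directory is clean. EXPECTED_OWNER defaults
# to root, the user that starts a privileged Apache (an assumption).
audit_logdir() {
    dir=$1
    owner=${2:-root}
    rc=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi

    # The directory itself: must belong to the starting user, and must not
    # carry group or world write bits (chmod 770 with group www is the
    # problematic recommendation from the draft).
    if [ -z "$(find "$dir" -maxdepth 0 -user "$owner")" ]; then
        echo "FAIL: $dir is not owned by $owner"; rc=1
    fi
    if [ -n "$(find "$dir" -maxdepth 0 -perm -020)" ]; then
        echo "FAIL: $dir is group-writable"; rc=1
    fi
    if [ -n "$(find "$dir" -maxdepth 0 -perm -002)" ]; then
        echo "FAIL: $dir is world-writable"; rc=1
    fi

    # Entries inside: a symlink here redirects the root-owned log writer's
    # appends to whatever the link points at, which is the vector described.
    links=$(find "$dir" -mindepth 1 -maxdepth 1 -type l)
    if [ -n "$links" ]; then
        echo "FAIL: symlinks present in $dir:"
        echo "$links" | sed 's/^/  /'
        rc=1
    fi

    # Pre-created module log files are fine when owned/grouped deliberately,
    # but a world-writable log file lets any local user feed the log.
    ww=$(find "$dir" -mindepth 1 -maxdepth 1 -type f -perm -002)
    if [ -n "$ww" ]; then
        echo "FAIL: world-writable log files in $dir:"
        echo "$ww" | sed 's/^/  /'
        rc=1
    fi
    return $rc
}
```

Example invocation: `audit_logdir /usr/local/apache/logs root` (path is illustrative).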

