httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tom Evans <tevans...@googlemail.com>
Subject Re: [users@httpd] Opening ErrorLog as root and overwriting any file on the system
Date Thu, 24 Nov 2011 17:20:16 GMT
On Thu, Nov 24, 2011 at 5:03 PM, Silviu Andrica
<silviu.andrica@gmail.com> wrote:
> Hi Tom,
> thanks for the answer. It makes perfect sense.
> The solution I thought about is a bit more complex. I did not go through the
> Apache code, so below is just a sketch.
> seteuid(${APACHE_RUN_USER}); //drop privileges
> open(${ErrorLog}); //open file
> seteuid(0); // get back root privileges
> chown(${ErrorLog}, root, …); // change owner to root
> In this case, the ErrorLog will be opened and accessible
> as ${APACHE_RUN_USER} for only a brief moment of time, and after that it
> becomes owned by root. AFAIK, this solves the issue I raised. If I miss any
> point, please let me know.

<DevilsAdvocate>
What would it do when the file already exists and is owned by root? :)
</DevilsAdvocate>

It is hard to distinguish between "file owned by root, but we should
append to it" and "file owned by root and the admin made a mistake in
the conf file". The former is the usual case when starting a server
with pre-existing log files, the latter is the case you are trying to
avoid.

Cheers

Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message