httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Silviu Andrica <silviu.andr...@gmail.com>
Subject Re: [users@httpd] Opening ErrorLog as root and overwriting any file on the system
Date Thu, 24 Nov 2011 17:03:28 GMT
Hi Tom,

thanks for the answer. It makes perfect sense.

The solution I thought about is a bit more complex. I did not go through the Apache code,
so below is just a sketch.

seteuid(${APACHE_RUN_USER}); //drop privileges
open(${ErrorLog}); //open file
seteuid(0); // get back root privileges
chown(${ErrorLog}, root, …); // change owner to root

In this case, the ErrorLog will be opened and accessible as ${APACHE_RUN_USER} for only a
brief moment of time, and after that it becomes owned by root. AFAIK, this solves the issue
I raised. If I miss any point, please let me know.

Best regards,
Silviu


On Nov 24, 2011, at 17:52 , Tom Evans wrote:

> On Thu, Nov 24, 2011 at 3:53 PM, silviu andrica
> <silviu.andrica@gmail.com> wrote:
>> Hi,
>> 
>> I noticed that in Apache/2.2.20 (Ubuntu), the ErrorLog is opened as root,
>> although the User is set to ${APACHE_RUN_USER}.
>> My concern is that if I make a mistake in ErrorLog, then I can damage any
>> file on my system because of a stupid copy-paste error.
>> 
>> I was wondering what is the reason Apache doesn't drop root privileges
>> before opening the ErrorLog file (to make sure that the user Apache will end
>> up running as can access and modify that file) and then get back the root
>> privileges, for the remaining operations that need be done as root?
>> 
> 
> This is by design to do the exact opposite of what you are suggesting.
> If it waited until it gave up it's root privileges, then the file
> would be owned/modifiable by the less privileged apache user, and
> could be removed or truncated by any web script or exploit. In
> general, it's a good idea that your log files are owned by root, just
> like your html content should only be readable, not modifiable, by the
> apache user.
> 
> Apache opens the file before forking, so non-root children will
> already have a file handle to the error log and will not have to open
> it again.
> 
> The trade off is against an admin accidentally writing something like
> 'ErrorLog /etc/master.passwd'.
> 
> Cheers
> 
> Tom
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 


Mime
View raw message