httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Galić <i.ga...@brainsware.org>
Subject Re: [users@httpd] Opening ErrorLog as root and overwriting any file on the system
Date Thu, 24 Nov 2011 18:04:14 GMT


----- Original Message -----
> Hi Tom,
> 
> 
> thanks for the answer. It makes perfect sense.
> 
> 
> The solution I thought about is a bit more complex. I did not go
> through the Apache code, so below is just a sketch.
> 
> 
> seteuid(${APACHE_RUN_USER}); //drop privileges
> open(${ErrorLog}); //open file
> seteuid(0); // get back root privileges

That doesn't work. Once you drop privileges you cannot get them back.

> chown(${ErrorLog}, root, …); // change owner to root
> 
> 
> In this case, the ErrorLog will be opened and accessible as
> ${APACHE_RUN_USER} for only a brief moment of time, and after that
> it becomes owned by root. AFAIK, this solves the issue I raised. If
> I miss any point, please let me know.
> 
> 
> Best regards,
> Silviu
> 
> 
> 
> 
> 
> On Nov 24, 2011, at 17:52 , Tom Evans wrote:
> 
> 
> 
> On Thu, Nov 24, 2011 at 3:53 PM, silviu andrica
> < silviu.andrica@gmail.com > wrote:
> 
> 
> Hi,
> 
> 
> 
> 
> 
> I noticed that in Apache/2.2.20 (Ubuntu), the ErrorLog is opened as
> root,
> 
> 
> although the User is set to ${APACHE_RUN_USER}.
> 
> 
> My concern is that if I make a mistake in ErrorLog, then I can damage
> any
> 
> 
> file on my system because of a stupid copy-paste error.
> 
> 
> 
> 
> 
> I was wondering what is the reason Apache doesn't drop root
> privileges
> 
> 
> before opening the ErrorLog file (to make sure that the user Apache
> will end
> 
> 
> up running as can access and modify that file) and then get back the
> root
> 
> 
> privileges, for the remaining operations that need be done as root?
> 
> 
> 
> 
> This is by design to do the exact opposite of what you are
> suggesting.
> If it waited until it gave up it's root privileges, then the file
> would be owned/modifiable by the less privileged apache user, and
> could be removed or truncated by any web script or exploit. In
> general, it's a good idea that your log files are owned by root, just
> like your html content should only be readable, not modifiable, by
> the
> apache user.
> 
> Apache opens the file before forking, so non-root children will
> already have a file handle to the error log and will not have to open
> it again.
> 
> The trade off is against an admin accidentally writing something like
> 'ErrorLog /etc/master.passwd'.
> 
> Cheers
> 
> Tom
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
> 

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message