Posted to dev@httpd.apache.org by Marc Slemko <ma...@znep.com> on 1997/01/05 00:58:34 UTC

doc patches for symlinked logfile warnings

Below is a patch which adds a bit about the consequences of having
directories where logfiles are stored writable by anyone other than
the user who starts the server; it adds a bit of an explanation to
the security tips page, and pointers to the security tips page from
anywhere where logfiles are talked about.  Use 'em or laugh at them
and motivate yourself to write something better; either way I'm happy.

Perhaps something in the CHANGES file too, even though it isn't really
a change?  That's probably around the only thing many people read
when upgrading.

Index: invoking.html
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/htdocs/manual/invoking.html,v
retrieving revision 1.6
diff -c -r1.6 invoking.html
*** invoking.html	1996/12/12 01:09:39	1.6
--- invoking.html	1997/01/04 23:06:09
***************
*** 80,85 ****
--- 80,92 ----
  and is <code>conf/mime.types</code> by default.
  
  <h2>Log files</h2>
+ <h3>security warning</h3>
+ Anyone who can write to the directory where Apache is writing a
+ log file can almost certainly gain access to the uid that the server is
+ started as, which is normally root.  Do <EM>NOT</EM> give people write
+ access to the directory the logs are stored in without being aware of
+ the consequences; see the <A HREF="misc/security_tips.html">security tips</A>
+ document for details.
  <h3>pid file</h3>
  On daemon startup, it saves the process id of the parent httpd process to
  the file <code>logs/httpd.pid</code>. This filename can be changed with the
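
Review bot: The new warning under "Log files" names only "the directory where Apache is writing a log file", yet the unchanged text right after it says the parent process also saves logs/httpd.pid on daemon startup. Please confirm whether the pid file is covered by the same concern and, if it is, widen the wording, for example to "the directory where Apache writes its log or pid files".
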
Index: multilogs.html
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/htdocs/manual/multilogs.html,v
retrieving revision 1.2
diff -c -r1.2 multilogs.html
*** multilogs.html	1996/12/02 18:13:42	1.2
--- multilogs.html	1997/01/04 23:11:06
***************
*** 49,55 ****
  The first argument is the filename to log to. This is used
  exactly like the argument to <code>TransferLog</code>, that is,
  it is either a file as a full path or relative to the current
! server root, or |programname. <p>
  
  The format argument specifies a format for each line of the log file.
  The options available for the format are exactly the same as for
--- 49,58 ----
  The first argument is the filename to log to. This is used
  exactly like the argument to <code>TransferLog</code>, that is,
  it is either a file as a full path or relative to the current
! server root, or |programname.  Be aware that anyone who can write to
! the directory where a log file is written can gain access to the uid
! that starts the server.  See the <A HREF="misc/security_tips.html">
! security tips</A> document for details.<p>
  
  The format argument specifies a format for each line of the log file.
  The options available for the format are exactly the same as for
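
Review bot: In the changed sentence the opening tag '<A HREF="misc/security_tips.html">' ends one line and the link text "security tips" starts the next, so the rendered link begins with a space; keep the tag and its text on one line. The claim "can gain access to the uid that starts the server" is also firmer than the "can almost certainly gain access" used in invoking.html; pick one wording for every page.
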
Index: new_features_1_2.html
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/htdocs/manual/new_features_1_2.html,v
retrieving revision 1.20
diff -c -r1.20 new_features_1_2.html
*** new_features_1_2.html	1996/12/20 05:42:14	1.20
--- new_features_1_2.html	1997/01/04 23:14:16
***************
*** 97,103 ****
  versions of Apache is now standard, and has been enhanced to allow
  logging of much more detail about the transaction, and can be used to
  open <a href="multilogs.html">more than one log file</a> at once 
! (each of which can have a different log format).
  
  <li><b><a href="mod/mod_usertrack.html">User Tracking (Cookies)
  Revisions</a></b><br>
--- 97,108 ----
  versions of Apache is now standard, and has been enhanced to allow
  logging of much more detail about the transaction, and can be used to
  open <a href="multilogs.html">more than one log file</a> at once 
! (each of which can have a different log format).  If you have Apache
! write any logs to a directory which is writable by anyone other than
! the user that starts the server, see the <A HREF="misc/security_tips.html">
! security tips</A> document to be sure you aren't putting the security
! of your server at risk.
! 
  
  <li><b><a href="mod/mod_usertrack.html">User Tracking (Cookies)
  Revisions</a></b><br>
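
Review bot: The replacement block ends with an empty "!" line, which together with the existing blank context line leaves two blank lines before the next "<li>"; drop it. The permissions advice is also appended straight onto the end of a feature description ("(each of which can have a different log format).  If you have Apache write any logs ..."); setting it off as its own short note would read better in a feature list.
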
Index: virtual-host.html
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/htdocs/manual/virtual-host.html,v
retrieving revision 1.8
diff -c -r1.8 virtual-host.html
*** virtual-host.html	1996/12/12 01:09:41	1.8
--- virtual-host.html	1997/01/04 23:36:45
***************
*** 130,135 ****
--- 130,143 ----
  
  <P>
  
+ <EM>SECURITY:</EM> When specifying where to write log files, be aware
+ of some security risks which are present if anyone other than the
+ user that starts Apache has write access to the directory where they
+ are written.  See the <A HREF="misc/security_tips.html">security
+ tips</A> document for details.
+ 
+ <P>
+ 
  <H2>File Handle/Resource Limits:</H2>
  When using a large number of Virtual Hosts, Apache may run out of available
  file descriptors if each Virtual Host specifies different log files.
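
Review bot: "be aware of some security risks" does not tell the reader what the risk is, while other pages in this patch state it directly (access to the uid that starts the server); use the same concrete sentence here. The "<EM>SECURITY:</EM>" label also differs from the plain "SECURITY:" in core.html and the "<strong>Security:</strong>" in the mod_log_* pages, so one form of the label should be chosen for the whole manual.
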
Index: misc/security_tips.html
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/htdocs/manual/misc/security_tips.html,v
retrieving revision 1.3
diff -c -r1.3 security_tips.html
*** security_tips.html	1996/11/26 05:36:42	1.3
--- security_tips.html	1997/01/04 23:52:22
***************
*** 15,20 ****
--- 15,32 ----
  
  <HR>
  
+ <H2>Permissions on Log File Directories</H2>
+ <P>When Apache starts, it opens the log files as the user who started the
+ server before switching to the user defined in the 
+ <a href="../mod/core.html#user"><b>User</b></a> directive.  Anyone who
+ has write permission for the directory where any log files are
+ being written to can append pseudo-arbitrary data to any file on the
+ system which is writable to the user who starts Apache.  Since the
+ server is normally started by root, you should <EM>NOT</EM> give anyone
+ write permission to the directory where logs are stored unless you
+ want them to have root access. 
+ <P>
+ <HR>
  <H2>Server Side Includes</H2>
  <P>Server side includes (SSI) can be configured so that users can execute
  arbitrary programs on the server. That thought alone should send a shiver
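
Review bot: The new "Permissions on Log File Directories" section states the consequence but neither the cause nor the recommended setup. The subject of this mail refers to symlinked logfiles, yet the paragraph never says that this is how a writable log directory turns into data being appended elsewhere, and the step from "append pseudo-arbitrary data to any file" to "root access" is left to the reader. Add one sentence on the cause and one positive instruction, i.e. that the log directory should be writable only by the user who starts the server. The section also closes with a bare "<P>" directly before "<HR>", which yields an empty paragraph.
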
***************
*** 55,68 ****
  
  All the CGI scripts will run as the same user, so they have potential to
  conflict (accidentally or deliberately) with other scripts e.g. User A hates
! User B, so he writes a script to trash User B's CGI database.<P>
  
  <HR>
  
- Please send any other useful security tips to
- <A HREF="mailto:apache-bugs@mail.apache.org">apache-bugs@mail.apache.org</A>
- <p>
- <HR>
  
  <H2>Stopping users overriding system wide settings...</H2>
  <P>To run a really tight ship, you'll want to stop users from setting
--- 67,80 ----
  
  All the CGI scripts will run as the same user, so they have potential to
  conflict (accidentally or deliberately) with other scripts e.g. User A hates
! User B, so he writes a script to trash User B's CGI database.  One
! program which can be used to allow scripts to run as different users is 
! <A HREF="../suexec.html">suEXEC</A> which is supported directly by
! Apache.  Another popular way of doing this is with 
! <A HREF="http://wwwcgi.umr.edu/~cgiwrap/">CGIWrap</A>.  <P>
  
  <HR>
  
  
  <H2>Stopping users overriding system wide settings...</H2>
  <P>To run a really tight ship, you'll want to stop users from setting
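
Review bot: This hunk is unrelated to the logfile warning described in the covering message: it adds suEXEC and CGIWrap pointers to the CGI paragraph and deletes the "Please send any other useful security tips" block. Mention both changes in the message or send them separately so they get reviewed on their own. After the deletion the "<HR>" is followed by two blank lines; one is enough.
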
***************
*** 84,89 ****
--- 96,107 ----
  
  This stops all overrides, Includes and accesses in all directories apart
  from those named.<p>
+ 
+ <HR>
+ <P>Please send any other useful security tips to
+ <A HREF="mailto:apache-bugs@mail.apache.org">apache-bugs@mail.apache.org</A>
+ <p>
+ <HR>
  
  <!--#include virtual="footer.html" -->
  </BODY>
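
Review bot: The relocated "Please send any other useful security tips" block now opens with an uppercase "<P>" and still ends with a lowercase "<p>" before "<HR>", so three added lines mix two tag cases and leave an empty paragraph after the mailto link. Use one case, drop the trailing "<p>", and end the sentence with a period.
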
Index: mod/core.html
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/htdocs/manual/mod/core.html,v
retrieving revision 1.27
diff -c -r1.27 core.html
*** core.html	1997/01/01 07:10:24	1.27
--- core.html	1997/01/04 23:24:57
***************
*** 391,397 ****
  then it is assumed to be relative to the <A HREF="#serverroot">ServerRoot</A>.
  Example:
  <blockquote><code>ErrorLog /dev/null</code></blockquote>
! This effectively turns off error logging.<p><hr>
  
  <A name="files"><h2>&lt;Files&gt;</h2></A>
  <strong>Syntax:</strong> &lt;Files <em>filename</em>&gt;
--- 391,404 ----
  then it is assumed to be relative to the <A HREF="#serverroot">ServerRoot</A>.
  Example:
  <blockquote><code>ErrorLog /dev/null</code></blockquote>
! This effectively turns off error logging.<p>
! 
! SECURITY: See the <A HREF="../misc/security_tips.html">security tips</A> 
! document for details on why your security could be compromised if
! the directory where logfiles are stored is writable by anyone other
! than the user that starts the server.
! 
! <p><hr>
  
  <A name="files"><h2>&lt;Files&gt;</h2></A>
  <strong>Syntax:</strong> &lt;Files <em>filename</em>&gt;
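
Review bot: The SECURITY paragraph is placed directly after the "ErrorLog /dev/null" example and "This effectively turns off error logging.", so it reads as a remark on that example rather than on ErrorLog in general. Move it above "Example:" or open it with something like "When logging to a file, ..." so the scope is clear.
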
***************
*** 1213,1218 ****
--- 1220,1230 ----
  then this can be accomplished with the <code>ifconfig alias</code>
  command (if your OS supports it), or with kernel patches like <A
  HREF="../misc/vif-info.html">VIF</A> (for SunOS(TM) 4.1.x)).<p>
+ 
+ SECURITY: See the <A HREF="../misc/security_tips.html">security tips</A> 
+ document for details on why your security could be compromised if
+ the directory where logfiles are stored is writable by anyone other
+ than the user that starts the server.
  
  <p><strong>See also:</strong>
  <A HREF="../virtual-host.html">Information on Virtual Hosts.
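
Review bot: Nothing in the surrounding context (the "ifconfig alias" and VIF text above, the "See also" link to virtual hosts below) mentions log files, so the inserted SECURITY paragraph appears without a stated reason. Tie it to the section, for example by opening with "If you give a virtual host its own log files, ...".
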
Index: mod/mod_log_agent.html
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/htdocs/manual/mod/mod_log_agent.html,v
retrieving revision 1.2
diff -c -r1.2 mod_log_agent.html
*** mod_log_agent.html	1996/11/21 10:30:49	1.2
--- mod_log_agent.html	1997/01/04 23:38:32
***************
*** 40,45 ****
--- 40,51 ----
  run under the user who started httpd. This will be root if the server
  was started by root; be sure that the program is secure.<p>
  
+ <strong>Security:</strong> See the <A
+ HREF="../misc/security_tips.html">security tips</A> document for
+ details on why your security could be compromised if the directory
+ where logfiles are stored is writable by anyone other than the user
+ that starts the server.<P>
+ 
  This directive is provided for compatibility with NCSA 1.4.<p>
  
  <!--#include virtual="footer.html" -->
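
Review bot: The inserted paragraph lands between the warning about piped programs running as the user who started httpd and "This directive is provided for compatibility with NCSA 1.4.", which separates the compatibility note from the directive text above it. Put the Security paragraph after the compatibility line, as the last item before the footer include. The same placement applies to the identical insertion in mod_log_referer.html.
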
Index: mod/mod_log_common.html
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/htdocs/manual/mod/mod_log_common.html,v
retrieving revision 1.3
diff -c -r1.3 mod_log_common.html
*** mod_log_common.html	1996/11/26 06:03:26	1.3
--- mod_log_common.html	1997/01/04 23:39:05
***************
*** 82,87 ****
--- 82,93 ----
  run under the user who started httpd. This will be root if the server
  was started by root; be sure that the program is secure.<p>
  
+ <strong>Security:</strong> See the <A
+ HREF="../misc/security_tips.html">security tips</A> document for
+ details on why your security could be compromised if the directory
+ where logfiles are stored is writable by anyone other than the user
+ that starts the server.<P>
+ 
  <!--#include virtual="footer.html" -->
  </BODY>
  </HTML>
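
Review bot: The added paragraph writes "logfiles" as one word, as do the core.html and other mod_log_* hunks, while invoking.html and security_tips.html in this same patch use "log file" and "log files". Settle on one spelling across the manual.
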
Index: mod/mod_log_config.html
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/htdocs/manual/mod/mod_log_config.html,v
retrieving revision 1.8
diff -c -r1.8 mod_log_config.html
*** mod_log_config.html	1996/12/22 04:05:16	1.8
--- mod_log_config.html	1997/01/04 23:39:44
***************
*** 162,167 ****
--- 162,174 ----
  See the examples below.
  <p>
  
+ <h2>Security Considerations</h2>
+ 
+ See the <A HREF="../misc/security_tips.html">security tips</A> document
+ for details on why your security could be compromised if the directory
+ where logfiles are stored is writable by anyone other than the user
+ that starts the server.
+ <p>
  <h2>Directives</h2>
  
  <ul>
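
Review bot: A full "<h2>Security Considerations</h2>" section is added for a single sentence that only points to another page, and it sits at the same heading level as "<h2>Directives</h2>". Either state the risk briefly in the section itself or reduce it to the inline "Security:" paragraph used in the other mod_log_* pages.
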
Index: mod/mod_log_referer.html
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/htdocs/manual/mod/mod_log_referer.html,v
retrieving revision 1.2
diff -c -r1.2 mod_log_referer.html
*** mod_log_referer.html	1996/11/21 10:30:50	1.2
--- mod_log_referer.html	1997/01/04 23:40:15
***************
*** 67,72 ****
--- 67,78 ----
  run under the user who started httpd. This will be root if the server
  was started by root; be sure that the program is secure.<p>
  
+ <strong>Security:</strong> See the <A
+ HREF="../misc/security_tips.html">security tips</A> document for
+ details on why your security could be compromised if the directory
+ where logfiles are stored is writable by anyone other than the user
+ that starts the server.<P>
+ 
  This directive is provided for compatibility with NCSA 1.4.<p>
  
  <!--#include virtual="footer.html" -->
Index: mod/mod_rewrite.html
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/htdocs/manual/mod/mod_rewrite.html,v
retrieving revision 1.3
diff -c -r1.3 mod_rewrite.html
*** mod_rewrite.html	1997/01/01 18:32:20	1.3
--- mod_rewrite.html	1997/01/04 23:33:03
***************
*** 151,156 ****
--- 151,162 ----
  <tt>RewriteLog</tt> directive or use <tt>RewriteLogLevel 0</tt>!
  </td></tr>
  </table>
+ <P>
+ 
+ SECURITY: See the <A HREF="../misc/security_tips.html">security
+ tips</A> document for details on why your security could be
+ compromised if the directory where logfiles are stored is writable
+ by anyone other than the user that starts the server. <P>
  
  <p>
  <b>Example:</b>
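
Review bot: The new text is wrapped as "<P>" ... "<P>" and is followed by a blank line and the existing "<p>" before "<b>Example:</b>", so two paragraph tags end up back to back. Drop the trailing "<P>" on the last added line.
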