Posted to dev@httpd.apache.org by Randy Terbush <ra...@zyzzyva.com> on 1997/01/10 06:56:08 UTC
Re: 1.3 veto ?
> On Fri, 10 Jan 1997, Chuck Murcko wrote:
>
> > Right now, it almost seems like we're in beta burnout. Bug fixes aren't
> > getting voted on, and there's no clear deadline for even the next beta.
> > 1.2 feels like it's starting to dissipate. That needs to change.
> > We can set the stage for 2.0 well, if we get 1.2 back on track.
>
> Let's start with a list of security things that I think are
> outstanding:
>
> - suexec fixes; anyone have any patches started?
Yes, Jason has a set of patches for all but the enviro fix. I'm
trying to find some time to nuke that one in the next couple days.
> - suexec doc improvements; I will try to suggest a patch for
> some of the stuff I think should be clarified if no one
> else gets there first.
> - logfile directory permissions warning; I sent off a
> suggested docs patch but got no response. If people don't
> like it, that's cool; SAY SOMETHING. This security risk
> needs to be documented somehow.
As I remember, it was fine. Today's little email flurry has left it
a bit buried....
> - snprintf changes; still some discussion needed about
> implementation, but I think most of that will come when a
> patch is submitted for discussion. I will try to do
> something ASAP.
>
1.2 buglist...
Posted by "Jason A. Dour" <ja...@bcc.louisville.edu>.
-----BEGIN PGP SIGNED MESSAGE-----
On Thu, 9 Jan 1997, Randy Terbush wrote:
> > - suexec fixes; anyone have any patches started?
>
> Yes, Jason has a set of patches for all but the enviro fix. I'm
> trying to find some time to nuke that one in the next couple days.
Talk about headaches! I still can't get my head around that
one... Oh well. The environment stuff should be the last of the suEXEC
issues for the time being.
> > - suexec doc improvements; I will try to suggest a patch for
> > some of the stuff I think should be clarified if no one
> > else gets there first.
I was going to try to get to that this weekend... I was gonna
comb over the current docs and update them for the current wrapper and
design and whatnot.
> > - logfile directory permissions warning; I sent off a
> > suggested docs patch but got no response. If people don't
> > like it, that's cool; SAY SOMETHING. This security risk
> > needs to be documented somehow.
>
> As I remember, it was fine. Today's little email flurry has left it
> a bit buried....
>
> > - snprintf changes; still some discussion needed about
> > implementation, but I think most of that will come when a
> > patch is submitted for discussion. I will try to do
> > something ASAP.
There's also the bug that has been reported twice regarding
<!--#include virtual="" --> not passing PATH_INFO but FILEPATH_INFO
instead. This should be a simple fix...but I'm swamped at the moment.
Can we get this fixed as well? Or is there some higher purpose I'm
missing? Just curious.
Jason
# Jason A. Dour <ja...@bcc.louisville.edu> 1101
# Programmer Analyst II; Department of Radiation Oncology; Univ. of Lou.
# Finger for URLs, PGP public key, geek code, PJ Harvey info, et cetera.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMtYTJZo1JaC71RLxAQEQqQP8DCx8A8icNU/L4aqRiJ2GMX6LO52t79p0
fHeJdaBNJf4k1dDi+IFMljY9na/8RClYKxIfVoaaLh+svzLowGhOO/uQYCbc4PvV
qmzJWzxrh/Yrv1OXhAKVf/AemX4hpvrAuY2EqkMj8e/Rr4SM4FON46WGUukW9IJ8
sKQW8ZtWslY=
=QDpp
-----END PGP SIGNATURE-----
Re: Security documentation
Posted by Ed Korthof <ed...@organic.com>.
+1 -- they look good to me.
On Thu, 9 Jan 1997, Brian Behlendorf wrote:
> On Thu, 9 Jan 1997, Marc Slemko wrote:
> > I made a small change in response to Jim's valid comment about "supported
> > directly by Apache"; thanks Jim for pointing that out. Included
> > below is an updated copy of my suggested additions to the docs.
>
> All these suggestions made sense to me. Anyone else want to +1 them so I can
> commit them?
>
> Brian
>
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> brian@organic.com www.apache.org hyperreal.com http://www.organic.com/JOBS
>
-- Ed Korthof | Web Server Engineer --
-- ed@organic.com | Organic Online, Inc --
-- (415) 278-5676 | Fax: (415) 284-6891 --
Security documentation
Posted by Brian Behlendorf <br...@organic.com>.
On Thu, 9 Jan 1997, Marc Slemko wrote:
> I made a small change in response to Jim's valid comment about "supported
> directly by Apache"; thanks Jim for pointing that out. Included
> below is an updated copy of my suggested additions to the docs.
All these suggestions made sense to me. Anyone else want to +1 them so I can
commit them?
Brian
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com www.apache.org hyperreal.com http://www.organic.com/JOBS
Re: 1.3 veto ?
Posted by Marc Slemko <ma...@znep.com>.
On Thu, 9 Jan 1997, Randy Terbush wrote:
> > - logfile directory permissions warning; I sent off a
> > suggested docs patch but got no response. If people don't
> > like it, that's cool; SAY SOMETHING. This security risk
> > needs to be documented somehow.
>
> As I remember, it was fine. Today's little email flurry has left it
> a bit buried....
I made a small change in response to Jim's valid comment about "supported
directly by Apache"; thanks Jim for pointing that out. Included
below is an updated copy of my suggested additions to the docs.
Index: manual/invoking.html
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/htdocs/manual/invoking.html,v
retrieving revision 1.6
diff -c -r1.6 invoking.html
*** invoking.html 1996/12/12 01:09:39 1.6
--- invoking.html 1997/01/04 23:06:09
***************
*** 80,85 ****
--- 80,92 ----
and is <code>conf/mime.types</code> by default.
<h2>Log files</h2>
+ <h3>security warning</h3>
+ Anyone who can write to the directory where Apache is writing a
+ log file can almost certainly gain access to the uid that the server is
+ started as, which is normally root. Do <EM>NOT</EM> give people write
+ access to the directory the logs are stored in without being aware of
+ the consequences; see the <A HREF="misc/security_tips.html">security tips</A>
+ document for details.
<h3>pid file</h3>
On daemon startup, it saves the process id of the parent httpd process to
the file <code>logs/httpd.pid</code>. This filename can be changed with the
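Review bot: the new `<h3>security warning</h3>` paragraph says a directory writer "can almost certainly gain access to the uid that the server is started as", which is a stronger claim than the security_tips.html text in this same patch supports (appending pseudo-arbitrary data to any file writable by the user who starts Apache). Either align this wording with the security_tips paragraph or keep the stronger claim only where the mechanism is spelled out, so the two pages do not disagree. This patch also labels the same warning five different ways (`<h3>security warning</h3>` here, `<EM>SECURITY:</EM>`, bare `SECURITY:`, `<strong>Security:</strong>`, `<h2>Security Considerations</h2>`); picking one form makes it easier to find and to keep in sync.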
Index: manual/multilogs.html
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/htdocs/manual/multilogs.html,v
retrieving revision 1.2
diff -c -r1.2 multilogs.html
*** multilogs.html 1996/12/02 18:13:42 1.2
--- multilogs.html 1997/01/04 23:11:06
***************
*** 49,55 ****
The first argument is the filename to log to. This is used
exactly like the argument to <code>TransferLog</code>, that is,
it is either a file as a full path or relative to the current
! server root, or |programname. <p>
The format argument specifies a format for each line of the log file.
The options available for the format are exactly the same as for
--- 49,58 ----
The first argument is the filename to log to. This is used
exactly like the argument to <code>TransferLog</code>, that is,
it is either a file as a full path or relative to the current
! server root, or |programname. Be aware that anyone who can write to
! the directory where a log file is written can gain access to the uid
! that starts the server. See the <A HREF="misc/security_tips.html">
! security tips</A> document for details.<p>
The format argument specifies a format for each line of the log file.
The options available for the format are exactly the same as for
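Review bot: the warning in the `!` lines is spliced into the sentence that describes the filename argument, directly after `|programname`, so it reads as though it were about the piped form, which carries a different risk (the program runs as the user who started httpd, as the mod_log_common.html hunk below says). Suggest ending the sentence at `|programname.`, giving the log-directory warning its own sentence in the same `SECURITY:` form used in the other files, and adding a second sentence for the piped case.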
Index: manual/new_features_1_2.html
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/htdocs/manual/new_features_1_2.html,v
retrieving revision 1.20
diff -c -r1.20 new_features_1_2.html
*** new_features_1_2.html 1996/12/20 05:42:14 1.20
--- new_features_1_2.html 1997/01/04 23:14:16
***************
*** 97,103 ****
versions of Apache is now standard, and has been enhanced to allow
logging of much more detail about the transaction, and can be used to
open <a href="multilogs.html">more than one log file</a> at once
! (each of which can have a different log format).
<li><b><a href="mod/mod_usertrack.html">User Tracking (Cookies)
Revisions</a></b><br>
--- 97,108 ----
versions of Apache is now standard, and has been enhanced to allow
logging of much more detail about the transaction, and can be used to
open <a href="multilogs.html">more than one log file</a> at once
! (each of which can have a different log format). If you have Apache
! write any logs to a directory which is writable by anyone other than
! the user that starts the server, see the <A HREF="misc/security_tips.html">
! security tips</A> document to be sure you aren't putting the security
! of your server at risk.
!
<li><b><a href="mod/mod_usertrack.html">User Tracking (Cookies)
Revisions</a></b><br>
Index: manual/virtual-host.html
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/htdocs/manual/virtual-host.html,v
retrieving revision 1.8
diff -c -r1.8 virtual-host.html
*** virtual-host.html 1996/12/12 01:09:41 1.8
--- virtual-host.html 1997/01/04 23:36:45
***************
*** 130,135 ****
--- 130,143 ----
<P>
+ <EM>SECURITY:</EM> When specifying where to write log files, be aware
+ of some security risks which are present if anyone other than the
+ user that starts Apache has write access to the directory where they
+ are written. See the <A HREF="misc/security_tips.html">security
+ tips</A> document for details.
+
+ <P>
+
<H2>File Handle/Resource Limits:</H2>
When using a large number of Virtual Hosts, Apache may run out of available
file descriptors if each Virtual Host specifies different log files.
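Review bot: "some security risks which are present" in the added `<EM>SECURITY:</EM>` paragraph is vaguer than the equivalent text in the invoking.html and multilogs.html hunks of this same patch, which name the risk (a directory writer can gain the uid that starts the server). A reader skimming the virtual-host page cannot tell whether it applies to them; state the consequence in one clause here and keep the link for details.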
Index: manual/misc/security_tips.html
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/htdocs/manual/misc/security_tips.html,v
retrieving revision 1.3
diff -c -r1.3 security_tips.html
*** security_tips.html 1996/11/26 05:36:42 1.3
--- security_tips.html 1997/01/10 06:25:57
***************
*** 15,20 ****
--- 15,32 ----
<HR>
+ <H2>Permissions on Log File Directories</H2>
+ <P>When Apache starts, it opens the log files as the user who started the
+ server before switching to the user defined in the
+ <a href="../mod/core.html#user"><b>User</b></a> directive. Anyone who
+ has write permission for the directory where any log files are
+ being written to can append pseudo-arbitrary data to any file on the
+ system which is writable to the user who starts Apache. Since the
+ server is normally started by root, you should <EM>NOT</EM> give anyone
+ write permission to the directory where logs are stored unless you
+ want them to have root access.
+ <P>
+ <HR>
<H2>Server Side Includes</H2>
<P>Server side includes (SSI) can be configured so that users can execute
arbitrary programs on the server. That thought alone should send a shiver
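Review bot: the new `<H2>Permissions on Log File Directories</H2>` paragraph states the consequence (a directory writer can append pseudo-arbitrary data to any file writable by the user who starts Apache) but not how that follows from write permission on the directory, so a reader cannot judge whether a given setup is exposed or why the fix works. One sentence would do: say what a directory writer can do with that permission before the starting user opens the log (put something else under the log file's name), and why the appended data is only "pseudo-arbitrary" (it is whatever ends up in the log, which comes from client requests). It would also help to state the safe configuration positively (directory owned by the starting user and not group- or world-writable) rather than only what not to do, and to say that this applies to every directory any log is written to, not just the default `logs/` directory.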
***************
*** 54,68 ****
deliberate or accidental.<p>
All the CGI scripts will run as the same user, so they have potential to
! conflict (accidentally or deliberately) with other scripts e.g. User A hates
! User B, so he writes a script to trash User B's CGI database.<P>
<HR>
- Please send any other useful security tips to
- <A HREF="mailto:apache-bugs@mail.apache.org">apache-bugs@mail.apache.org</A>
- <p>
- <HR>
<H2>Stopping users overriding system wide settings...</H2>
<P>To run a really tight ship, you'll want to stop users from setting
--- 66,81 ----
deliberate or accidental.<p>
All the CGI scripts will run as the same user, so they have potential to
! conflict (accidentally or deliberately) with other scripts e.g.
! User A hates User B, so he writes a script to trash User B's CGI
! database. One program which can be used to allow scripts to run
! as different users is <A HREF="../suexec.html">suEXEC</A> which is
! included with Apache as of 1.2 and is called from special hooks in
! the Apache server code. Another popular way of doing this is with
! <A HREF="http://wwwcgi.umr.edu/~cgiwrap/">CGIWrap</A>. <P>
<HR>
<H2>Stopping users overriding system wide settings...</H2>
<P>To run a really tight ship, you'll want to stop users from setting
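Review bot: the rewrapped `!` lines point readers to `<A HREF="../suexec.html">suEXEC</A>` as the way to run CGI scripts as different users, but the messages at the top of this thread list the suexec fixes (including the environment fix) and the suexec doc update as still outstanding for 1.2. Either hold this sentence until those land, or word it so it is not read as an unqualified recommendation ("suEXEC, included with Apache as of 1.2, can be used ...; see its documentation for its current restrictions"), and confirm that `../suexec.html` is the path the updated document will actually have. The rewrap of the unchanged "User A hates User B" sentence also adds `!` lines that carry no change; leaving the original line breaks keeps the diff to the real edit.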
***************
*** 84,89 ****
--- 97,108 ----
This stops all overrides, Includes and accesses in all directories apart
from those named.<p>
+
+ <HR>
+ <P>Please send any other useful security tips to
+ <A HREF="mailto:apache-bugs@mail.apache.org">apache-bugs@mail.apache.org</A>
+ <p>
+ <HR>
<!--#include virtual="footer.html" -->
</BODY>
Index: manual/mod/core.html
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/htdocs/manual/mod/core.html,v
retrieving revision 1.27
diff -c -r1.27 core.html
*** core.html 1997/01/01 07:10:24 1.27
--- core.html 1997/01/04 23:24:57
***************
*** 391,397 ****
then it is assumed to be relative to the <A HREF="#serverroot">ServerRoot</A>.
Example:
<blockquote><code>ErrorLog /dev/null</code></blockquote>
! This effectively turns off error logging.<p><hr>
<A name="files"><h2><Files></h2></A>
<strong>Syntax:</strong> <Files <em>filename</em>>
--- 391,404 ----
then it is assumed to be relative to the <A HREF="#serverroot">ServerRoot</A>.
Example:
<blockquote><code>ErrorLog /dev/null</code></blockquote>
! This effectively turns off error logging.<p>
!
! SECURITY: See the <A HREF="../misc/security_tips.html">security tips</A>
! document for details on why your security could be compromised if
! the directory where logfiles are stored is writable by anyone other
! than the user that starts the server.
!
! <p><hr>
<A name="files"><h2><Files></h2></A>
<strong>Syntax:</strong> <Files <em>filename</em>>
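Review bot: the `SECURITY:` paragraph is attached only to `ErrorLog`, yet the invoking.html hunk in this same patch shows that `logs/httpd.pid` is written to the same directory by the parent process, and core.html documents the directive that controls that filename too. Either repeat the cross-reference there or, better, put the note once in a place that covers every file the server writes before switching uid, so a reader who only looks up the pid file directive is not left without the warning.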
***************
*** 1213,1218 ****
--- 1220,1230 ----
then this can be accomplished with the <code>ifconfig alias</code>
command (if your OS supports it), or with kernel patches like <A
HREF="../misc/vif-info.html">VIF</A> (for SunOS(TM) 4.1.x)).<p>
+
+ SECURITY: See the <A HREF="../misc/security_tips.html">security tips</A>
+ document for details on why your security could be compromised if
+ the directory where logfiles are stored is writable by anyone other
+ than the user that starts the server.
<p><strong>See also:</strong>
<A HREF="../virtual-host.html">Information on Virtual Hosts.
Index: manual/mod/mod_log_agent.html
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/htdocs/manual/mod/mod_log_agent.html,v
retrieving revision 1.2
diff -c -r1.2 mod_log_agent.html
*** mod_log_agent.html 1996/11/21 10:30:49 1.2
--- mod_log_agent.html 1997/01/04 23:38:32
***************
*** 40,45 ****
--- 40,51 ----
run under the user who started httpd. This will be root if the server
was started by root; be sure that the program is secure.<p>
+ <strong>Security:</strong> See the <A
+ HREF="../misc/security_tips.html">security tips</A> document for
+ details on why your security could be compromised if the directory
+ where logfiles are stored is writable by anyone other than the user
+ that starts the server.<P>
+
This directive is provided for compatibility with NCSA 1.4.<p>
<!--#include virtual="footer.html" -->
Index: manual/mod/mod_log_common.html
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/htdocs/manual/mod/mod_log_common.html,v
retrieving revision 1.3
diff -c -r1.3 mod_log_common.html
*** mod_log_common.html 1996/11/26 06:03:26 1.3
--- mod_log_common.html 1997/01/04 23:39:05
***************
*** 82,87 ****
--- 82,93 ----
run under the user who started httpd. This will be root if the server
was started by root; be sure that the program is secure.<p>
+ <strong>Security:</strong> See the <A
+ HREF="../misc/security_tips.html">security tips</A> document for
+ details on why your security could be compromised if the directory
+ where logfiles are stored is writable by anyone other than the user
+ that starts the server.<P>
+
<!--#include virtual="footer.html" -->
</BODY>
</HTML>
Index: manual/mod/mod_log_config.html
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/htdocs/manual/mod/mod_log_config.html,v
retrieving revision 1.8
diff -c -r1.8 mod_log_config.html
*** mod_log_config.html 1996/12/22 04:05:16 1.8
--- mod_log_config.html 1997/01/04 23:39:44
***************
*** 162,167 ****
--- 162,174 ----
See the examples below.
<p>
+ <h2>Security Considerations</h2>
+
+ See the <A HREF="../misc/security_tips.html">security tips</A> document
+ for details on why your security could be compromised if the directory
+ where logfiles are stored is writable by anyone other than the user
+ that starts the server.
+ <p>
<h2>Directives</h2>
<ul>
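Review bot: the new `<h2>Security Considerations</h2>` section only covers directory permissions, but mod_log_config accepts the same `|programname` form that the multilogs.html hunk describes ("server root, or |programname"), and the mod_log_common.html hunk already carries the "run under the user who started httpd ... be sure that the program is secure" warning for that form. Since this is a dedicated section, it is the natural place to state both risks for this module rather than leaving the piped-log one only in mod_log_common.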
Index: manual/mod/mod_log_referer.html
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/htdocs/manual/mod/mod_log_referer.html,v
retrieving revision 1.2
diff -c -r1.2 mod_log_referer.html
*** mod_log_referer.html 1996/11/21 10:30:50 1.2
--- mod_log_referer.html 1997/01/04 23:40:15
***************
*** 67,72 ****
--- 67,78 ----
run under the user who started httpd. This will be root if the server
was started by root; be sure that the program is secure.<p>
+ <strong>Security:</strong> See the <A
+ HREF="../misc/security_tips.html">security tips</A> document for
+ details on why your security could be compromised if the directory
+ where logfiles are stored is writable by anyone other than the user
+ that starts the server.<P>
+
This directive is provided for compatibility with NCSA 1.4.<p>
<!--#include virtual="footer.html" -->
Index: manual/mod/mod_rewrite.html
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/htdocs/manual/mod/mod_rewrite.html,v
retrieving revision 1.3
diff -c -r1.3 mod_rewrite.html
*** mod_rewrite.html 1997/01/01 18:32:20 1.3
--- mod_rewrite.html 1997/01/04 23:33:03
***************
*** 151,156 ****
--- 151,162 ----
<tt>RewriteLog</tt> directive or use <tt>RewriteLogLevel 0</tt>!
</td></tr>
</table>
+ <P>
+
+ SECURITY: See the <A HREF="../misc/security_tips.html">security
+ tips</A> document for details on why your security could be
+ compromised if the directory where logfiles are stored is writable
+ by anyone other than the user that starts the server. <P>
<p>
<b>Example:</b>
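Review bot: the added text ends with `by anyone other than the user that starts the server. <P>` and is immediately followed by the existing `<p>` on the next context line, giving two consecutive paragraph breaks before `<b>Example:</b>`; drop the trailing `<P>` from the added text (the leading `+ <P>` is enough to separate it from the table). The placement right after the `RewriteLog` / `RewriteLogLevel 0` note is otherwise the right spot, since that is where the page tells the reader about writing a log at all.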