----- Original Message -----
> Hi Tom,
>
>
> thanks for the answer. It makes perfect sense.
>
>
> The solution I thought about is a bit more complex. I did not go
> through the Apache code, so below is just a sketch.
>
>
> seteuid(${APACHE_RUN_USER}); //drop privileges
> open(${ErrorLog}); //open file
> seteuid(0); // get back root privileges
That doesn't work. Once you drop privileges you cannot get them back.
> chown(${ErrorLog}, root, …); // change owner to root
>
>
> In this case, the ErrorLog will be opened and accessible as
> ${APACHE_RUN_USER} for only a brief moment of time, and after that
> it becomes owned by root. AFAIK, this solves the issue I raised. If
> I miss any point, please let me know.
>
>
> Best regards,
> Silviu
>
>
>
>
>
> On Nov 24, 2011, at 17:52 , Tom Evans wrote:
>
>
>
> On Thu, Nov 24, 2011 at 3:53 PM, silviu andrica
> < silviu.andrica@xxxxxxxxx > wrote:
>
>
> Hi,
>
>
>
>
>
> I noticed that in Apache/2.2.20 (Ubuntu), the ErrorLog is opened as
> root,
>
>
> although the User is set to ${APACHE_RUN_USER}.
>
>
> My concern is that if I make a mistake in ErrorLog, then I can damage
> any
>
>
> file on my system because of a stupid copy-paste error.
>
>
>
>
>
> I was wondering what is the reason Apache doesn't drop root
> privileges
>
>
> before opening the ErrorLog file (to make sure that the user Apache
> will end
>
>
> up running as can access and modify that file) and then get back the
> root
>
>
> privileges, for the remaining operations that need be done as root?
>
>
>
>
> This is by design to do the exact opposite of what you are
> suggesting.
> If it waited until it gave up it's root privileges, then the file
> would be owned/modifiable by the less privileged apache user, and
> could be removed or truncated by any web script or exploit. In
> general, it's a good idea that your log files are owned by root, just
> like your html content should only be readable, not modifiable, by
> the
> apache user.
>
> Apache opens the file before forking, so non-root children will
> already have a file handle to the error log and will not have to open
> it again.
>
> The trade off is against an admin accidentally writing something like
> 'ErrorLog /etc/master.passwd'.
>
> Cheers
>
> Tom
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
>
>
--
Igor Galić
Tel: +43 (0) 664 886 22 883
Mail: i.galic@xxxxxxxxxxxxxx
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|