Olaf Meeuwissen said: > The following are world readable on my rather spartan system: > > /var/log/apache/access.log* > /var/log/apache/error.log*
If you have not already done so, I suggest that you file this as a bug. (If you don't know how, just install the 'bug' package and issue the command "bug apache".) Any HTTP-based software which submits information using GET requests instead of POST will have that information written into access.log. In that situation, a world-readable log is a Very Bad Thing, as the information is likely to include passwords (possibly encrypted, but, for counterfeit web access, that doesn't matter) and other sensitive information. I just did the following: chgrp adm /var/log/apache/* chmod o-r /var/log/apache/* /etc/init.d/apache restart and my install of apache now appears to be able to log properly without requiring the logs to be world-readable. I'll just have to check tomorrow to see whether logrotate preserves these settings automagically or if tomorrow's new logs are created with the old permissions. -- "Two words: Windows survives." - Craig Mundie, Microsoft senior strategist "So does syphillis. Good thing we have penicillin." - Matthew Alton Geek Code 3.1: GCS d- s+: a- C++ UL++$ P+>+++ L+++>++++ E- W--(++) N+ o+ !K w---$ O M- V? PS+ PE Y+ PGP t 5++ X+ R++ tv b+ DI++++ D G e* h+ r++ y+
