Hi Tom,
thanks for the answer. It makes perfect sense.
The solution I thought about is a bit more complex. I did not go through the
Apache code, so below is just a sketch.
seteuid(${APACHE_RUN_USER}); //drop privileges
open(${ErrorLog}); //open file
seteuid(0); // get back root privileges
chown(${ErrorLog}, root, …); // change owner to root
In this case, the ErrorLog will be opened and accessible as ${APACHE_RUN_USER}
for only a brief moment of time, and after that it becomes owned by root.
AFAIK, this solves the issue I raised. If I miss any point, please let me know.
Best regards,
Silviu
On Nov 24, 2011, at 17:52 , Tom Evans wrote:
> On Thu, Nov 24, 2011 at 3:53 PM, silviu andrica
> <[email protected]> wrote:
>> Hi,
>>
>> I noticed that in Apache/2.2.20 (Ubuntu), the ErrorLog is opened as root,
>> although the User is set to ${APACHE_RUN_USER}.
>> My concern is that if I make a mistake in ErrorLog, then I can damage any
>> file on my system because of a stupid copy-paste error.
>>
>> I was wondering what is the reason Apache doesn't drop root privileges
>> before opening the ErrorLog file (to make sure that the user Apache will end
>> up running as can access and modify that file) and then get back the root
>> privileges, for the remaining operations that need be done as root?
>>
>
> This is by design to do the exact opposite of what you are suggesting.
> If it waited until it gave up it's root privileges, then the file
> would be owned/modifiable by the less privileged apache user, and
> could be removed or truncated by any web script or exploit. In
> general, it's a good idea that your log files are owned by root, just
> like your html content should only be readable, not modifiable, by the
> apache user.
>
> Apache opens the file before forking, so non-root children will
> already have a file handle to the error log and will not have to open
> it again.
>
> The trade off is against an admin accidentally writing something like
> 'ErrorLog /etc/master.passwd'.
>
> Cheers
>
> Tom
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: [email protected]
> " from the digest: [email protected]
> For additional commands, e-mail: [email protected]
>
