https://issues.apache.org/bugzilla/show_bug.cgi?id=55068
Bug ID: 55068
Summary: root permissions when writing to per vhosts errorlog (security)
Product: Apache httpd-2
Version: 2.4.4
Hardware: PC
OS: Linux
Status: NEW
Severity: major
Priority: P2
Component: Core
Assignee: [email protected]
Reporter: [email protected]
When writing to a per-vhost errorlog, Apache uses root permissions. To provide
the errorlog to an end user, the administrator can point it, for example, to:

    <virtualhost ...>
    errorlog /home/user/your_apache_log

Now the user does this:

    rm /home/user/your_apache_log
    ln -s /bin/sh /home/user/your_apache_log

and waits for Apache to restart some time later.

Now nobody can log in to the server, since /bin/sh has been modified by the
Apache process. This is a security issue.

1) Apache should not write to any logs using root permissions, but with the
permissions specified in httpd.conf by User and Group.
2) If there is a SuexecUserGroup in the vhost, then the per-dir errorlog should
be written to using these permissions.
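An audit check for the condition this report describes, added here as an example and not taken from the report or from Apache httpd: given a configured log path, it flags a log that is already a symlink and any directory on the path that an untrusted account could use to replace it. The function name and the trusted_uids parameter are assumptions of this example.

```python
import os
import stat
import sys


def audit_log_path(log_path, trusted_uids=(0,)):
    """Return findings for a log file that a root-started httpd would open.

    Inspects the file and every ancestor directory with lstat(), so links
    are reported rather than followed. trusted_uids is an assumption of this
    example: the accounts allowed to own the log and its directories.
    """
    findings = []
    path = os.path.abspath(log_path)  # abspath() does not resolve symlinks
    try:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{path}: is a symlink to {os.readlink(path)}")
        elif st.st_uid not in trusted_uids:
            findings.append(f"{path}: owned by uid {st.st_uid}")
    except FileNotFoundError:
        pass  # not created yet; the directories decide who can plant a link

    parent = os.path.dirname(path)
    while True:
        try:
            st = os.lstat(parent)
        except FileNotFoundError:
            findings.append(f"{parent}: directory does not exist")
        else:
            if stat.S_ISLNK(st.st_mode):
                findings.append(f"{parent}: directory is a symlink")
            if st.st_uid not in trusted_uids:
                findings.append(f"{parent}: directory owned by uid {st.st_uid}")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{parent}: directory is group/other-writable")
        if parent == os.path.dirname(parent):  # reached the filesystem root
            break
        parent = os.path.dirname(parent)
    return findings


if __name__ == "__main__":
    # Usage: pass the ErrorLog/CustomLog paths taken from the vhost config.
    for log in sys.argv[1:]:
        for finding in audit_log_path(log):
            print(finding)
```

Run against /home/user/your_apache_log from the report, it would list /home/user as owned by a non-root uid, and the log itself as a symlink once the link has been planted.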