https://issues.apache.org/bugzilla/show_bug.cgi?id=55068
Stefan Fritsch changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|major                       |enhancement

--- Comment #1 from Stefan Fritsch ---
I disagree quite strongly here. Writing the logs as root prevents an attacker with the ability to inject code into scripts from removing evidence from the log files. Writing the logs as the same user that processes requests is really a bad idea.

An option to set the user/group for log files would be nice, though, therefore marking this as enhancement bug. I am not sure that this is easy to do in a portable way, though. Changing effective uid for opening the log files may make the parent process vulnerable to attacks with ptrace on some OSs.

Note that you can already do this, at the expense of two additional processes per logfile:

Create a logwrapper script:

    #!/bin/sh
    set -u
    exec su "$1" -c "exec cat >> $2"

And then use this as a piped logger:

    CustomLog "| /usr/local/sbin/logwrapper loguser /home/loguser/logfile" combined
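The comment's point that logs must not be writable by the user that processes requests can be checked on a deployed host. The script below is an added example, not part of the original comment or of httpd: the function names are hypothetical, the worker uid and log path are supplied by the caller, and the demo file is constructed.

```shell
#!/bin/sh
# Audit whether a log file could be altered or removed by the uid that
# processes requests. Checks owner and the world-write bit only; group
# membership is not evaluated (assumption: worker shares no group with the log).

# Return 0 if uid $1 neither owns path $2 nor can write it via the
# world-write bit, 1 if it can, 2 if the path cannot be inspected.
path_safe_from() {
    worker_uid=$1 target=$2
    out=$(ls -ldn -- "$target") || return 2
    # Split the `ls -ldn` line: $1 = mode string, $3 = numeric owner uid.
    set -- $out
    if [ "$3" = "$worker_uid" ]; then
        echo "RISK: $target is owned by uid $worker_uid"
        return 1
    fi
    case $1 in
        # 9th character of the mode string is the "other" write bit.
        ????????w*) echo "RISK: $target is world-writable"; return 1 ;;
    esac
    return 0
}

# A log is protected only if both the file and its directory are protected:
# write access to the directory allows unlinking or replacing the file.
log_safe_from() {
    worker_uid=$1 logfile=$2
    path_safe_from "$worker_uid" "$logfile" || return $?
    path_safe_from "$worker_uid" "$(dirname "$logfile")"
}

# Demo on a constructed temp file: the current uid stands in for the worker,
# so the check reports the file as exposed.
demo_dir=$(mktemp -d)
: > "$demo_dir/access.log"
log_safe_from "$(id -u)" "$demo_dir/access.log" || echo "-> log needs a separate owner"
rm -rf "$demo_dir"
```

Run it against each CustomLog and ErrorLog target with the numeric uid of the request-processing user; a non-zero return means that user could tamper with the log.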
