Hello Gunnar,

On 24/08/2010, at 21:00, Gunnar Wolf wrote:

> I am following up on Debian bug report #586092:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=586092
>
> /var/log/cherokee/* is readable by www-data, writeable by
> www-data. User www-data should not have this access.
>
> And quickly verifying... Yes, Cherokee opens the log file after
> dropping root privileges. Possibly it would be sensible for Cherokee
> to open the logs before dropping privileges? (although it could
> be more dangerous, as Cherokee could be tricked, say, via a simple
> symlink "attack" to write to the wrong file).
>
> What do you think of this user request? Frankly, having the Web user
> not able to modify the webserver's log (i.e. to erase his own tracks
> after attacking the server) sounds like a good thing.

You are raising a very good point. Both situations are equally problematic, actually.

The bug report is right: it would be more secure if Cherokee opened log files before dropping its privileges. However, that would introduce a few other weaknesses into the equation: as you pointed out, Cherokee could be tricked; many other servers have suffered from this problem before, and we ought to have learnt the lesson by now. Besides, some functionality would be lost. For instance, a regular (unprivileged) Cherokee worker process could not reopen the log files if they were rotated.

So, even though I agree with the bug report, I do not know what we could do in order to fix it without losing functionality or introducing new security issues.

-- 
Octality
http://www.octality.com/

_______________________________________________
Cherokee mailing list
[email protected]
http://lists.octality.com/listinfo/cherokee
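The trade-off discussed in this thread, opening the log as root with symlink protection and only then dropping privileges, as an added example that is not Cherokee's own code; the log path, the www-data account and the /tmp self-check directory are assumptions.

```c
/* Added example, not Cherokee's code: open the log before dropping root,
 * refusing symlinks and verifying what was opened, then drop privileges. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (create with mode 0640 if absent) an append-only log, refusing to follow a
 * symlink at the final component; confirm it is a plain file with one link.
 * Returns the fd, or -1 with errno set (ELOOP when the path is a symlink). */
int open_log_nofollow(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0640);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd); errno = EPERM;       /* not the plain file we expected */
        return -1;
    }
    return fd;
}

/* Switch permanently to an unprivileged account (assumed name: "www-data"). The
 * open log fd survives, so the worker can append but cannot reopen, truncate or
 * replace the file.  Returns 0 on success; a no-op when not started as root. */
int drop_privileges(const char *user)
{
    if (geteuid() != 0) return 0;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || setgroups(0, NULL) != 0 || setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;     /* the drop must be irreversible */
}

/* Self-check in a fresh /tmp directory (constructed input): a plain file is
 * accepted, a symlink planted at the log path is rejected with ELOOP. Returns 1. */
int demo_symlink_rejected(void)
{
    char dir[] = "/tmp/logdemo.XXXXXX", plain[64], lnk[64];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(plain, sizeof plain, "%s/access.log", dir);
    snprintf(lnk, sizeof lnk, "%s/error.log", dir);
    int fd = open_log_nofollow(plain), ok = fd >= 0;
    if (fd >= 0) close(fd);
    ok = ok && symlink("/dev/null", lnk) == 0 && open_log_nofollow(lnk) < 0 && errno == ELOOP;
    unlink(lnk); unlink(plain); rmdir(dir);
    return ok;
}
```

Because the unprivileged worker can no longer reopen the file, rotation has to be handled by a privileged parent or by copy-and-truncate, which is exactly the lost functionality the reply points out.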
