Hello,

On Tue, Aug 24, 2010 at 11:08 PM, Alvaro Lopez Ortega <[email protected]> wrote:
> Hello Gunnar,
>
> On 24/08/2010, at 21:00, Gunnar Wolf wrote:
>
>> I am following up on Debian bug report #586092:
>>
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=586092
>>
>> /var/log/cherokee/* is readable by www-data writeable by
>> www-data. User www-data should not have this access.
>>
>> And quickly verifying... Yes, Cherokee opens the log file after
>> dropping root privileges. Possibly it would be sensible for Cherokee
>> to open the logs before dropping privileges? (although it could
>> be more dangerous, as Cherokee could be tricked, say, via a simple
>> symlink "attack" to write to the wrong file).
>>
>> What do you think of this user request? Frankly, having the Web user
>> not able to modify the webserver's log (i.e. to erase his own tracks
>> after attacking the server) sounds like a good thing.
>
> You are raising a very good point.
>
> Both situations are equally problematic actually. The bug report is right,
> it would be more secure if Cherokee opened log files before dropping its
> privileges.
>
> However, that would introduce a few other weaknesses into the equation: as
> you pointed out, Cherokee could be tricked - many other servers suffered from
> this problem before, and we ought to have learnt the lesson by now. Besides,
> some functionality would be lost. For instance, a regular (unprivileged)
> Cherokee worker process could not reopen the log files if they were rotated.
>
> So, even though I agree on the bug report, I do not know what we could do in
> order to fix it up at the same time that we don't lose functionality or we
> introduce new security issues.

About two years ago (only?), when I started using Cherokee, I sent a message about this subject:

http://thread.gmane.org/gmane.comp.web.cherokee.general/1898

--
Regards:
Antonio Pérez
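
The approach debated in this thread (open the log as root, refuse symlinks, then drop to `www-data`), sketched as an added example that is not part of the original messages and not Cherokee's code. The file name `access.log`, the function names and the hard-link check are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a log for appending while still root. O_NOFOLLOW fails with ELOOP if
 * the last path component is a symlink; fstat() on the descriptor (not the
 * path, so no check/use race) rejects non-regular files and hard links.
 * Parent directories are not checked: they must be writable by root only. */
int open_log_fd(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0640);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Permanently switch to `user`: groups first, then gid, then uid. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0)
        return -1;
    if (initgroups(user, pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0 ||
        setuid(pw->pw_uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;   /* regaining root must fail */
}

int main(int argc, char **argv)
{
    /* Path is a constructed example; the thread only names /var/log/cherokee/. */
    const char *path = argc > 1 ? argv[1] : "/var/log/cherokee/access.log";
    int fd = open_log_fd(path);                      /* 1. open as root */
    if (fd < 0) { perror(path); return 1; }
    if (geteuid() == 0 && drop_privileges("www-data") != 0) {   /* 2. drop */
        perror("drop_privileges");
        return 1;
    }
    dprintf(fd, "worker started, uid=%d\n", (int)getuid());     /* 3. write via kept fd */
    return close(fd) == 0 ? 0 : 1;
}
```

After the drop the worker can no longer open, replace or unlink the log by path, but the descriptor it holds is still writable (including `ftruncate()`), and it cannot reopen a rotated file, which is the lost functionality mentioned above.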
