Since I am not a Unix developer, can this security problem be overcome somehow or does this mean that I should #ifdef the code as NETWARE only?
Brad Brad Nicholes Senior Software Engineer Novell, Inc., a leading provider of Net business solutions http://www.novell.com >>> [EMAIL PROTECTED] Wednesday, February 27, 2002 1:34:46 PM >>> On Wed, 27 Feb 2002, Brad Nicholes wrote: > This patch adds the directives LogRotateDaily and LogRotateInterval > to the mod_log_config modules. These directives allow all of the custom > logs to be automatically rotated on either a daily basis or at a > specific interval. This patch is based on a previous patch that was > submitted by Bertrand Demiddelaer. > One of the problems that we have had on NetWare is the lack of a > way to automatically rotate the log files. NetWare is unable to use the > RotateLog utility due to the fact that the OS does not support pipes. > This patch is being submitted as a general patch rather than a NetWare > specific patch so that other platforms can take advantage of it if they > choose to. If there are objections to this patch I could submit it as a > NetWare only fix. If there are no objections, I would like to go ahead > and check it in. This patch is a major security problem on Unix, since you should not have your log files writable by the user apache runs as. They should only be writable by the user that starts Apache (normally root). This means child processes can not reopen logs. BTW, please try to include patches in the body of the message instead of as binary attachments. --- mod_log_config.c.org Wed Feb 27 12:59:20 2002 +++ mod_log_config.c Wed Feb 27 12:52:57 2002 @@ -231,6 +231,8 @@ array_header *config_logs; array_header *server_config_logs; table *formats; + int rotatedaily; + int rotateinterval; } multi_log_state; /* @@ -252,6 +254,7 @@ int outcnt; char outbuf[LOG_BUFSIZE]; #endif + time_t time_jump; } config_log_state; /* 
@@ -803,6 +806,39 @@ int len = 0; array_header *format; char *envar; + int log_fd; + + multi_log_state *mls = ap_get_module_config(r->server->module_config,&config_log_module); + + if ((mls->rotatedaily || mls->rotateinterval) && + (r->request_time>=cls->time_jump) && + (*cls->fname!='|') && (strcmp(cls->fname,"/dev/null") != 0)) { + char * fname; + struct tm *time_tmp; + + if (mls->rotatedaily) { + time_tmp=localtime(&(r->request_time)); + cls->time_jump=r->request_time+((60-time_tmp->tm_sec)+60*(59-time_tmp->tm_min)+3600*(23-time_tmp->tm_hour)); + } + else + cls->time_jump = r->request_time + (60*mls->rotateinterval); + + fname = ap_pstrcat(r->pool, + ap_server_root_relative(r->pool, cls->fname), + "-", + ap_ht_time(r->pool,r->request_time,"%Y%m%d%H%M",0), + NULL + ); + + if ((log_fd = open(fname, xfer_flags, xfer_mode)) < 0) { + ap_log_error(APLOG_MARK, APLOG_ERR, r->server, + "could not open transfer log file %s.", fname); + } + else { + dup2 (log_fd, cls->log_fd); + close (log_fd); + } + } if (cls->fname == NULL) { return DECLINED; @@ -926,6 +962,8 @@ mls->default_format = NULL; mls->server_config_logs = NULL; mls->formats = ap_make_table(p, 4); + mls->rotatedaily = 0; + mls->rotateinterval = 0; ap_table_setn(mls->formats, "CLF", DEFAULT_LOG_FORMAT); return mls; @@ -942,6 +980,13 @@ multi_log_state *base = (multi_log_state *) basev; multi_log_state *add = (multi_log_state *) addv; + if (add->rotatedaily==0) { + add->rotatedaily=base->rotatedaily; + } + if (add->rotateinterval==0) { + add->rotateinterval=base->rotateinterval; + } + add->server_config_logs = base->config_logs; if (!add->default_format) { add->default_format_string = base->default_format_string; 
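Review bot: The rotation test added at the top of the `@@ -803,6 +806,39 @@` hunk dereferences `cls->fname` (`*cls->fname!='|'` and the `strcmp`) before the existing `if (cls->fname == NULL)` guard that follows the new block. If an entry without a file name reaches this code with rotation enabled and `time_jump` already passed, that is a null-pointer read; move the block below the guard or add `cls->fname != NULL &&` to the condition. The result of `dup2 (log_fd, cls->log_fd)` is ignored, so a failed switch keeps writing to the old file with nothing logged, and `localtime()` is used without a NULL check. The enclosing function starts and ends outside the hunk.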
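Review bot: In the merge hunk (`@@ -942,6 +980,13 @@`), 0 means both "off" and "not set", so a virtual host that sets only `LogRotateInterval` still inherits `rotatedaily` from the base server, and the `if (mls->rotatedaily)` branches elsewhere in the patch then ignore its interval. Inheriting only when the virtual host set neither value, `if (add->rotatedaily == 0 && add->rotateinterval == 0) { ... }`, fixes that case. A virtual host also cannot switch off rotation that the main server enabled; that needs a distinct unset value (for example -1 in the create function) rather than 0. The merge function continues outside the hunk.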
@@ -1025,6 +1070,34 @@ return add_custom_log(cmd, dummy, fn, "%{Cookie}n \"%r\" %t", NULL); } +static const char *set_rotate_log_daily(cmd_parms *cmd, void *dummy, int arg) +{ + multi_log_state *mls = ap_get_module_config(cmd->server->module_config, + &config_log_module); + + mls->rotatedaily = arg; + if (mls->rotatedaily) + mls->rotateinterval = 0; + return NULL; +} + +static const char *set_rotate_log_interval(cmd_parms *cmd, void *dummy, char *arg) +{ + multi_log_state *mls = ap_get_module_config(cmd->server->module_config, + &config_log_module); + int interval = 0; + + if (arg) + interval = atoi(arg); + + if (interval < 0) + return NULL; + + mls->rotatedaily = 0; + mls->rotateinterval = interval; + return NULL; +} + static const command_rec config_log_cmds[] = { {"CustomLog", add_custom_log, NULL, RSRC_CONF, TAKE23, @@ -1036,6 +1109,10 @@ "a log format string (see docs) and an optional format name"}, {"CookieLog", set_cookie_log, NULL, RSRC_CONF, TAKE1, "the filename of the cookie log"}, + {"LogRotateDaily", set_rotate_log_daily, NULL, RSRC_CONF, FLAG, + "rotate logs daily (On:Off)"}, + {"LogRotateInterval", set_rotate_log_interval, NULL, RSRC_CONF, TAKE1, + "rotate logs every NNN minutes"}, {NULL} }; 
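Review bot: `set_rotate_log_interval` in the `@@ -1025,6 +1070,34 @@` hunk parses the argument with `atoi`, so a typo such as `LogRotateInterval 3O` or `abc` silently becomes a smaller value or 0 (rotation off). A negative value returns NULL, which the configuration parser treats as success, so the directive is dropped without any message. Large values are not bounded either, and `60*mls->rotateinterval` is later computed in `int`, which can overflow. Parsing with `strtol`, rejecting trailing characters and out-of-range values, and returning an error string lets the administrator see the mistake at startup.

```c
static const char *set_rotate_log_interval(cmd_parms *cmd, void *dummy, char *arg)
{
    /* … unchanged: mls lookup via ap_get_module_config … */
    char *end;
    long interval;

    if (arg == NULL || *arg == '\0') {
        return "LogRotateInterval requires a number of minutes";
    }

    errno = 0;
    interval = strtol(arg, &end, 10);
    /* Reject trailing junk, negatives, and values whose 60* product would overflow int. */
    if (*end != '\0' || errno == ERANGE
        || interval < 0 || interval > INT_MAX / 60) {
        return "LogRotateInterval must be a non-negative number of minutes";
    }

    mls->rotatedaily = 0;
    mls->rotateinterval = (int) interval;
    return NULL;
}
```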
@@ -1061,7 +1138,29 @@ cls->log_fd = ap_piped_log_write_fd(pl); } else { - char *fname = ap_server_root_relative(p, cls->fname); + char * fname; + struct tm *time_tmp; + time_t time_now; + multi_log_state *mls = ap_get_module_config(s->module_config,&config_log_module); + + if ((mls->rotatedaily || mls->rotateinterval)&&(*cls->fname!='|')&&(strcmp(cls->fname,"/dev/null") != 0)) { + time_now=time(NULL); + if (mls->rotatedaily) { + time_tmp=localtime(&time_now); + cls->time_jump=time_now+((60-time_tmp->tm_sec)+60*(59-time_tmp->tm_min)+3600*(23-time_tmp->tm_hour)); + } + else + cls->time_jump = time_now + (60*mls->rotateinterval); + fname = ap_pstrcat(p, + ap_server_root_relative(p, cls->fname), + "-", + ap_ht_time(p,time_now,"%Y%m%d%H%M",0), + NULL + ); + } else { + fname = ap_server_root_relative(p, cls->fname); + } + if ((cls->log_fd = ap_popenf(p, fname, xfer_flags, xfer_mode)) < 0) { ap_log_error(APLOG_MARK, APLOG_ERR, s, "could not open transfer log file %s.", fname);
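Review bot: The next-rotation computation and the timestamped file name in this hunk duplicate the code added in the `@@ -803,6 +806,39 @@` hunk, so the startup path and the request-time path can drift apart. A single static helper that takes the current time and returns the new `time_jump`, plus one that builds the `fname-%Y%m%d%H%M` name, would keep them consistent. `localtime()` is used without a NULL check here as well. The `*cls->fname!='|'` test looks redundant in this `else` branch, since the piped-log case appears to be handled by the branch above; confirm against the part of the function outside the hunk.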