On Sat, 21 Sep 2002, Marc Slemko wrote:

> On Sat, 21 Sep 2002, Rich Bowen wrote:
>
> > =Apache security
>
> Two comments:
>
> 1. a lot of silly and futile restrictions here that don't do anything
> to improve security and only serve to make people do things as root
> more than they should have to.

OK, I'm confused. What here would you have to do as root that should not
be that way?

> 2. Your recommended permissions for the logs directory have a huge
> problem:
>
> > * Logs directory has some caveats
> >
> > * Standard log files are written as root (C<access_log> and C<error_log>)
> >
> > * Some other modules log as C<www.root>
> >
> > * So, here's the recommendation:
> >
> >     chown root.www logs
> >     chmod 770 logs
>
> This goes explicitly against what is documented in the current docs
> and allows anyone who compromises the "www" group to gain root access
> to the system.

Can you elaborate as to how that would happen? The current docs say that
the directory should be 755, which would prevent ssl from logging. Or so
I would have thought. Need to experiment with that, I guess.

> Do not give the user or group the server runs as
> write permissions to the log directory if the server is started as
> root.

That's the way that it is now. SSL logs as the web server user, as does
mod_throttle, and mod_gzip. If you don't give that user access to write
to the log directory, these modules can't log.

> If you have some random module that wants to write a logfile as the
> user the webserver runs as, either put it in a different directory or
> precreate the file with permissions that let the module do so.

Well, I would hardly call mod_ssl "some random module". ;-) What
recommendations do you make for that?

-- 
Rich Bowen - [EMAIL PROTECTED]
Author - Apache Administrator's Guide
http://www.ApacheAdmin.com/
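Added example, not part of the original message or of Apache's own tooling: a POSIX shell check for the quoted advice that a logs directory used by a root-started server must not be writable by the server's user or group. The function name `audit_logdir` and its optional expected-owner argument are hypothetical.

```shell
#!/bin/sh
# audit_logdir DIR [EXPECTED_UID]
#   Returns 0 when DIR is owned by EXPECTED_UID (default 0, i.e. root) and
#   carries no group or other write bit (e.g. mode 755).
#   Returns 1 and prints each finding otherwise (e.g. mode 770, as in the
#   "chown root.www logs; chmod 770 logs" recommendation under discussion).
#   Returns 2 when DIR is not a directory.
audit_logdir() {
    dir=$1
    want_uid=${2:-0}
    rc=0

    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 2; }

    # "ls -ldn" prints: mode links uid gid size date name
    # The first four fields never contain spaces, so word splitting is safe.
    set -- $(ls -ldn -- "$dir")
    mode=$1
    uid=$3

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $dir is owned by uid $uid, expected uid $want_uid"
        rc=1
    fi

    # Mode string layout: d rwx rwx rwx -> character 6 is group write,
    # character 9 is other write.
    case $mode in
        ?????w*) echo "FAIL: $dir is group-writable ($mode)"; rc=1 ;;
    esac
    case $mode in
        ????????w*) echo "FAIL: $dir is world-writable ($mode)"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $dir ($mode, uid $uid)"
    return "$rc"
}

# Run stand-alone as: sh audit_logdir.sh /path/to/logs
if [ $# -gt 0 ]; then
    audit_logdir "$@"
fi
```

A module that logs as the server user then gets its file pre-created by root inside the non-writable directory and handed to that user, as the quoted reply suggests, instead of being given write access to the directory itself.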
