Received: (qmail 20315 invoked by uid 2012); 20 Apr 1998 22:54:33 -0000 Message-Id: <19980420225433.20314.qmail@hyperreal.org> Date: 20 Apr 1998 22:54:33 -0000 From: Phil Rosenthal Reply-To: winter@villaweb.net To: apbugs@hyperreal.org Subject: Logfiles provide a big backdoor in apache v* X-Send-Pr-Version: 3.2 >Number: 2085 >Category: mod_log-any >Synopsis: Logfiles provide a big backdoor in apache v* >Confidential: no >Severity: critical >Priority: medium >Responsible: apache >State: closed >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Mon Apr 20 17:10:01 PDT 1998 >Last-Modified: Tue May 5 20:34:58 PDT 1998 >Originator: winter@villaweb.net >Organization: >Release: ALL >Environment: Linux 2.0.33 GCC 2.7.2.3 Linux frozen.villaweb.net 2.0.33 #7 Sun Mar 29 06:19:26 EST 1998 i586 unknown >Description: I was trying to hack my box (just to see if/how others could), and I found a very big, and dangerous flaw... I had a logfiles directory for every user where they had all the standard Apache logs... >How-To-Repeat: ln -s /etc/passwd TransferLog I went and rehashed httpd (as root, sooner or later, all admins rehash webservers) killall -HUP httpd and, voila, I (as a regular user) now had write access to /etc/passwd you cant control what gets written, but, it is still very dangerous... >Fix: I also found a temporary fix, but I think there should be an option in apache where you control what user writes the logfile... I compiled the "rotatelogs" program (its in one of the apache source subdirs), and put it in /usr/bin I added a "htlogd" user, and chown'd the file to htlogd.htlogd, and made it suid, so it executes as user htlogd adduser htlogd ; chown htlogd.htlogd rotatelogs ; chmod 4700 rotatelogs I made all of the logfiles dirs owned by htlogd, and I changed all of the logfile lines in httpd.conf in this fasion: BEFORE --- TransferLog "/home/website.com/logfiles/TransferLog" AFTER --- TransferLog "|rotatelogs /home/website.com/logfiles/TransferLog 86400" It is a fairly good temporary fix... %0 >Audit-Trail: From: Marc Slemko To: Phil Rosenthal Cc: apbugs@hyperreal.org Subject: Re: mod_log-any/2085: Logfiles provide a big backdoor in apache v* Date: Mon, 20 Apr 1998 18:16:03 -0600 (MDT) On 20 Apr 1998, Phil Rosenthal wrote: > >Description: > I was trying to hack my box (just to see if/how others could), and I found > a very big, and dangerous flaw... > I had a logfiles directory for every user where they had all the standard > Apache logs... Note that this is not a bug and is well known and documented explicitly. I'm not sure that adding an option to have the logfiles written by a different user helps that much because the people who don't read the docs won't know about this open either. State-Changed-From-To: open-closed State-Changed-By: brian State-Changed-When: Tue May 5 20:34:58 PDT 1998 State-Changed-Why: As Marc says, this is documented. >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ]