Received: (qmail 81058 invoked by uid 501); 2 Aug 2001 20:55:44 -0000 Message-Id: <20010802205544.81057.qmail@apache.org> Date: 2 Aug 2001 20:55:44 -0000 From: "Rüdiger" "Plüm" Reply-To: r.pluem@gmx.de To: submit@bugz.apache.org Subject: Logfiles are written as root, rotatelogs is started as root if apache is started by root X-Send-Pr-Version: 3.110 >Number: 8127 >Category: mod_log-any >Synopsis: Logfiles are written as root, rotatelogs is started as root if apache is started by root >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: apache >Arrival-Date: Thu Aug 02 14:00:00 PDT 2001 >Closed-Date: >Last-Modified: >Originator: r.pluem@gmx.de >Release: 1.3.12 and up >Organization: apache >Environment: Linux, Solaris probably all other Unix OS >Description: If apache is started by root as it is needed if you want to bind a priviliged port then all logfiles configured in Errorlog, Customlog and Transferlog directives are written by root. Even worse, if you use the pipe feature of these directives the programs that process the piped logdata are also running with uid 0. >How-To-Repeat: Obvious >Fix: Since it is basicly a bad thing running programs with uid 0 or writing files as root if it is not needed I would appreciate if could add either a directive or even better a command line option to httpd which allows to set the uid and the gid used for writing logfiles and for running programs that process the piped logdata. IMHO this would have the following advantages: 1. root can prevent symlink attacks to root owned files once and forever. 2. vulnerabilities in programs that are used to process piped logdata do not have very harmful impacts to the whole system. Since I am not a programer I can not suggest any patches for the apache sources. Sorry. Thanks in advance and kind regards Rüdiger Plüm >Release-Note: >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]