brian 97/01/10 00:24:06
Modified: htdocs/manual invoking.html multilogs.html new_features_1_2.html virtual-host.html htdocs/manual/misc security_tips.html htdocs/manual/mod core.html mod_log_agent.html mod_log_common.html mod_log_config.html mod_log_referer.html mod_rewrite.html Log: Reviewed by: Chuck Murcko, Brian Behlendorf Submitted by: Marc Slemko Added documentation about security concerns with logging in Apache 1.2. Revision Changes Path 1.7 +7 -0 apache/htdocs/manual/invoking.html Index: invoking.html =================================================================== RCS file: /export/home/cvs/apache/htdocs/manual/invoking.html,v retrieving revision 1.6 retrieving revision 1.7 diff -C3 -r1.6 -r1.7 *** invoking.html 1996/12/12 01:09:39 1.6 --- invoking.html 1997/01/10 08:23:44 1.7 *************** *** 80,85 **** --- 80,92 ---- and is <code>conf/mime.types</code> by default. <h2>Log files</h2> + <h3>security warning</h3> + Anyone who can write to the directory where Apache is writing a + log file can almost certainly gain access to the uid that the server is + started as, which is normally root. Do <EM>NOT</EM> give people write + access to the directory the logs are stored in without being aware of + the consequences; see the <A HREF="misc/security_tips.html">security tips</A> + document for details. <h3>pid file</h3> On daemon startup, it saves the process id of the parent httpd process to the file <code>logs/httpd.pid</code>. This filename can be changed with the 1.3 +4 -1 apache/htdocs/manual/multilogs.html Index: multilogs.html =================================================================== RCS file: /export/home/cvs/apache/htdocs/manual/multilogs.html,v retrieving revision 1.2 retrieving revision 1.3 diff -C3 -r1.2 -r1.3 *** multilogs.html 1996/12/02 18:13:42 1.2 --- multilogs.html 1997/01/10 08:23:45 1.3 *************** *** 49,55 **** The first argument is the filename to log to. 
This is used exactly like the argument to <code>TransferLog</code>, that is, it is either a file as a full path or relative to the current ! server root, or |programname. <p> The format argument specifies a format for each line of the log file. The options available for the format are exactly the same as for --- 49,58 ---- The first argument is the filename to log to. This is used exactly like the argument to <code>TransferLog</code>, that is, it is either a file as a full path or relative to the current ! server root, or |programname. Be aware that anyone who can write to ! the directory where a log file is written can gain access to the uid ! that starts the server. See the <A HREF="misc/security_tips.html"> ! security tips</A> document for details.<p> The format argument specifies a format for each line of the log file. The options available for the format are exactly the same as for 1.22 +6 -1 apache/htdocs/manual/new_features_1_2.html Index: new_features_1_2.html =================================================================== RCS file: /export/home/cvs/apache/htdocs/manual/new_features_1_2.html,v retrieving revision 1.21 retrieving revision 1.22 diff -C3 -r1.21 -r1.22 *** new_features_1_2.html 1997/01/05 09:01:42 1.21 --- new_features_1_2.html 1997/01/10 08:23:45 1.22 *************** *** 97,103 **** versions of Apache is now standard, and has been enhanced to allow logging of much more detail about the transaction, and can be used to open <a href="multilogs.html">more than one log file</a> at once ! (each of which can have a different log format). <li><b><a href="mod/mod_usertrack.html">User Tracking (Cookies) Revisions</a></b><br> --- 97,108 ---- versions of Apache is now standard, and has been enhanced to allow logging of much more detail about the transaction, and can be used to open <a href="multilogs.html">more than one log file</a> at once ! (each of which can have a different log format). If you have Apache ! 
write any logs to a directory which is writable by anyone other than ! the user that starts the server, see the <A HREF="misc/security_tips.html"> ! security tips</A> document to be sure you aren't putting the security ! of your server at risk. ! <li><b><a href="mod/mod_usertrack.html">User Tracking (Cookies) Revisions</a></b><br> 1.9 +8 -0 apache/htdocs/manual/virtual-host.html Index: virtual-host.html =================================================================== RCS file: /export/home/cvs/apache/htdocs/manual/virtual-host.html,v retrieving revision 1.8 retrieving revision 1.9 diff -C3 -r1.8 -r1.9 *** virtual-host.html 1996/12/12 01:09:41 1.8 --- virtual-host.html 1997/01/10 08:23:46 1.9 *************** *** 130,135 **** --- 130,143 ---- <P> + <EM>SECURITY:</EM> When specifying where to write log files, be aware + of some security risks which are present if anyone other than the + user that starts Apache has write access to the directory where they + are written. See the <A HREF="misc/security_tips.html">security + tips</A> document for details. + + <P> + <H2>File Handle/Resource Limits:</H2> When using a large number of Virtual Hosts, Apache may run out of available file descriptors if each Virtual Host specifies different log files. 1.4 +25 -6 apache/htdocs/manual/misc/security_tips.html Index: security_tips.html =================================================================== RCS file: /export/home/cvs/apache/htdocs/manual/misc/security_tips.html,v retrieving revision 1.3 retrieving revision 1.4 diff -C3 -r1.3 -r1.4 *** security_tips.html 1996/11/26 05:36:42 1.3 --- security_tips.html 1997/01/10 08:23:54 1.4 *************** *** 15,20 **** --- 15,32 ---- <HR> + <H2>Permissions on Log File Directories</H2> + <P>When Apache starts, it opens the log files as the user who started the + server before switching to the user defined in the + <a href="../mod/core.html#user"><b>User</b></a> directive. 
Anyone who + has write permission for the directory where any log files are + being written to can append pseudo-arbitrary data to any file on the + system which is writable to the user who starts Apache. Since the + server is normally started by root, you should <EM>NOT</EM> give anyone + write permission to the directory where logs are stored unless you + want them to have root access. + <P> + <HR> <H2>Server Side Includes</H2> <P>Server side includes (SSI) can be configured so that users can execute arbitrary programs on the server. That thought alone should send a shiver *************** *** 54,68 **** deliberate or accidental.<p> All the CGI scripts will run as the same user, so they have potential to ! conflict (accidentally or deliberately) with other scripts e.g. User A hates ! User B, so he writes a script to trash User B's CGI database.<P> <HR> - Please send any other useful security tips to - <A HREF="mailto:[EMAIL PROTECTED]">[EMAIL PROTECTED]</A> - <p> - <HR> <H2>Stopping users overriding system wide settings...</H2> <P>To run a really tight ship, you'll want to stop users from setting --- 66,81 ---- deliberate or accidental.<p> All the CGI scripts will run as the same user, so they have potential to ! conflict (accidentally or deliberately) with other scripts e.g. ! User A hates User B, so he writes a script to trash User B's CGI ! database. One program which can be used to allow scripts to run ! as different users is <A HREF="../suexec.html">suEXEC</A> which is ! included with Apache as of 1.2 and is called from special hooks in ! the Apache server code. Another popular way of doing this is with ! <A HREF="http://wwwcgi.umr.edu/~cgiwrap/">CGIWrap</A>. 
<P> <HR> <H2>Stopping users overriding system wide settings...</H2> <P>To run a really tight ship, you'll want to stop users from setting *************** *** 84,89 **** --- 97,108 ---- This stops all overrides, Includes and accesses in all directories apart from those named.<p> + + <HR> + <P>Please send any other useful security tips to + <A HREF="mailto:[EMAIL PROTECTED]">[EMAIL PROTECTED]</A> + <p> + <HR> <!--#include virtual="footer.html" --> </BODY> 1.28 +13 -1 apache/htdocs/manual/mod/core.html Index: core.html =================================================================== RCS file: /export/home/cvs/apache/htdocs/manual/mod/core.html,v retrieving revision 1.27 retrieving revision 1.28 diff -C3 -r1.27 -r1.28 *** core.html 1997/01/01 07:10:24 1.27 --- core.html 1997/01/10 08:24:00 1.28 *************** *** 391,397 **** then it is assumed to be relative to the <A HREF="#serverroot">ServerRoot</A>. Example: <blockquote><code>ErrorLog /dev/null</code></blockquote> ! This effectively turns off error logging.<p><hr> <A name="files"><h2><Files></h2></A> <strong>Syntax:</strong> <Files <em>filename</em>> --- 391,404 ---- then it is assumed to be relative to the <A HREF="#serverroot">ServerRoot</A>. Example: <blockquote><code>ErrorLog /dev/null</code></blockquote> ! This effectively turns off error logging.<p> ! ! SECURITY: See the <A HREF="../misc/security_tips.html">security tips</A> ! document for details on why your security could be compromised if ! the directory where logfiles are stored is writable by anyone other ! than the user that starts the server. ! ! 
<p><hr> <A name="files"><h2><Files></h2></A> <strong>Syntax:</strong> <Files <em>filename</em>> *************** *** 1213,1218 **** --- 1220,1230 ---- then this can be accomplished with the <code>ifconfig alias</code> command (if your OS supports it), or with kernel patches like <A HREF="../misc/vif-info.html">VIF</A> (for SunOS(TM) 4.1.x)).<p> + + SECURITY: See the <A HREF="../misc/security_tips.html">security tips</A> + document for details on why your security could be compromised if + the directory where logfiles are stored is writable by anyone other + than the user that starts the server. <p><strong>See also:</strong> <A HREF="../virtual-host.html">Information on Virtual Hosts. 1.3 +6 -0 apache/htdocs/manual/mod/mod_log_agent.html Index: mod_log_agent.html =================================================================== RCS file: /export/home/cvs/apache/htdocs/manual/mod/mod_log_agent.html,v retrieving revision 1.2 retrieving revision 1.3 diff -C3 -r1.2 -r1.3 *** mod_log_agent.html 1996/11/21 10:30:49 1.2 --- mod_log_agent.html 1997/01/10 08:24:01 1.3 *************** *** 40,45 **** --- 40,51 ---- run under the user who started httpd. 
This will be root if the server was started by root; be sure that the program is secure.<p> + <strong>Security:</strong> See the <A + HREF="../misc/security_tips.html">security tips</A> document for + details on why your security could be compromised if the directory + where logfiles are stored is writable by anyone other than the user + that starts the server.<P> + This directive is provided for compatibility with NCSA 1.4.<p> <!--#include virtual="footer.html" --> 1.4 +6 -0 apache/htdocs/manual/mod/mod_log_common.html Index: mod_log_common.html =================================================================== RCS file: /export/home/cvs/apache/htdocs/manual/mod/mod_log_common.html,v retrieving revision 1.3 retrieving revision 1.4 diff -C3 -r1.3 -r1.4 *** mod_log_common.html 1996/11/26 06:03:26 1.3 --- mod_log_common.html 1997/01/10 08:24:01 1.4 *************** *** 82,87 **** --- 82,93 ---- run under the user who started httpd. This will be root if the server was started by root; be sure that the program is secure.<p> + <strong>Security:</strong> See the <A + HREF="../misc/security_tips.html">security tips</A> document for + details on why your security could be compromised if the directory + where logfiles are stored is writable by anyone other than the user + that starts the server.<P> + <!--#include virtual="footer.html" --> </BODY> </HTML> 1.9 +7 -0 apache/htdocs/manual/mod/mod_log_config.html Index: mod_log_config.html =================================================================== RCS file: /export/home/cvs/apache/htdocs/manual/mod/mod_log_config.html,v retrieving revision 1.8 retrieving revision 1.9 diff -C3 -r1.8 -r1.9 *** mod_log_config.html 1996/12/22 04:05:16 1.8 --- mod_log_config.html 1997/01/10 08:24:02 1.9 *************** *** 162,167 **** --- 162,174 ---- See the examples below. 
<p> + <h2>Security Considerations</h2> + + See the <A HREF="../misc/security_tips.html">security tips</A> document + for details on why your security could be compromised if the directory + where logfiles are stored is writable by anyone other than the user + that starts the server. + <p> <h2>Directives</h2> <ul> 1.3 +6 -0 apache/htdocs/manual/mod/mod_log_referer.html Index: mod_log_referer.html =================================================================== RCS file: /export/home/cvs/apache/htdocs/manual/mod/mod_log_referer.html,v retrieving revision 1.2 retrieving revision 1.3 diff -C3 -r1.2 -r1.3 *** mod_log_referer.html 1996/11/21 10:30:50 1.2 --- mod_log_referer.html 1997/01/10 08:24:02 1.3 *************** *** 67,72 **** --- 67,78 ---- run under the user who started httpd. This will be root if the server was started by root; be sure that the program is secure.<p> + <strong>Security:</strong> See the <A + HREF="../misc/security_tips.html">security tips</A> document for + details on why your security could be compromised if the directory + where logfiles are stored is writable by anyone other than the user + that starts the server.<P> + This directive is provided for compatibility with NCSA 1.4.<p> <!--#include virtual="footer.html" --> 1.4 +6 -0 apache/htdocs/manual/mod/mod_rewrite.html Index: mod_rewrite.html =================================================================== RCS file: /export/home/cvs/apache/htdocs/manual/mod/mod_rewrite.html,v retrieving revision 1.3 retrieving revision 1.4 diff -C3 -r1.3 -r1.4 *** mod_rewrite.html 1997/01/01 18:32:20 1.3 --- mod_rewrite.html 1997/01/10 08:24:03 1.4 *************** *** 151,156 **** --- 151,162 ---- <tt>RewriteLog</tt> directive or use <tt>RewriteLogLevel 0</tt>! 
</td></tr> </table> + <P> + + SECURITY: See the <A HREF="../misc/security_tips.html">security + tips</A> document for details on why your security could be + compromised if the directory where logfiles are stored is writable + by anyone other than the user that starts the server. <P> <p> <b>Example:</b>
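Review bot: the consequence is worded differently in each file, which makes the warnings read as different risks. The invoking.html hunk says a directory writer "can almost certainly gain access to the uid that the server is started as", the multilogs.html hunk says they "can gain access to the uid that starts the server", and security_tips.html says they "can append pseudo-arbitrary data to any file on the system which is writable to the user who starts Apache". Pick the security_tips.html statement as the reference and have the two shorter warnings use the same strength of claim.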
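Review bot: the new `<H2>Permissions on Log File Directories</H2>` section in the first security_tips.html hunk has no named anchor, so every pointer added in this commit (`HREF="misc/security_tips.html"`, `HREF="../misc/security_tips.html"`) lands at the top of the page rather than on the section. Add an anchor in the style core.html already uses (`<A name="files">`) and link to it from the other files. The paragraph also says what not to do but never states what ownership and mode the log directory should have; one sentence giving the recommended setting would make it actionable. The trailing `+ <P>` before `<HR>` opens an empty paragraph and can be dropped.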
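Review bot: the second and third security_tips.html hunks are not covered by the log message, which only says "Added documentation about security concerns with logging in Apache 1.2". They add the suEXEC and CGIWrap paragraph to the CGI section and move the "Please send any other useful security tips" block to the end of the page. Mention both in the log message or commit them separately, so that the history of the CGI section can be found later.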
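Review bot: in the core.html hunk at 1220 the SECURITY paragraph follows text about `ifconfig alias` and VIF, and nothing ties log directories to the directive being described there. Open it with the connection that the virtual-host.html hunk makes ("When specifying where to write log files, be aware of some security risks ...") so the reader can see why the warning appears in that section. The same paragraph in the hunk at 391 sits directly under the `ErrorLog` example and needs no such lead-in.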
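Review bot: the same pointer paragraph is labelled several different ways across this commit: `<EM>SECURITY:</EM>` in virtual-host.html, plain unmarked `SECURITY:` in core.html and mod_rewrite.html, `<strong>Security:</strong>` in mod_log_agent.html, mod_log_common.html and mod_log_referer.html, `<h2>Security Considerations</h2>` in mod_log_config.html and `<h3>security warning</h3>` in invoking.html. Settle on one label and one markup for the inline notes so that they can be found with a single search and read as the same warning. The closing tag case also varies (`<P>` in the mod_log_* hunks, `<p>` in the surrounding context); follow the case of the file being edited.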