Your message dated Wed, 22 Dec 2004 09:57:13 +0100 with message-id <[EMAIL PROTECTED]> and subject line "Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)" has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 21 Dec 2004 22:07:06 +0000

Date: Tue, 21 Dec 2004 21:41:35 +0000
From: Jan Minar <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: apache: log directory should have same permissions as logfiles (possible information disclosure)

Package: apache
Version: 1.3.33-2
Severity: minor
Tags: security

Hi.

/var/log/apache is world-readable, so users can e.g. check whether a certain operation triggered an error. And given that the error strings are pretty standardized, they can guess what string has been added to the logfile, judging by the number of bytes that was appended to the log.

As this is not very obvious to the system administrator, and as there is no use of the /var/log/apache directory being readable and searchable while the files in it are not, apart from the information disclosure described above, I think it should be chmod-ed 750, just as the logs in it are chmod 640.

Thanks.

Jan.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (700, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.28-jan
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 (charmap=ISO-8859-2)

Versions of packages apache depends on:
ii  apache-common  1.3.33-2      Support files for all Apache webse
ii  debconf        1.4.30.10     Debian configuration management sy
ii  dpkg           1.10.25       Package maintenance system for Deb
ii  libc6          2.3.2.ds1-18  GNU C Library: Shared libraries an
ii  libdb4.2       4.2.52-17     Berkeley v4.2 Database Libraries [
ii  libexpat1      1.95.8-1      XML parsing C library - runtime li
ii  libmagic1      4.12-1        File type determination library us
ii  logrotate      3.7-2         Log rotation utility
ii  mime-support   3.28-1        MIME files 'mime.types' & 'mailcap
ii  perl           5.8.4-3       Larry Wall's Practical Extraction

-- debconf information:
  apache/init: true
  apache/server-port: 80
  apache/document-root: /var/www
  apache/server-admin: [EMAIL PROTECTED]
  apache/server-name: localhost
* apache/enable-suexec: false

--
Jan Minář
jabber: [EMAIL PROTECTED]
e-mail: jjminar FastMail FM
phone: +44(0)7981 738 696
icq: 345 355 493
irc: [EMAIL PROTECTED]

---------------------------------------
Received: (at 286740-done) by bugs.debian.org; 22 Dec 2004 08:57:37 +0000

Date: Wed, 22 Dec 2004 09:57:13 +0100
From: Fabio Massimo Di Nitto <[EMAIL PROTECTED]>
To: Jan Minar <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

tag 286740 - security
thanks

Jan Minar wrote:
| Package: apache
| Version: 1.3.33-2
| Severity: minor
| Tags: security
|
| Hi.
|
| /var/log/apache is world-readable, so users can e.g. check whether
| certain operation triggered an error. And given that the error strings
| are pretty standardized, they can guess what string has been added to
| the logfile, judging by the number of bytes that was appended to the
| log.
|
| As this is not very obvious to the system administrator, and as there is
| no use of /var/log/apache directory being readable and searchable while
| the files in it are not, apart from the information disclosure described
| above, I think it should be chmod-ed 750, just as the logs in it are
| chmod 640.
|

There is no point in such an operation. If a user has a local account, it also has at least a few thousand other options to make a DoS on apache.

Fabio

--
Self-Service law: The last available dish of the food you have decided to eat, will be inevitably taken from the person in front of you.
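The mismatch the report describes (a directory that is readable and searchable while the logs inside it are not) can be checked mechanically. The script below is an added example, not part of the bug thread or of the Debian apache package; it assumes only POSIX `ls -ld` output and a writable temporary directory for the constructed fixture.

```shell
#!/bin/sh
# Added example: flag a log directory whose group/world bits are wider than
# those of the log files it holds (the reported /var/log/apache case:
# directory 755, files 640).  Uses only POSIX `ls -ld`, not GNU stat.

# First ten characters of the mode string, e.g. "drwxr-x---".
mode_string() { ls -ld "$1" | cut -c1-10; }

# Permission triple for a user class: group -> chars 5-7, other -> chars 8-10.
class_bits() {
    case $2 in
        group) mode_string "$1" | cut -c5-7 ;;
        other) mode_string "$1" | cut -c8-10 ;;
    esac
}

# A directory the class can read or search lets it learn file names and
# sizes via ls -l, which is exactly the disclosure channel in the report.
dir_exposes() { case $(class_bits "$1" "$2") in *r*|*x*) return 0 ;; *) return 1 ;; esac; }

# A file the class cannot read is content whose size still leaks.
file_hidden() { case $(class_bits "$1" "$2") in *r*) return 1 ;; *) return 0 ;; esac; }

# Print one "class can list/stat ... but not read it" line per mismatch to
# stderr; print the mismatch count to stdout.  0 means the directory is no
# more permissive than its files.
count_log_dir_mismatches() {
    n=0
    for cls in group other; do
        dir_exposes "$1" "$cls" || continue
        for f in "$1"/*; do
            [ -f "$f" ] || continue
            if file_hidden "$f" "$cls"; then
                echo "$cls can list/stat $f but not read it" >&2
                n=$((n + 1))
            fi
        done
    done
    echo "$n"
}

# Constructed fixture reproducing the reported layout: dir 755, logs 640.
make_fixture() {
    d=$(mktemp -d)
    : > "$d/access.log"
    : > "$d/error.log"
    chmod 755 "$d"
    chmod 640 "$d/access.log" "$d/error.log"
    echo "$d"
}

# Stand-alone demo: check, apply the chmod 750 the reporter suggests, re-check.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_fixture)
    echo "before: $(count_log_dir_mismatches "$d") mismatch(es)"
    chmod 750 "$d"
    echo "after chmod 750: $(count_log_dir_mismatches "$d") mismatch(es)"
    rm -rf "$d"
fi
```

Run with `--demo` to see the two world-class mismatches on the fixture disappear once the directory is 750.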