Your message dated Mon, 14 Feb 2011 22:46:17 +0300
with message-id <[email protected]>
and subject line Re: [Pkg-awstats-devel] Bug#396452: Bug#396452: Run cron
script under root.
has caused the Debian Bug report #396452,
regarding facilitate awstats access to log files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
396452: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=396452
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: awstats
Version: 6.5-2
Severity: normal
A simple workaround for the security problem is to run the cron script as root. Thus
apache statistics will be easily parsed and the resulting files will be created
as www-data visible and usable from the cgi script.
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-amd64
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Versions of packages awstats depends on:
ii perl [libstorable-perl] 5.8.8-6.1 Larry Wall's Practical Extraction
Versions of packages awstats recommends:
pn libnet-xwhois-perl <none> (no description available)
-- no debconf information
--- End Message ---
--- Begin Message ---
Hello,
Thank you for your report. But running the script with permissions of
root is a very bad idea. By default, awstats doesn't run as root, but
as www-data.
There are a number of suggestions on how to secure execution of the cron
job. E.g., use a dedicated user for this task. See the thread with subject
"RFC - cron-related stuff" in
http://lists.alioth.debian.org/pipermail/pkg-awstats-devel/
It starts here:
http://lists.alioth.debian.org/pipermail/pkg-awstats-devel/2009-March/000483.html
On Mon, Feb 14, 2011 at 10:27 PM, George Zarkadas
<[email protected]> wrote:
> Package: awstats
> Version: 6.9~dfsg-1
> Severity: normal
>
> Hi, I use the ubuntu 9.10 distribution, which looking at the debian
> package's changelog should correspond to 6.9~dfsg-1 sources and faced
> the same problem.
>
> The workaround I have devised to provide access to apache2 logs without
> running awstats as root, nor making the logs accessible to everyone is
> to:
>
> 1. Use a special user for the cron job that has the right to read the
> logs (ie belongs to the adm group). I was reluctant to create a new user
> myself, in fear of having a possible future conflict if I installed a
> package, so I chose `logcheck' which was already there; but the
> principle is the same for a brand new one also (to avoid a dependency).
>
> 2. Change ownership and permissions of awstats datadir (/var/lib/awstats
> in my case) to:
>
> user: logcheck
> group: www-data
> perms: rwxr-s---
>
> That way any log analyses created by the special cron job user (logcheck
> in my case) are available to awstats.pl cgi script for reading.
>
> I also changed the cron job, to allow it to work both with the recommended
> by upstream authors way of managing multiple virtual hosts (create an
> awstats.virtualhostname.conf file) and the previous assumption that
> awstats.conf itself is customised.
>
> The modified `/etc/cron.d/awstats' script (the interesting part is the
> command) is included below:
>
> ----------------------------------------------------------------------
> 0,10,20,30,40,50 * * * * logcheck [ -x /usr/lib/cgi-bin/awstats.pl -a -d /etc/awstats -a -r /var/log/apache2/access.log ] && ( umask 022 ; ls /etc/awstats/awstats*.conf | sed -e 's_/etc/awstats/__' -e 's/.conf$//' -e 's_^\(awstats\.\)\(.*\)$_\2_' | xargs -I '@' --max-args=1 --no-run-if-empty /usr/lib/cgi-bin/awstats.pl -config=@ -update >/dev/null )
> ----------------------------------------------------------------------
>
> The latter does not directly associate with the log access problem, but
> it is IMHO a nice default to have.
>
> I hope the above will be useful.
>
> regards
> George Zarkadas
--- End Message ---
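
Added example (not part of the original messages or of the awstats package): a small shell audit for the layout described in the quoted message, checking that a cron.d entry does not run as root and that the data directory is mode 2750, plus the config-name derivation from the quoted cron command with the dot in ".conf" escaped. The function names and the sample inputs are constructed for illustration; `stat -c` assumes GNU or busybox stat.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Map config file paths (stdin) to awstats -config= names with the same
# three sed steps as the quoted cron entry; the dot in ".conf" is escaped here.
config_names() {
    sed -e 's_/etc/awstats/__' -e 's/\.conf$//' \
        -e 's_^\(awstats\.\)\(.*\)$_\2_'
}

# Print the user field of a system crontab (/etc/cron.d) line:
# five time fields, then the account the command runs as.
cron_user() {
    printf '%s\n' "$1" | awk '{ print $6 }'
}

# Succeed only if DIR has mode 2750 (rwxr-s---): setgid so new files
# inherit the directory's group, and no access for others.
# Assumes GNU or busybox stat (-c).
datadir_mode_ok() {
    [ "$(stat -c '%a' "$1")" = "2750" ]
}

# Report findings for one cron line and one data directory.
# Returns non-zero if the job runs as root or the mode differs from 2750.
audit() {
    line=$1 dir=$2 rc=0
    user=$(cron_user "$line")
    if [ "$user" = "root" ]; then
        echo "FAIL: cron job runs as root"; rc=1
    else
        echo "ok: cron job runs as $user"
    fi
    if datadir_mode_ok "$dir"; then
        echo "ok: $dir is 2750, owner:group $(stat -c '%U:%G' "$dir")"
    else
        echo "FAIL: $dir mode is $(stat -c '%a' "$dir"), expected 2750"; rc=1
    fi
    return $rc
}
```

Call it as `audit "$(grep awstats.pl /etc/cron.d/awstats)" /var/lib/awstats` and compare the printed owner:group with the cron user and the web server group.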