Re: Strange apache behaviour? (solved)
I know about that option... but it doesn't CHMOD... it only chowns.

- Original Message -
From: "Bob Billson" <[EMAIL PROTECTED]>
To:
Sent: Sunday, December 09, 2001 11:58 AM
Subject: Re: Strange apache behaviour? (solved)

> On Sun, Dec 09, 2001 at 08:05:17AM +1100, Jason Lim wrote:
> > Perhaps Johnie could make this an optional setting in
> > /etc/apache/cron.conf or something like that...?
>
> There is:
>
> .# Whether to chown logfiles to the user/group Apache runs as.
> APACHE_CHOWN_LOGFILES=0
>                      ^^ This should be 0 *not* 1, which I think is Debian's
>                         default.
>
> This is used by /etc/cron.daily/apache. The server logs should be root.adm or
> root.root with 640 permissions. Having the same that runs the server
> owner/group write permissions to the logs is asking for trouble. Nor
> should the world normally be able to look at them.
>
> bob
> --
> bob billson        email: [EMAIL PROTECTED]        ham: kc2wz    /)
>                           [EMAIL PROTECTED]        beekeeper   -8|||}
> "Níl aon tinteán mar do thinteán féin." --Dorothy  Linux geek    \)
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Strange apache behaviour? (solved)
On Sun, Dec 09, 2001 at 08:05:17AM +1100, Jason Lim wrote:
> Perhaps Johnie could make this an optional setting in
> /etc/apache/cron.conf or something like that...?

There is:

.# Whether to chown logfiles to the user/group Apache runs as.
APACHE_CHOWN_LOGFILES=0
                     ^^ This should be 0 *not* 1, which I think is Debian's
                        default.

This is used by /etc/cron.daily/apache. The server logs should be root.adm or
root.root with 640 permissions. Having the same that runs the server
owner/group write permissions to the logs is asking for trouble. Nor
should the world normally be able to look at them.

bob
--
bob billson        email: [EMAIL PROTECTED]        ham: kc2wz    /)
                          [EMAIL PROTECTED]        beekeeper   -8|||}
"Níl aon tinteán mar do thinteán féin." --Dorothy  Linux geek    \)
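The policy stated in the message above (logs not owned or writable by the account the server runs as, and not readable by the world) can be checked after each rotation. This is an added example, not part of the thread and not code from Debian's /etc/cron.daily/apache; the function names check_log and audit_logs are hypothetical, and the server account is passed in as a parameter (www-data in the listing quoted elsewhere in this thread).

```shell
#!/bin/sh
# Added example (not from the thread): audit log files against the policy
# "mode 640, not owned or writable by the server account, not world-readable".
# check_log and audit_logs are hypothetical names chosen for this sketch.

# check_log FILE SERVER_USER SERVER_GROUP
# Prints one line per finding; prints nothing when FILE passes.
check_log() {
    file=$1 server_user=$2 server_group=$3

    # "ls -ld" yields: mode string, link count, owner, group, ...
    ls_out=$(ls -ld -- "$file") || return 2
    read -r perms _links owner group _rest <<EOF
$ls_out
EOF

    # The account the server runs as must not own its logs: an owner can
    # always chmod the file and then rewrite it.
    if [ "$owner" = "$server_user" ]; then
        printf '%s: owned by server user %s\n' "$file" "$owner"
    fi

    # Character 6 of the mode string is the group write bit.
    case $perms in
        ?????w*)
            if [ "$group" = "$server_group" ]; then
                printf '%s: writable by server group %s\n' "$file" "$group"
            fi ;;
    esac

    # Characters 8-10 are the "other" bits; mode 640 leaves all three clear.
    case $perms in
        ???????---*) ;;
        *) printf '%s: accessible to all users (%s)\n' "$file" "$perms" ;;
    esac
    return 0
}

# audit_logs DIR SERVER_USER SERVER_GROUP
# Checks every regular file in DIR; returns 1 if anything was reported.
audit_logs() {
    status=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        out=$(check_log "$f" "$2" "$3")
        [ -z "$out" ] || { printf '%s\n' "$out"; status=1; }
    done
    return "$status"
}

# Stand-alone use: sh audit.sh <log directory> <server user> <server group>
if [ "$#" -eq 3 ]; then
    audit_logs "$1" "$2" "$3"
fi
```

A non-zero exit status makes the script usable from cron, where any output is mailed to the administrator.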
Re: building custom kernel package
On Tue, Oct 16, 2001 at 02:18:40PM +0200, Russell Coker wrote: Hi Russell, > I've written some scripts to help manage this. I've attached two scripts for > inclusion in /etc/mkinitrd/scripts directory (make sure you don't run the > devfs script in any other way), and the mkinitrd.conf file I use. With that > and the correct /etc/mkinitrd/modules file it should all work fine. I tried the copy-needed-modules script and it choked on my setup at the following module: blkmtd device=/dev/ide/host0/bus1/target0/lun0/disc/part2 erasesz=8 The following patch helps to get the blkmtd module included with the initrd image. --- /root/mkinitrd/scripts/copy-needed-modules Sat Dec 8 16:25:12 2001 +++ copy-needed-modules Sat Dec 8 16:38:23 2001 @@ -22,7 +22,9 @@ open(MODULES, "grep -v ^# /etc/mkinitrd/modules | grep .|") or die "Can't open modules"; while() { - chomp; + # chomp; + $_ =~ /^((\w|-)+)/; + $_ = $1; foreach my $n ($names{$_}, split('\t', $deps{$names{$_}}) ) { if(length($n) > 0) Regards. Bao -- Bao C. Havoice: (310) 922-0137 8D66 6672 7A9B 6879 85CD 42E0 9F6C 7908 ED95 6B38 Primary Perpetrator of "Slackware Linux Unleashed"
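Review bot: the added `$_ = $1;` uses `$1` without checking that the preceding `$_ =~ /^((\w|-)+)/;` actually matched. In Perl a failed match leaves `$1` holding the capture from the last successful match, so a line in /etc/mkinitrd/modules that does not begin with a word character or hyphen (leading whitespace, for example, which the `grep -v ^# ... | grep .` filter lets through) would be processed again under the previous module's name. Suggest `next unless /^([\w-]+)/; $_ = $1;`, which also removes the unused inner capture group, and deleting the commented-out `# chomp;` instead of leaving it in the script.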
Re: Strange apache behaviour? (solved)
Thanks...

The lines to change are:

    do
        if [ -f $LOG ]
        then
            if [ "$APACHE_CHOWN_LOGFILES" = "1" ]
            then
                savelog -c $APACHE_OLD_LOGS -m 640 -u $USR -g $GRP \
                    $LOG > /dev/null
            else
                savelog -c $APACHE_OLD_LOGS -m 640 -u root -g adm \
                    $LOG > /dev/null
            fi
        fi
    done

changing 640 to 644.

This should work... will wait a few days to make sure there are no
side-effects to this.

Perhaps Johnie could make this an optional setting in
/etc/apache/cron.conf or something like that...?

Sincerely,
Jas

- Original Message -
From: "Peter Billson" <[EMAIL PROTECTED]>
To: "Jason Lim" <[EMAIL PROTECTED]>
Cc:
Sent: Sunday, December 09, 2001 9:31 AM
Subject: Re: Strange apache behaviour?

> Jason,
>    Apache's log file ownership and permissions are set when they rotate in
> /etc/cron.daily/apache (about line 90 or so). As pointed out there are
> security issues to worry about so be careful.
>
> Pete
> --
> http://www.elbnet.com
> ELB Internet Services, Inc.
> Web Design, Computer Consulting, Internet Hosting
>
> Jason Lim wrote:
> >
> > Anyone figured out my apache problem (log file permissions)?
> >
> > I still haven't figured this one out yet.
> >
> > TIA,
> >
> > Jas
> >
> > - Original Message -
> > From: "Jason Lim" <[EMAIL PROTECTED]>
> > To:
> > Sent: Saturday, December 08, 2001 1:52 AM
> > Subject: Re: Strange apache behaviour?
> >
> > > That's not very good security-wise to run webalizer as www-data, because if
> > > a user ever finds a way to poison the log files, then webalizer will run
> > > them as www-data, and possibly be able to fool around with apache too
> > > (because they now run as the same user).
> > >
> > > A far better way (and much more direct) would be to have a way to change
> > > apache's log files BACK to the previous permissions.
> > >
> > > I think if no one knows the answer I'll have to ask netgod himself... (I
> > > think he is still the package maintainer?)
> > >
> > > Sincerely,
> > > Jason
> > >
> > > - Original Message -
> > > From: "Denis A. Kulgeyko" <[EMAIL PROTECTED]>
> > > To: "Jason Lim" <[EMAIL PROTECTED]>
> > > Sent: Friday, December 07, 2001 9:10 PM
> > > Subject: Re: Strange apache behaviour?
> > >
> > > > Hello !
> > > >
> > > > > Do you know how to change the permissions of the log files apache
> > > > > generates?
> > > > >
> > > > > -rw-r-----  1 www-data www-data 1372461 Dec  7 13:04 apache-access.log
> > > > > -rw-r-----  1 www-data www-data  740269 Dec  2 06:21 apache-access.log.0
> > > > > -rw-r-----  1 www-data www-data   44414 Nov 25 05:52 apache-access.log.1.gz
> > > > > -rw-rw-r--  1 www-data www-data  167114 Sep 23 06:10 apache-access.log.10.gz
> > > > > -rw-rw-r--  1 www-data www-data   13069 Sep 16 06:06 apache-access.log.11.gz
> > > > > -rw-rw-r--  1 www-data www-data   14357 Sep  9 06:04 apache-access.log.12.gz
> > > > > -rw-rw-r--  1 www-data www-data   21209 Sep  2 06:24 apache-access.log.13.gz
> > > > > -rw-rw-r--  1 www-data www-data    5979 Nov 19  2000 apache-access.log.14.gz
> > > > > -rw-rw-r--  1 www-data www-data   36771 Nov 18 06:23 apache-access.log.2.gz
> > > > >
> > > > > It USED to be readable by all, now the permissions have changed (which in
> > > > > my case screws up the webalizer processes run by users).
> > > > >
> > > > > Having a look at the changelog...
> > > > >
> > > > > apache (1.3.22-1) unstable; urgency=low
> > > > >   * Default ownership of logfiles is root/adm, perms 640 (closes:
> > > > >     #112675).
> > > > >
> > > > > That's all nice and good... but how do I get it 644? I looked and can't
> > > > > appear to find it. Closest thing I could find was in
> > > > > /etc/apache/cron.conf, but that only sets the uid/gid, not the file
> > > > > permissions of the logfiles.
> > > > >
> > > > > Any ideas?
> > > >
> > > > Run webalizer with permissions of group www-data and set appropriate umask to
> > > > user www-data (may be to logrotate daemon too).
> > > >
> > > > --
> > > > With Best Regards,
> > > > Denis A. Kulgeyko
> > > > DK666-UANIC
> > > > e-mail: [EMAIL PROTECTED]
> > > > ICQ: 81607525
> > > > SMS: [EMAIL PROTECTED]
> > > > --
> > > > UNIXes ... they are VERY friendly.
> > > > But .. they chooses their friends VERY carefully ... :)
> > > > ^]:wq!
Re: Strange apache behaviour?
Jason,
   Apache's log file ownership and permissions are set when they rotate in
/etc/cron.daily/apache (about line 90 or so). As pointed out there are
security issues to worry about so be careful.

Pete
--
http://www.elbnet.com
ELB Internet Services, Inc.
Web Design, Computer Consulting, Internet Hosting

Jason Lim wrote:
>
> Anyone figured out my apache problem (log file permissions)?
>
> I still haven't figured this one out yet.
>
> TIA,
>
> Jas
>
> - Original Message -
> From: "Jason Lim" <[EMAIL PROTECTED]>
> To:
> Sent: Saturday, December 08, 2001 1:52 AM
> Subject: Re: Strange apache behaviour?
>
> > That's not very good security-wise to run webalizer as www-data, because if
> > a user ever finds a way to poison the log files, then webalizer will run
> > them as www-data, and possibly be able to fool around with apache too
> > (because they now run as the same user).
> >
> > A far better way (and much more direct) would be to have a way to change
> > apache's log files BACK to the previous permissions.
> >
> > I think if no one knows the answer I'll have to ask netgod himself... (I
> > think he is still the package maintainer?)
> >
> > Sincerely,
> > Jason
> >
> > - Original Message -
> > From: "Denis A. Kulgeyko" <[EMAIL PROTECTED]>
> > To: "Jason Lim" <[EMAIL PROTECTED]>
> > Sent: Friday, December 07, 2001 9:10 PM
> > Subject: Re: Strange apache behaviour?
> >
> > > Hello !
> > >
> > > > Do you know how to change the permissions of the log files apache
> > > > generates?
> > > >
> > > > -rw-r-----  1 www-data www-data 1372461 Dec  7 13:04 apache-access.log
> > > > -rw-r-----  1 www-data www-data  740269 Dec  2 06:21 apache-access.log.0
> > > > -rw-r-----  1 www-data www-data   44414 Nov 25 05:52 apache-access.log.1.gz
> > > > -rw-rw-r--  1 www-data www-data  167114 Sep 23 06:10 apache-access.log.10.gz
> > > > -rw-rw-r--  1 www-data www-data   13069 Sep 16 06:06 apache-access.log.11.gz
> > > > -rw-rw-r--  1 www-data www-data   14357 Sep  9 06:04 apache-access.log.12.gz
> > > > -rw-rw-r--  1 www-data www-data   21209 Sep  2 06:24 apache-access.log.13.gz
> > > > -rw-rw-r--  1 www-data www-data    5979 Nov 19  2000 apache-access.log.14.gz
> > > > -rw-rw-r--  1 www-data www-data   36771 Nov 18 06:23 apache-access.log.2.gz
> > > >
> > > > It USED to be readable by all, now the permissions have changed (which in
> > > > my case screws up the webalizer processes run by users).
> > > >
> > > > Having a look at the changelog...
> > > >
> > > > apache (1.3.22-1) unstable; urgency=low
> > > >   * Default ownership of logfiles is root/adm, perms 640 (closes:
> > > >     #112675).
> > > >
> > > > That's all nice and good... but how do I get it 644? I looked and can't
> > > > appear to find it. Closest thing I could find was in
> > > > /etc/apache/cron.conf, but that only sets the uid/gid, not the file
> > > > permissions of the logfiles.
> > > >
> > > > Any ideas?
> > >
> > > Run webalizer with permissions of group www-data and set appropriate umask to
> > > user www-data (may be to logrotate daemon too).
> > >
> > > --
> > > With Best Regards,
> > > Denis A. Kulgeyko
> > > DK666-UANIC
> > > e-mail: [EMAIL PROTECTED]
> > > ICQ: 81607525
> > > SMS: [EMAIL PROTECTED]
> > > --
> > > UNIXes ... they are VERY friendly.
> > > But .. they chooses their friends VERY carefully ... :)
> > > ^]:wq!
Re: Strange apache behaviour?
Anyone figured out my apache problem (log file permissions)?

I still haven't figured this one out yet.

TIA,

Jas

- Original Message -
From: "Jason Lim" <[EMAIL PROTECTED]>
To:
Sent: Saturday, December 08, 2001 1:52 AM
Subject: Re: Strange apache behaviour?

> That's not very good security-wise to run webalizer as www-data, because if
> a user ever finds a way to poison the log files, then webalizer will run
> them as www-data, and possibly be able to fool around with apache too
> (because they now run as the same user).
>
> A far better way (and much more direct) would be to have a way to change
> apache's log files BACK to the previous permissions.
>
> I think if no one knows the answer I'll have to ask netgod himself... (I
> think he is still the package maintainer?)
>
> Sincerely,
> Jason
>
> - Original Message -
> From: "Denis A. Kulgeyko" <[EMAIL PROTECTED]>
> To: "Jason Lim" <[EMAIL PROTECTED]>
> Sent: Friday, December 07, 2001 9:10 PM
> Subject: Re: Strange apache behaviour?
>
> > Hello !
> >
> > > Do you know how to change the permissions of the log files apache
> > > generates?
> > >
> > > -rw-r-----  1 www-data www-data 1372461 Dec  7 13:04 apache-access.log
> > > -rw-r-----  1 www-data www-data  740269 Dec  2 06:21 apache-access.log.0
> > > -rw-r-----  1 www-data www-data   44414 Nov 25 05:52 apache-access.log.1.gz
> > > -rw-rw-r--  1 www-data www-data  167114 Sep 23 06:10 apache-access.log.10.gz
> > > -rw-rw-r--  1 www-data www-data   13069 Sep 16 06:06 apache-access.log.11.gz
> > > -rw-rw-r--  1 www-data www-data   14357 Sep  9 06:04 apache-access.log.12.gz
> > > -rw-rw-r--  1 www-data www-data   21209 Sep  2 06:24 apache-access.log.13.gz
> > > -rw-rw-r--  1 www-data www-data    5979 Nov 19  2000 apache-access.log.14.gz
> > > -rw-rw-r--  1 www-data www-data   36771 Nov 18 06:23 apache-access.log.2.gz
> > >
> > > It USED to be readable by all, now the permissions have changed (which in
> > > my case screws up the webalizer processes run by users).
> > >
> > > Having a look at the changelog...
> > >
> > > apache (1.3.22-1) unstable; urgency=low
> > >   * Default ownership of logfiles is root/adm, perms 640 (closes:
> > >     #112675).
> > >
> > > That's all nice and good... but how do I get it 644? I looked and can't
> > > appear to find it. Closest thing I could find was in
> > > /etc/apache/cron.conf, but that only sets the uid/gid, not the file
> > > permissions of the logfiles.
> > >
> > > Any ideas?
> >
> > Run webalizer with permissions of group www-data and set appropriate umask to
> > user www-data (may be to logrotate daemon too).
> >
> > --
> > With Best Regards,
> > Denis A. Kulgeyko
> > DK666-UANIC
> > e-mail: [EMAIL PROTECTED]
> > ICQ: 81607525
> > SMS: [EMAIL PROTECTED]
> > --
> > UNIXes ... they are VERY friendly.
> > But .. they chooses their friends VERY carefully ... :)
> > ^]:wq!
Re: Debian GNU/Linux as email & DNS server
On Sat, Dec 08, 2001 at 11:09:22AM +0100, Marc Haber wrote:
> On Fri, 07 Dec 2001 11:04:01 +1100 (EST), Donovan Baarda
> <[EMAIL PROTECTED]> wrote:
> >As a matter of interest, what is the story with all the imap and pop
> >implementations? The debian woody "mailserver" task includes qpopper and
> >uw-imapd. What's wrong with the much smaller ipopd, which is uw-imapd's pop
> >counterpart?
>
> This is flame war material.

I had no idea that it would be a touchy subject... my enquiry was purely
innocent. I'm just in the process of setting up the mailserver part of a new
woody box and was a little overwhelmed when I realised all the options.

When in doubt, I usually pick the smallest download. This is mainly because I
live on the end of a slow link, but also because I'm a KISS, anti-bloat kinda
guy. qpopper is about six times the size of the other popd's, how much extra
can a popd have?

> Generally, I keep my hands off any UW software because the UW people
> are not very security aware.
>
> >What are people's experiences/comments? Are the ssl variants worth using?
>
> I like Courier because it is one very flexible package and it does all
> variants that might be needed: pop/imap in both ssl and non-ssl. There
> is even an MTA which I have never looked at, though.

Thanks for the heads up. It looks like courier is the go.

--
ABO: finger [EMAIL PROTECTED] for more info, including pgp key
Re: Mailinglist software recommendations?
On Fri, 7 Dec 2001 15:47:32 +0100 (CET), Teun Vink <[EMAIL PROTECTED]> wrote:
>Try Mailman, it can do all the things you asked.

I am not particularly fond of Mailman, because there are a lot of functions that can only be controlled via the web interface. Mailman without the web interface is almost unusable, and if you are on an e-mail-only site (which I frequently am), this can be a pain.

I'd recommend looking at ecartis (formerly named listar).

Greetings
Marc

--
!! No courtesy copies, please !!
Marc Haber         | " Questions are the         | Mail address in header
Karlsruhe, Germany | Beginning of Wisdom "       | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29
Re: Debian GNU/Linux as email & DNS server
On Fri, 07 Dec 2001 11:04:01 +1100 (EST), Donovan Baarda <[EMAIL PROTECTED]> wrote:
>As a matter of interest, what is the story with all the imap and pop
>implementations? The debian woody "mailserver" task includes qpopper and
>uw-imapd. What's wrong with the much smaller ipopd, which is uw-imapd's pop
>counterpart?

This is flame war material.

Generally, I keep my hands off any UW software because the UW people are not very security aware.

>What are peoples experiences/comments? Are the ssl variants worth using?

I like Courier because it is one very flexible package and it does all variants that might be needed: pop/imap in both ssl and non-ssl. There is even an MTA which I have never looked at, though.

As opposed to Cyrus, Courier uses a standard mail spool (in maildir format) which can be accessed by third-party software for debugging purposes.

The author of Courier has a quite difficult ego, but since Courier mainly works, you don't have to flame him too often.

Greetings
Marc

--
!! No courtesy copies, please !!
Marc Haber         | " Questions are the         | Mail address in header
Karlsruhe, Germany | Beginning of Wisdom "       | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29
Re: Mailinglist software recommendations?
On Fri, Dec 07, 2001 at 03:41:11PM +0100, Marcel Hicking wrote:
> could anyone recommend a mailinglist software for
> several small to medium sized mailinglists (say,
> from very few to maybe a thousand or so subscribers)?

Try Ecartis (formerly Listar - http://www.listar.org/). Packaged in Debian as listar still.

Some features include:
- modular
- written in c
- secure remote administration which uses cookies, so hard for someone to spoof the admin addr

> b) Some admin web interface for the guys going
> to use and feed the lists. Need to be able to add lists,

Ecartis has this packaged in listar-cgi.

> c) A web interface to (un)subscribe to lists (which I
> could probably do myself ;-)

I think you can do this with listar-cgi but if not then as you say it's not much effort to add this functionality.

> Subscribers should not be able to post to the list in
> general, but having this optional for each list would
> be nice to have.

Can do this with any decent list manager.

--
Jeremy Lunn
Melbourne, Australia
Find me on Jabber today! Try my email address as my JID.