Processed: Re: Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

2004-12-22 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

 tag 286740 - security
Bug#286740: apache: log directory should have same permissions as logfiles 
(possible information disclosure)
Tags were: security
Tags removed: security

 thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)




Bug#286740: marked as done (apache: log directory should have same permissions as logfiles (possible information disclosure))

2004-12-22 Thread Debian Bug Tracking System
Your message dated Wed, 22 Dec 2004 09:57:13 +0100
with message-id [EMAIL PROTECTED]
and subject line Bug#286740: apache: log directory should have same permissions 
as logfiles (possible information disclosure)
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--
Received: (at submit) by bugs.debian.org; 21 Dec 2004 22:07:06 +
From [EMAIL PROTECTED] Tue Dec 21 14:07:06 2004
Return-path: [EMAIL PROTECTED]
Received: from host81-134-51-163.in-addr.btopenworld.com 
(mail.haltyr.dejvice.czf) [81.134.51.163] 
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1Cgs9p-0001zs-00; Tue, 21 Dec 2004 14:07:06 -0800
Received: by mail.haltyr.dejvice.czf (Postfix, from userid 1000)
id 7439648EA; Tue, 21 Dec 2004 21:41:35 + (GMT)
Date: Tue, 21 Dec 2004 21:41:35 +
From: Jan Minar [EMAIL PROTECTED]
To: Debian Bug Tracking System [EMAIL PROTECTED]
Subject: apache: log directory should have same permissions as logfiles 
(possible information disclosure)
Message-ID: [EMAIL PROTECTED]
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol=application/pgp-signature; boundary=nFreZHaLTZJo0R7j
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 


--nFreZHaLTZJo0R7j
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: apache
Version: 1.3.33-2
Severity: minor
Tags: security

Hi.

/var/log/apache is world-readable, so users can e.g. check whether
certain operation triggered an error.  And given that the error strings
are pretty standardized, they can guess what string has been added to
the logfile, judging by the number of bytes that was appended to the
log.

As this is not very obvious to the system administrator, and as there is
no use of /var/log/apache directory being readable and searchable while
the files in it are not, apart from the information disclosure described
above, I think it should be chmod-ed 750, just as the logs in it are
chmod 640.

Thanks.
Jan.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (700, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.28-jan
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 (charmap=ISO-8859-2)

Versions of packages apache depends on:
ii  apache-common   1.3.33-2      Support files for all Apache webse
ii  debconf         1.4.30.10     Debian configuration management sy
ii  dpkg            1.10.25       Package maintenance system for Deb
ii  libc6           2.3.2.ds1-18  GNU C Library: Shared libraries an
ii  libdb4.2        4.2.52-17     Berkeley v4.2 Database Libraries [
ii  libexpat1       1.95.8-1      XML parsing C library - runtime li
ii  libmagic1       4.12-1        File type determination library us
ii  logrotate       3.7-2         Log rotation utility
ii  mime-support    3.28-1        MIME files 'mime.types' & 'mailcap
ii  perl            5.8.4-3       Larry Wall's Practical Extraction 

-- debconf information:
  apache/init: true
  apache/server-port: 80
  apache/document-root: /var/www
  apache/server-admin: [EMAIL PROTECTED]
  apache/server-name: localhost
* apache/enable-suexec: false

-- 
 )^o-o^|jabber: [EMAIL PROTECTED]
 | .v  Ke-mail: jjminar FastMail FM
 `  - .' phone: +44(0)7981 738 696
  \ __/Jan icq: 345 355 493
 __|o|__Minář  irc: [EMAIL PROTECTED]


---
Received: (at 286740-done) by bugs.debian.org; 22 Dec 2004 08:57:37 +
From [EMAIL PROTECTED] Wed Dec 22 00:57:37 2004
Return-path: [EMAIL PROTECTED]
Received: from port49.ds1-van.adsl.cybercity.dk (trider-g7.fabbione.net) 
[212.242.141.114] 
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1Ch2JN-0007Mi-00; 
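Added example, not code from the bug report, the Debian apache package or any participant in the thread: a small Python audit for the inconsistency Jan describes, a directory that every local user can search while the log files in it are mode 640. It builds a constructed temporary tree with those defaults, reports which files expose their size and mtime to "other" through stat(), applies the proposed chmod 750 and checks again. Only the immediate parent directory is checked; a full check would walk every directory on the path.

```python
#!/usr/bin/env python3
"""Audit a log directory for the exposure described in Bug#286740.

stat() on a file needs only search (x) permission on the directory, not
read permission on the file. So a 755 directory holding 640 files lets any
local user watch the files' size and mtime while the content stays hidden.
Constructed example; not the Debian package's own code.
"""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    dir_mode: int   # permission bits of the containing directory
    file_mode: int  # permission bits of the file


def metadata_leaks(dir_mode: int, file_mode: int) -> bool:
    """True when 'other' can stat() the file (directory has o+x) but cannot
    read it (file lacks o+r): the metadata-only exposure from the report."""
    return bool(dir_mode & stat.S_IXOTH) and not (file_mode & stat.S_IROTH)


def audit_log_dir(root: str) -> list[Finding]:
    """Walk root and return every regular file whose metadata is exposed to
    'other' through a searchable directory while its content is not."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dir_mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            file_mode = stat.S_IMODE(st.st_mode)
            if metadata_leaks(dir_mode, file_mode):
                findings.append(Finding(path, dir_mode, file_mode))
    return findings


def tighten_dir(root: str) -> None:
    """Apply the fix proposed in the report: drop all 'other' bits on the
    directories so stat() on the files fails for users outside the group."""
    for dirpath, _dirnames, _filenames in os.walk(root):
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        os.chmod(dirpath, mode & ~stat.S_IRWXO)


def demo() -> tuple[int, int]:
    """Build a constructed /var/log/apache look-alike (dir 755, logs 640,
    the defaults named in the report), audit it, apply 750 and audit again.
    Returns (exposed files before the fix, exposed files after)."""
    with tempfile.TemporaryDirectory() as tmp:
        logdir = os.path.join(tmp, "apache")
        os.mkdir(logdir)
        os.chmod(logdir, 0o755)
        for name in ("access.log", "error.log"):
            path = os.path.join(logdir, name)
            with open(path, "w") as fh:
                fh.write("constructed sample log line\n")
            os.chmod(path, 0o640)
        before = len(audit_log_dir(logdir))
        tighten_dir(logdir)
        after = len(audit_log_dir(logdir))
        return before, after


if __name__ == "__main__":
    exposed_before, exposed_after = demo()
    print(f"files exposing metadata: before chmod 750 = {exposed_before}, "
          f"after = {exposed_after}")
```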

Bug#280206: apache: Apache wont start, FD_SETSIZE set too low

2004-12-22 Thread Mathieu De Zutter
Hi,

I had the same problem here, due to an ever-growing number of vhosts. I
had a look at lsof and I saw that logging directives inside each vhost
caused the number of open files to explode. I've removed some of them
and I should be ok again for a year (1200 - 800 open files), or till an
upgrade to apache2. Does anyone know if apache2 has the same problem?

-- 
Groetjes,
Mathieu





Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

2004-12-22 Thread Jan Minar
On Wed, Dec 22, 2004 at 09:57:13AM +0100, Fabio Massimo Di Nitto wrote:
 tag 286740 - security
 thanks
 
 Jan Minar wrote:
 | Package: apache
 | Version: 1.3.33-2
 | Severity: minor
 | Tags: security
 |
 | Hi.
 |
 | /var/log/apache is world-readable, so users can e.g. check whether
 | certain operation triggered an error.  And given that the error strings
 | are pretty standardized, they can guess what string has been added to
 | the logfile, judging by the number of bytes that was appended to the
 | log.
 |
 | As this is not very obvious to the system administrator, and as there is
 | no use of /var/log/apache directory being readable and searchable while
 | the files in it are not, apart from the information disclosure described
 | above, I think it should be chmod-ed 750, just as the logs in it are
 | chmod 640.
 |
 
 There is no point in such operation. If a user have a local account
 it also has at least a few other thousands options to make a DoS on apache.

Apples and pears.  Information disclosure and DoS.  And BTW, fix the
DoSes too.

IMVHO, You should at least read the bug reports before You are closing
them...

-- 
 )^o-o^|jabber: [EMAIL PROTECTED]
 | .v  Ke-mail: jjminar FastMail FM
 `  - .' phone: +44(0)7981 738 696
  \ __/Jan icq: 345 355 493
 __|o|__Min  irc: [EMAIL PROTECTED]




Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

2004-12-22 Thread Fabio Massimo Di Nitto
Jan Minar wrote:
| On Wed, Dec 22, 2004 at 09:57:13AM +0100, Fabio Massimo Di Nitto wrote:
|
|tag 286740 - security
|thanks
|
|Jan Minar wrote:
|| Package: apache
|| Version: 1.3.33-2
|| Severity: minor
|| Tags: security
||
|| Hi.
||
|| /var/log/apache is world-readable, so users can e.g. check whether
|| certain operation triggered an error.  And given that the error strings
|| are pretty standardized, they can guess what string has been added to
|| the logfile, judging by the number of bytes that was appended to the
|| log.
||
|| As this is not very obvious to the system administrator, and as there is
|| no use of /var/log/apache directory being readable and searchable while
|| the files in it are not, apart from the information disclosure described
|| above, I think it should be chmod-ed 750, just as the logs in it are
|| chmod 640.
||
|
|There is no point in such operation. If a user have a local account
|it also has at least a few other thousands options to make a DoS on apache.
|
|
| Apples and pears.  Information disclosure and DoS.  And BTW, fix the
| DoSes too.
Oh GREAT.. so let's see... I should go around the world changing all the hardware
on the planet because each user on a machine can use ab or any kind of tool
that can telnet to port 80, generating millions of requests on the localhost
server, therefore slowing down the machine? You are welcome to provide me
the money to do so, together with patches to each config file for each
apache server out there so that there will always be available resources.
|
| IMVHO, You should at least read the bugreports before You are closing
| them...
|
So let's see.. provide me a PoC that I can use to gather information out
of this theoretical bug that can lead to DoS or privilege escalation
and I will fix this bug immediately.
Fabio
- --
Self-Service law:
The last available dish of the food you have decided to eat, will be
inevitably taken from the person in front of you.



Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

2004-12-22 Thread Fabio Massimo Di Nitto
[EMAIL PROTECTED] wrote:
| On Wed, Dec 22, 2004 at 11:44:54AM +0100, Fabio Massimo Di Nitto wrote:
|
| |There is no point in such operation. If a user have a local account
| |it also has at least a few other thousands options to make a DoS on
| apache.
| |
| |
| | Apples and pears.  Information disclosure and DoS.  And BTW, fix the
| | DoSes too.
|
| Oh GREAT.. so let see... i should go around the world changing all the
| hardware
| on the planet because each user on a machine can use ab or any kind of tool
| that can telnet to port 80 generating millions of requests on the localhost
| server? therefor slowing down the machine?
|
| No, No one ever asked you to do so. But please read your original statement -
| are you _seriously_ suggesting that you won't fix a potential problem only
| because there might be other problems as well? So, are your really saying 
that
| apache can'T be used in a professional ISP environment (where customers share
| servers and have local accounts)? Hmm, i should have a serious talk with our
| providers then.
This is a more than common problem on every kind of server you run. There is
nothing new about it.
It can be apache, it can be whatever other service. In a network environment
the situation can be slightly different since you are limited (somehow) by the
available bandwidth to provide a DoS, or to scan the network, etc.
The fact that you already have access to the box will give you many other ways
to do whatever you want (or almost) on the machine. So if we really want to be
paranoid, why does that user have local access in the first place?
If the user for example can write a .htaccess file, it is enough for him to write
wrong entries in there to make the server generate errors, without even the need
of checking the log file.
| BTW, your reply is rather murky on the technical side: the bug report doesn't
| talk about a DOS, it mentions information leakage which is a differnt kind
| of thread (and i hope you consider privacy important).
The example the OP gave about monitoring error logs doesn't provide you any vital
information from the running server, and even if you can barely guess what has been
written to the log file, there is almost no use for this info. Remember that you are
not monitoring access.log, which can contain real sensitive data.
| you are welcome to provide me
| the money to do so, together with patches to each config file for each
| apache server out there so that there will be always available resources.
|
|
| The OP just asked for a change of permission on the directory - what's so 
time-
| consuming about that?
| When I learned system administration one of the key points
| was to keep all configuration and logging data as private as possible. Can 
you
| provide any reason for the logging directories _not_ having 750 permission?
|
It is pointless since you cannot read the files.
|
| |
| | IMVHO, You should at least read the bugreports before You are closing
| | them...
| |
|
| So let see.. provide me a PoC that i can use to gather information out
| of this theorerical bug that can lead to DoS or privilege escalations
| and i will fix this bug immediatly.
|
|
| Apache does write to logfiles in buffered blocks. By monitoring the file
| io of the log file one can get a pretty good picture of the traffic amount
| and access patterns for the corresponding server. Some of my customers 
_would_
| consider this bussiness-confidential data ...
Checking the file size doesn't provide enough information about the traffic or
access patterns. Your server could get one request for a terabyte of data or
10 requests for nothing, and the log entries would change in size anyway
according to the requested URL. Therefore there is no match between the amount and size
of the requests.
| One can also monitor whether a certain scan/exploit etc. triggers logging to
| the error log - this is pretty much like a login program that tells you that
| a user doesn't exist :-)
If a user has access to the machine, he/she doesn't need to look at apache logs
to gather this information.
|
| BTW, why is it that a lot of bug reporters are greeted with irony/sarcasm
| or neglectance here?
A security bug, as it claims to be, is either serious or is not a security bug.
I have never heard of a minor security bug. Did you?
Fabio
- --
Self-Service law:
The last available dish of the food you have decided to eat, will be
inevitably taken from the person in front of you.



Re: Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

2004-12-22 Thread simon
On Wed, 22 Dec 2004, Fabio Massimo Di Nitto said:

 [EMAIL PROTECTED] wrote:
 | On Wed, Dec 22, 2004 at 11:44:54AM +0100, Fabio Massimo Di Nitto wrote:
 |

it's funny, 'cause both of you have made good points. thing is, i've
already chmodded my apache* log dirs 750 =;). 

this situation is different here though. only people allowed shell
access are trusted people, therefore it doesn't matter much. 

the thing about security is to layer it. the more layers you have, the
better.

say an attacker breaks through one layer, there are yet another few or
several layers they have to get through to actually do any real harm. chmod
750 on a log dir may or may not be a part of that. seems it's a touchy
subject... but privacy concerns - for both individuals and organisations
-  are important too. 

how about: either having a short debconf question about chmod 750
/var/log/apache*, and asking yes or no; or, a mention in README.Debian
about it. an admin that wants to do that anyway will do it, and for
others it might give them something to think about. 

(yes this is a proposal *grin*).

-- 
 ,''`.   http://www.debian.org/  GPG Print: 7C49 FD9C 1054 7300 3B7B
 : :' :  Debian GNU/Linux   8BF4 6A88 7AE2 711D F097
 '
   `-




Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

2004-12-22 Thread Jan Minar
On Wed, Dec 22, 2004 at 11:44:54AM +0100, Fabio Massimo Di Nitto wrote:
 Jan Minar wrote:
 | On Wed, Dec 22, 2004 at 09:57:13AM +0100, Fabio Massimo Di Nitto wrote:
 |
 |tag 286740 - security
 |thanks
 |
 |Jan Minar wrote:
 || Package: apache
 || Version: 1.3.33-2
 || Severity: minor
 || Tags: security
 ||
 || Hi.
 ||
 || /var/log/apache is world-readable, so users can e.g. check whether
 || certain operation triggered an error.  And given that the error strings
 || are pretty standardized, they can guess what string has been added to
 || the logfile, judging by the number of bytes that was appended to the
 || log.
 ||
 || As this is not very obvious to the system administrator, and as there is
 || no use of /var/log/apache directory being readable and searchable while
 || the files in it are not, apart from the information disclosure described
 || above, I think it should be chmod-ed 750, just as the logs in it are
 || chmod 640.
 ||
 |
 |There is no point in such operation. If a user have a local account
 |it also has at least a few other thousands options to make a DoS on apache.
 |
 |
 | Apples and pears.  Information disclosure and DoS.  And BTW, fix the
 | DoSes too.
 
 Oh GREAT.. so let see... i should go around the world changing all the 
 hardware
 on the planet because each user on a machine can use ab or any kind of tool
 that can telnet to port 80 generating millions of requests on the localhost
 server? Therefor slowing down the machine? You are welcome to provide me
 the money to do so, together with patches to each config file for each
 apache server out there so that there will be always available resources.

I think the iptables or tcpwrapper package maintainers can quote You
really affordable prices.  Nevertheless, it is not of much relevance.

 |
 | IMVHO, You should at least read the bugreports before You are closing
 | them...
 |
 
 So let see.. provide me a PoC that i can use to gather information out
 of this theorerical bug that can lead to DoS or privilege escalations
 and i will fix this bug immediatly.

I never talked about DoS or privilege escalation.  It's an:

*** unauthorized information disclosure ***

Please stop whining and fix the bug.


-- 
 )^o-o^|jabber: [EMAIL PROTECTED]
 | .v  Ke-mail: jjminar FastMail FM
 `  - .' phone: +44(0)7981 738 696
  \ __/Jan icq: 345 355 493
 __|o|__Min  irc: [EMAIL PROTECTED]




Re: Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

2004-12-22 Thread Fabio Massimo Di Nitto
[EMAIL PROTECTED] wrote:
| On Wed, 22 Dec 2004, Fabio Massimo Di Nitto said:
|
|
|
|[EMAIL PROTECTED] wrote:
|| On Wed, Dec 22, 2004 at 11:44:54AM +0100, Fabio Massimo Di Nitto wrote:
||
|
|
| it's funny, 'cause both of you have made good points. thing is, i've
| already chmodded my apache* log dirs 750 =;).
|
| this situation is different here though. only people allowed shell
| access are trusted people, therefore it doesn't matter much.
|
| the thing about security is to layer it. the more layers you have, the
| better.
eheh see.. people here are mumbling about /var/log/apache - and talking about layers,
why do they have access to /var/log in the first place? ;)
|
| say an attacker breaks through one layer, there is yet another few or
| several layers they have get through to actually do any real harm. chmod
| 750 a log dir may or may not be a part of that. seems it's a touchy
| subject... but privacy concerns - for both individuals and organisations
| -  are important too.
It is a very touchy argument, especially when some people want tighter permissions
while others want them more relaxed to be able to run their favourite apache log
parser to generate stats.
We have had a neutral position for ages to avoid moving the balance towards one
side or the other, and we are not going to change it.
|
| how about: either having a short debconf question about chmod 750
| /var/log/apache*, and asking yes or no;
another debconf question would be overkill.
| or, a mention in README.Debian
| about it. an admin that wants to do that anyway will do it, and for
| others it might give them something to think about.
|
| (yes this is a proposal *grin*).
|
see, that's another point.. an admin that installs services should always check them.
However sane the defaults we provide, there will always be things that will
not work for someone in one way or another.
Fabio
- --
Self-Service law:
The last available dish of the food you have decided to eat, will be
inevitably taken from the person in front of you.



Re: Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

2004-12-22 Thread simon
On Wed, 22 Dec 2004, Fabio Massimo Di Nitto said:

 [EMAIL PROTECTED] wrote:
 | On Wed, 22 Dec 2004, Fabio Massimo Di Nitto said:
 |
 | it's funny, 'cause both of you have made good points. thing is, i've
 | already chmodded my apache* log dirs 750 =;).
 |
 | this situation is different here though. only people allowed shell
 | access are trusted people, therefore it doesn't matter much.
 |
 | the thing about security is to layer it. the more layers you have, the
 | better.
 
 eheh see.. people here are mumbling about /var/log/apache - and talking 
 about layers,
 why do they have access to /var/log in the first place? ;)

hehe. i know - on this box i do, and one other person does. but they're
in sudoers ;).

 |
 | say an attacker breaks through one layer, there is yet another few or
 | several layers they have get through to actually do any real harm. chmod
 | 750 a log dir may or may not be a part of that. seems it's a touchy
 | subject... but privacy concerns - for both individuals and organisations
 | -  are important too.
 
 It is a very touchy argument, specially when people want more tight 
 permissions
 while others want them more relax to be able to run their favourite apache 
 log
 parser to generate stats.

yeh. i just set one up recently (a log parser). i'm basically playing
chown this to that, but chmod it to that other thing, so we balance
security and access. so i have 750, but chowned differently from the
default.

 We had a neutral position for ages to avoid to move the balance towards one
 or another side and we are not going to change it.
 
 |
 | how about: either having a short debconf question about chmod 750
 | /var/log/apache*, and asking yes or no;
 
 another debconf question would be overkilling.

too true =).

 
 ~ or, a mention in README.Debian
 | about it. an admin that wants to do that anyway will do it, and for
 | others it might give them something to think about.
 |
 | (yes this is a proposal *grin*).
 |
 
 see that's another point.. an admin that install services should always 
 check them.
 For how sane we can provide certain defaults, there will be always thing 
 that will
 not work for someone in one way or another.

*ahem* a reasonable admin ;).

 Fabio
 
 - --
 Self-Service law:
 The last available dish of the food you have decided to eat, will be
 inevitably taken from the person in front of you.

-- 
We're not talking about the same thing, he said. For you the world is
weird because if you're not bored with it you're at odds with it. For me
the world is weird because it is stupendous, awesome, mysterious,
unfathomable; my interest has been to convince you that you must accept
responsibility for being here, in this marvelous world, in this marvelous
desert, in this marvelous time.  I wanted to convince you that you must
learn to make every act count, since you are going to be here for only a
short while, in fact, too short for witnessing all the marvels of it.
-- Don Juan




Bug#286879: apache2 not starting

2004-12-22 Thread Sandra Dismar
Package: apache2-mpm-prefork
Version: 2.0.52-3

Hi. 
If you're doing an 'apt-get update' && 'apt-get upgrade' you'll get 
the following error while installing/upgrading: 
The upgrade process will hang until you terminate it manually - at 
package apache2-mpm-prefork. Even when manually starting the server you 
won't be able to get it working or anything. 
Greetings, 
Sandra




Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

2004-12-22 Thread Matt Zimmerman
On Tue, Dec 21, 2004 at 09:41:35PM +, Jan Minar wrote:

 Package: apache
 Version: 1.3.33-2
 Severity: minor
 Tags: security
 
 Hi.
 
 /var/log/apache is world-readable, so users can e.g. check whether
 certain operation triggered an error.  And given that the error strings
 are pretty standardized, they can guess what string has been added to
 the logfile, judging by the number of bytes that was appended to the
 log.
 
 As this is not very obvious to the system administrator, and as there is
 no use of /var/log/apache directory being readable and searchable while
 the files in it are not, apart from the information disclosure described
 above, I think it should be chmod-ed 750, just as the logs in it are
 chmod 640.

I don't see a scenario where this could result in a meaningful security
issue.

The user can just as easily find out that an error was caused by noticing
the 5xx error returned by the server in response to the request.



-- 
 - mdz




Bug#286941: support OpenSSL ENGINE

2004-12-22 Thread Tetsuhiro Nakane

Package: apache2
Version: 2.0.52-3
Severity: minor

I want to use apache with external crypto devices (SSL accelerator card).
To enable the openssl engine stuff,
please add --enable-rule=SSL_EXPERIMENTAL to AP2_COMMON_CONFARGS


Tetsuhiro Nakane