Processed: Re: Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

2004-12-22 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> tag 286740 - security
Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)
Tags were: security
Tags removed: security

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)




Re: Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

2004-12-22 Thread simon
On Wed, 22 Dec 2004, Fabio Massimo Di Nitto said:

> [EMAIL PROTECTED] wrote:
> | On Wed, Dec 22, 2004 at 11:44:54AM +0100, Fabio Massimo Di Nitto wrote:
> |

it's funny, 'cause both of you have made good points. thing is, i've
already chmodded my apache* log dirs 750 =;). 

this situation is different here though. only people allowed shell
access are trusted people, therefore it doesn't matter much. 

the thing about security is to layer it. the more layers you have, the
better.

say an attacker breaks through one layer, there is yet another few or
several layers they have to get through to actually do any real harm. chmod
750 a log dir may or may not be a part of that. seems it's a touchy
subject... but privacy concerns - for both individuals and organisations
- are important too.

how about: either having a short debconf question about chmod 750
/var/log/apache*, and asking yes or no; or, a mention in README.Debian
about it. an admin that wants to do that anyway will do it, and for
others it might give them something to think about. 

(yes this is a proposal *grin*).

-- 
 ,''`.   http://www.debian.org/  GPG Print: 7C49 FD9C 1054 7300 3B7B
 : :' :  Debian GNU/Linux   8BF4 6A88 7AE2 711D F097
 '
   `-




Re: Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

2004-12-22 Thread Fabio Massimo Di Nitto
[EMAIL PROTECTED] wrote:
| On Wed, 22 Dec 2004, Fabio Massimo Di Nitto said:
|
|[EMAIL PROTECTED] wrote:
|| On Wed, Dec 22, 2004 at 11:44:54AM +0100, Fabio Massimo Di Nitto wrote:
||
|
| it's funny, 'cause both of you have made good points. thing is, i've
| already chmodded my apache* log dirs 750 =;).
|
| this situation is different here though. only people allowed shell
| access are trusted people, therefore it doesn't matter much.
|
| the thing about security is to layer it. the more layers you have, the
| better.
eheh see.. people here are mumbling about /var/log/apache - and talking about
layers, why do they have access to /var/log in the first place? ;)
|
| say an attacker breaks through one layer, there is yet another few or
| several layers they have to get through to actually do any real harm. chmod
| 750 a log dir may or may not be a part of that. seems it's a touchy
| subject... but privacy concerns - for both individuals and organisations
| -  are important too.
It is a very touchy argument, especially when people want more tight permissions
while others want them more relaxed to be able to run their favourite apache log
parser to generate stats.
We had a neutral position for ages to avoid moving the balance towards one
or another side and we are not going to change it.
|
| how about: either having a short debconf question about chmod 750
| /var/log/apache*, and asking yes or no;
another debconf question would be overkill.
| or, a mention in README.Debian
| about it. an admin that wants to do that anyway will do it, and for
| others it might give them something to think about.
|
| (yes this is a proposal *grin*).
|
see that's another point.. an admin that installs services should always check
them.
However sane the defaults we can provide, there will always be things that
will not work for someone in one way or another.
Fabio
-- 
Self-Service law:
The last available dish of the food you have decided to eat, will be
inevitably taken from the person in front of you.



Re: Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

2004-12-22 Thread simon
On Wed, 22 Dec 2004, Fabio Massimo Di Nitto said:

> [EMAIL PROTECTED] wrote:
> | On Wed, 22 Dec 2004, Fabio Massimo Di Nitto said:
> |
> | it's funny, 'cause both of you have made good points. thing is, i've
> | already chmodded my apache* log dirs 750 =;).
> |
> | this situation is different here though. only people allowed shell
> | access are trusted people, therefore it doesn't matter much.
> |
> | the thing about security is to layer it. the more layers you have, the
> | better.
>
> eheh see.. people here are mumbling about /var/log/apache - and talking
> about layers,
> why do they have access to /var/log in the first place? ;)

hehe. i know - on this box i do, and one other person does. but they're
in sudoers ;).

> |
> | say an attacker breaks through one layer, there is yet another few or
> | several layers they have to get through to actually do any real harm. chmod
> | 750 a log dir may or may not be a part of that. seems it's a touchy
> | subject... but privacy concerns - for both individuals and organisations
> | -  are important too.
>
> It is a very touchy argument, especially when people want more tight
> permissions while others want them more relaxed to be able to run their
> favourite apache log parser to generate stats.

yeh. i just set one up recently (log parser). i'm basically playing
chown this to that, but chmod it to that other thing, so we balance
security and access. so i have 750, but chmoded differently from the
default.

> We had a neutral position for ages to avoid moving the balance towards one
> or another side and we are not going to change it.
>
> |
> | how about: either having a short debconf question about chmod 750
> | /var/log/apache*, and asking yes or no;
>
> another debconf question would be overkill.

too true =).

 
> | or, a mention in README.Debian
> | about it. an admin that wants to do that anyway will do it, and for
> | others it might give them something to think about.
> |
> | (yes this is a proposal *grin*).
> |
>
> see that's another point.. an admin that installs services should always
> check them.
> However sane the defaults we can provide, there will always be things
> that will not work for someone in one way or another.

*ahem* a reasonable admin ;).

> Fabio
 

-- 
We're not talking about the same thing, he said. For you the world is
weird because if you're not bored with it you're at odds with it. For me
the world is weird because it is stupendous, awesome, mysterious,
unfathomable; my interest has been to convince you that you must accept
responsibility for being here, in this marvelous world, in this marvelous
desert, in this marvelous time.  I wanted to convince you that you must
learn to make every act count, since you are going to be here for only a
short while, in fact, too short for witnessing all the marvels of it.
-- Don Juan
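
Added example (not part of the thread and not code from the Debian apache package): a POSIX shell check for the mismatch this bug is about, a log directory open to "other" users while the log files inside are not, followed by the chmod 750 discussed above. The function names and the temporary sample tree are constructed for illustration; the optional group argument is an assumption standing in for whatever group a log parser runs under.

```shell
#!/bin/sh
# Added example: compare a log directory's "other" permissions with its files.

# Print which of r/w/x the given path grants to "other".
other_bits() {
    bits=""
    for pair in 4:r 2:w 1:x; do
        # find -perm -MODE matches when every bit in MODE is set (POSIX).
        if [ -n "$(find "$1" -prune -perm "-00${pair%%:*}")" ]; then
            bits="$bits${pair#*:}"
        fi
    done
    printf '%s' "$bits"
}

# Return 1 when the directory is open to "other" users.
audit_log_dir() {
    dir_other=$(other_bits "$1")
    if [ -z "$dir_other" ]; then
        echo "ok: $1 grants nothing to other"
        return 0
    fi
    # Files closed to "other" still expose name, size and mtime via the dir.
    closed=$(find "$1" -type f ! -perm -004 | wc -l | tr -d ' ')
    echo "loose: $1 grants '$dir_other' to other; $closed non-world-readable file(s) reachable"
    return 1
}

# Apply the 750 mode from the thread; optional group (assumed) for a log parser.
harden_log_dir() {
    if [ -n "${2:-}" ]; then
        chgrp "$2" "$1"
    fi
    chmod 750 "$1"
}

# Constructed sample tree standing in for /var/log/apache*.
demo=$(mktemp -d)
mkdir "$demo/apache" && chmod 755 "$demo/apache"
: > "$demo/apache/access.log" && chmod 640 "$demo/apache/access.log"
audit_log_dir "$demo/apache" || harden_log_dir "$demo/apache"
audit_log_dir "$demo/apache"
rm -rf "$demo"
```
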

