From: brian Date: Fri, 10 Jan 1997 08:24:03 +0000 (+0000) Subject: Reviewed by: Chuck Murcko, Brian Behlendorf X-Git-Tag: APACHE_1_2b5~9 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c09109559c1e775c8a46bc7b273906594abc45f1;p=apache Reviewed by: Chuck Murcko, Brian Behlendorf Submitted by: Marc Slemko Added documentation about security concerns with logging in Apache 1.2. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@77404 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/invoking.html b/docs/manual/invoking.html index 4a594d3577..927674aab4 100644 --- a/docs/manual/invoking.html +++ b/docs/manual/invoking.html @@ -80,6 +80,13 @@ is set by the TypesConfig directive, and is conf/mime.types by default.

Log files

+

security warning

+Anyone who can write to the directory where Apache is writing a +log file can almost certainly gain access to the uid that the server is +started as, which is normally root. Do NOT give people write +access to the directory the logs are stored in without being aware of +the consequences; see the security tips +document for details.

pid file

On daemon startup, it saves the process id of the parent httpd process to the file logs/httpd.pid. This filename can be changed with the diff --git a/docs/manual/invoking.html.en b/docs/manual/invoking.html.en index 4a594d3577..927674aab4 100644 --- a/docs/manual/invoking.html.en +++ b/docs/manual/invoking.html.en @@ -80,6 +80,13 @@ is set by the TypesConfig directive, and is conf/mime.types by default.

Log files

+

security warning

+Anyone who can write to the directory where Apache is writing a +log file can almost certainly gain access to the uid that the server is +started as, which is normally root. Do NOT give people write +access to the directory the logs are stored in without being aware of +the consequences; see the security tips +document for details.

pid file

On daemon startup, it saves the process id of the parent httpd process to the file logs/httpd.pid. This filename can be changed with the diff --git a/docs/manual/misc/security_tips.html b/docs/manual/misc/security_tips.html index f6060dc55a..86399e756f 100644 --- a/docs/manual/misc/security_tips.html +++ b/docs/manual/misc/security_tips.html @@ -15,6 +15,18 @@ the suggestions will be general, other, specific to Apache
+

Permissions on Log File Directories

+

When Apache starts, it opens the log files as the user who started the +server before switching to the user defined in the +User directive. Anyone who +has write permission for the directory where any log files are +being written to can append pseudo-arbitrary data to any file on the +system which is writable to the user who starts Apache. Since the +server is normally started by root, you should NOT give anyone +write permission to the directory where logs are stored unless you +want them to have root access. +

+


Server Side Includes

Server side includes (SSI) can be configured so that users can execute arbitrary programs on the server. That thought alone should send a shiver @@ -54,15 +66,16 @@ or your ability to spot potential security holes in CGI, whether they were deliberate or accidental.

All the CGI scripts will run as the same user, so they have potential to -conflict (accidentally or deliberately) with other scripts e.g. User A hates -User B, so he writes a script to trash User B's CGI database.

+conflict (accidentally or deliberately) with other scripts e.g. +User A hates User B, so he writes a script to trash User B's CGI +database. One program which can be used to allow scripts to run +as different users is suEXEC which is +included with Apache as of 1.2 and is called from special hooks in +the Apache server code. Another popular way of doing this is with +CGIWrap.


-Please send any other useful security tips to -apache-bugs@mail.apache.org -

-


Stopping users overriding system wide settings...

To run a really tight ship, you'll want to stop users from setting @@ -85,6 +98,12 @@ Then setup for specific directories

This stops all overrides, Includes and accesses in all directories apart from those named.

+


+

Please send any other useful security tips to +apache-bugs@mail.apache.org +

+


+ diff --git a/docs/manual/mod/core.html b/docs/manual/mod/core.html index 3fad759f2f..a2b6bd2e73 100644 --- a/docs/manual/mod/core.html +++ b/docs/manual/mod/core.html @@ -391,7 +391,14 @@ any errors it encounters. If the filename does not begin with a slash (/) then it is assumed to be relative to the ServerRoot. Example:
ErrorLog /dev/null
-This effectively turns off error logging.


+This effectively turns off error logging.

+ +SECURITY: See the security tips +document for details on why your security could be compromised if +the directory where logfiles are stored is writable by anyone other +than the user that starts the server. + +


<Files>

Syntax: <Files filename> @@ -1214,6 +1221,11 @@ then this can be accomplished with the ifconfig alias command (if your OS supports it), or with kernel patches like VIF (for SunOS(TM) 4.1.x)).

+SECURITY: See the security tips +document for details on why your security could be compromised if +the directory where logfiles are stored is writable by anyone other +than the user that starts the server. +

See also: Information on Virtual Hosts. (multihome)
diff --git a/docs/manual/mod/mod_log_agent.html b/docs/manual/mod/mod_log_agent.html index 5eb790c804..69fc33f7df 100644 --- a/docs/manual/mod/mod_log_agent.html +++ b/docs/manual/mod/mod_log_agent.html @@ -40,6 +40,12 @@ the AgentLog from the main server. run under the user who started httpd. This will be root if the server was started by root; be sure that the program is secure.

+Security: See the security tips document for +details on why your security could be compromised if the directory +where logfiles are stored is writable by anyone other than the user +that starts the server.

+ This directive is provided for compatibility with NCSA 1.4.

diff --git a/docs/manual/mod/mod_log_config.html b/docs/manual/mod/mod_log_config.html index 98f37f6c35..de210647be 100644 --- a/docs/manual/mod/mod_log_config.html +++ b/docs/manual/mod/mod_log_config.html @@ -162,6 +162,13 @@ within its definition, not in any of the main server's log files. See the examples below.

+

Security Considerations

+ +See the security tips document +for details on why your security could be compromised if the directory +where logfiles are stored is writable by anyone other than the user +that starts the server. +

Directives
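Review bot: In the "Log files" hunk of docs/manual/invoking.html (and the identical hunk in invoking.html.en), the warning says write access to the log directory lets someone "gain access to the uid that the server is started as" but gives no reason, so the reader has to follow the link to learn why. One sentence of cause would help here, matching the security_tips.html text: the log files are opened as the user who started the server, before the switch to the user named in the User directive. The pid file described in the context lines right after the warning is written to logs/httpd.pid at startup, so it is worth stating whether the warning covers that file as well.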
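Review bot: The last sentence of the new "Permissions on Log File Directories" section in docs/manual/misc/security_tips.html says "you should NOT give anyone write permission", which is broader than the wording the core.html, mod_log_agent.html and mod_log_config.html hunks use ("writable by anyone other than the user that starts the server"). Suggest using the precise form here too and stating the positive rule, namely that the log directory should be writable only by the user that starts the server. "pseudo-arbitrary data" also needs a short gloss, since the text does not say which part of the appended data the writer controls.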
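Review bot: The CGI hunk in security_tips.html (@@ -54,15 +66,16) adds the suEXEC and CGIWrap paragraph and removes the "Please send any other useful security tips" footer, which the @@ -85,6 +98,12 hunk re-adds at the end of the file; neither change is covered by the commit message, which only mentions logging. Suggest naming both in the log message or splitting them into their own commit so the logging change can be reviewed and reverted on its own. In the new paragraph, "One program which can be used to allow scripts to run as different users is suEXEC which is included" wants a comma before "which".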
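Review bot: The second core.html hunk (@@ -1214,6 +1221,11) places the log directory note in a passage whose context lines are about the ifconfig alias command and virtual hosts, with no log directive nearby, so the reader is not told why it applies there. Suggest adding a clause saying which log files are meant at that point, or dropping the note from that section. The label is also inconsistent across the patch: "SECURITY:" in core.html, "Security:" in mod_log_agent.html, and a "Security Considerations" heading in mod_log_config.html; pick one form and use it in all four places.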