Bug 55068

Summary: root permissions when writing to per vhosts errorlog (security)
Product: Apache httpd-2 Reporter: jan <naox>
Component: CoreAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: enhancement    
Priority: P2    
Version: 2.4.4   
Target Milestone: ---   
Hardware: PC   
OS: Linux   

Description jan 2013-06-06 19:03:54 UTC 
When writing to per vhost errorlog apache uses root permissions. To provide errorlog to end user administrator can point this for exampe
<virtualhost ...>
errorlog /home/user/your_apache_log

now user does this
rm /home/user/your_apache_log
ln -s /bin/sh /home/user/your_apache_log
and waits for apache to restart sometimes later

now nobody can't login to server now since /bin/sh has been modified by apache process. This is security issue.

1) Apache should not write to any logs using root permissions but permissions specified in httpd.conf by User and Group
2) if there is SuexecUserGroup in vhost then per-dir errorlog should be writen to using these permissions
Comment 1 Stefan Fritsch 2013-06-09 08:43:42 UTC 
I disagree quite strongly here. Writing the logs as root prevents an attacker whith the ability to inject code into scripts from removing evidence from the log files. Writing the logs as the same user that processes requests is really a bad idea.

An option to set the user/group for log files would be nice, though, therefore marking this as enhancement bug. I am not sure that this is easy to do in a portable way, though. Changing effective uid for opening the log files may make the parent process vulnerable to attacks with ptrace on some OSs.


Note that you can already do this, at the expense of two additional processes per logfile:

Create a logwrapper script:

#!/bin/sh
set -u
exec su "$1" -c "exec cat >> $2"


And then use this as a piped logger:

CustomLog "| /usr/local/sbin/logwrapper loguser /home/loguser/logfile" combined