Bug 55068 - root permissions when writing to per vhosts errorlog (security)
Summary: root permissions when writing to per vhosts errorlog (security)
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core (show other bugs)
Version: 2.4.4
Hardware: PC Linux
: P2 enhancement (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2013-06-06 19:03 UTC by jan
Modified: 2013-06-09 08:43 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description jan 2013-06-06 19:03:54 UTC
When writing to per vhost errorlog apache uses root permissions. To provide errorlog to end user administrator can point this for exampe
<virtualhost ...>
errorlog /home/user/your_apache_log

now user does this
rm /home/user/your_apache_log
ln -s /bin/sh /home/user/your_apache_log
and waits for apache to restart sometimes later

now nobody can't login to server now since /bin/sh has been modified by apache process. This is security issue.

1) Apache should not write to any logs using root permissions but permissions specified in httpd.conf by User and Group
2) if there is SuexecUserGroup in vhost then per-dir errorlog should be writen to using these permissions
Comment 1 Stefan Fritsch 2013-06-09 08:43:42 UTC
I disagree quite strongly here. Writing the logs as root prevents an attacker whith the ability to inject code into scripts from removing evidence from the log files. Writing the logs as the same user that processes requests is really a bad idea.

An option to set the user/group for log files would be nice, though, therefore marking this as enhancement bug. I am not sure that this is easy to do in a portable way, though. Changing effective uid for opening the log files may make the parent process vulnerable to attacks with ptrace on some OSs.

Note that you can already do this, at the expense of two additional processes per logfile:

Create a logwrapper script:

set -u
exec su "$1" -c "exec cat >> $2"

And then use this as a piped logger:

CustomLog "| /usr/local/sbin/logwrapper loguser /home/loguser/logfile" combined