When writing to per vhost errorlog apache uses root permissions. To provide errorlog to end user administrator can point this for exampe <virtualhost ...> errorlog /home/user/your_apache_log now user does this rm /home/user/your_apache_log ln -s /bin/sh /home/user/your_apache_log and waits for apache to restart sometimes later now nobody can't login to server now since /bin/sh has been modified by apache process. This is security issue. 1) Apache should not write to any logs using root permissions but permissions specified in httpd.conf by User and Group 2) if there is SuexecUserGroup in vhost then per-dir errorlog should be writen to using these permissions
I disagree quite strongly here. Writing the logs as root prevents an attacker whith the ability to inject code into scripts from removing evidence from the log files. Writing the logs as the same user that processes requests is really a bad idea. An option to set the user/group for log files would be nice, though, therefore marking this as enhancement bug. I am not sure that this is easy to do in a portable way, though. Changing effective uid for opening the log files may make the parent process vulnerable to attacks with ptrace on some OSs. Note that you can already do this, at the expense of two additional processes per logfile: Create a logwrapper script: #!/bin/sh set -u exec su "$1" -c "exec cat >> $2" And then use this as a piped logger: CustomLog "| /usr/local/sbin/logwrapper loguser /home/loguser/logfile" combined