Ondrej Suchy wrote:
>
> Hi all.
> Sorry if this was already mentioned, but ...
>
> Apache SSL server has similar symlink problem as updatedb (and thousands
> of other programs).
> I don't know about the other versions, but at least ssl 1.13 patch for
> apache 1.2.5 contains following line in default configuration:
> SSLLogFile /tmp/ssl.log
> which makes httpsd log its activity to that file. Any file can be
> linked to /tmp/ssl.log and httpsd will happily append something like
> "CIPHER is blah-blah" to it.
> I could not make it to root access, but I can't say it's impossible.
> (Maybe through .rhosts?)
>
> Note that this problem is not affected by setting the User and Group
> directives in the configuration to nobody or other unprivileged user,
> since httpd often starts as root, writes to log files and THEN changes
> its uid.
>
> (There is probably the same problem with /tmp/ssldebug log file, I
> didn't test it.)

The /tmp/ssldebug file is not created if you use an up-to-date version
of SSLeay (i.e. v 0.8.x). However, as a precaution, I will comment it
out for future versions.

/tmp/ssl.log may be a risk - I will document it as such for future
versions, but I'd note that the example config (which is _not_ a default
config) will not generally work on any system except mine, so this
directive would only be included in a real config if included by the
sysadmin.

Thanks for the report. It would've been courteous to let me do something
about it before posting to a public forum, though.

Cheers,

Ben.

--
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: benat_private     |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache
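
The report quoted above describes a daemon that starts as root and appends to whatever /tmp/ssl.log points at. The following is an added example, not part of the original thread and not Apache-SSL code, of a log open that refuses a symlinked path; the function names and the scratch directory are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns an append-mode fd, or -1 if the path is a
 * symlink, not a regular file, multiply hard-linked, or owned by someone else. */
int open_log_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;              /* ELOOP on Linux when the last component is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: "ssl.log" in a scratch directory is a symlink to
 * "victim". Returns 1 if the open is refused and victim stays empty. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/logdemoXXXXXX", victim[64], link_path[64];
    struct stat st;
    int fd, refused, ok_fd;

    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link_path, sizeof link_path, "%s/ssl.log", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(victim, link_path) != 0)
        return -1;
    close(fd);

    refused = (open_log_nofollow(link_path) == -1 && errno == ELOOP);
    ok_fd = open_log_nofollow(victim);          /* a plain file is accepted */
    if (ok_fd >= 0)
        close(ok_fd);
    stat(victim, &st);
    unlink(link_path); unlink(victim); rmdir(dir);
    return refused && ok_fd >= 0 && st.st_size == 0;
}
```

O_NOFOLLOW only guards the final path component, so the check does not help if a parent directory can be replaced. Keeping the log in a directory writable only by root avoids the problem at its source.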