> Apache 2.0 currently execs cgi scripts / server side includes etc... with > file descriptors open to all access and error logs on the server and also > to a couple of internal pipes. > > This means any cgi script can muck around with all access and error logs, > read them, truncate them, overwrite them or append funny stuff. > > There is a bug in apache 2.0 that prevents closing of these internal resources > before running the cgi's. > > Thats all. And thats enough ... I'd argue that the error log *should* be available to exec'd CGIs etc. That way the STDERR of a CGI is available to the programmer for debugging purposes. Beats the hell out of printing debugging information to the webbrowser. This has been the case for all the Apache versions I'm familar with. Now error log should be opened in append only mode, such that these logs can only grow the error log, not overwrite or truncate. I do not know if this is the case. If there is more than one error log for that apache process, I'd argue that apache should close all of them except the one associated with that program (probably because of the VirtualHost it's associated with, for example.) I don't see any reason for the access log to be writeable, however, so I agree they should all be closed. If the error log (the only one that is appropriate for the exec'd program in question) is opened in append only mode, this seems to be appropriate. I think an apache directive to allow all logs to be closed would be a good one, or perhaps a flag to define close on exec when you define your log files. -- Brian Hatch So many pedestrians, Systems and so little time. Security Engineer http://www.ifokr.org/bri/ Every message PGP signed
This archive was generated by hypermail 2b30 : Tue Feb 25 2003 - 15:46:34 PST