This site is now 100% read-only, and retired.

Apache log files - per site log files

Posted by simonw on Wed 30 Nov 2005 at 16:44

I want to hand out Apache access log files to hosted customers on a shared server for measurement purposes, at least weekly. I also want them to have access to "error.log" in near real time.

Looking at Debian Sarge Apache2 log files are created "root adm rw-r-----" when Apache2 runs as "www-data www-data", I assume thus it writing to them from the one Apache2 task listed as "root"?

The security docs say I mustn't allow customers "write" to the directory the log files are in, so I suspect I must use some keen permissions (or symbolic links) so the directory appears as "~/.logs" but isn't writable.

Whilst I can see a relatively simple solution with a "chmod" on the logrotate scripts, and a mess of symbolic links, I get the feeling I'm solving a problem solved a million times before (well many thousands of times).

Server doesn't have so many sites that I'm "that" worried about file handles.

split-logfile is too simple, as it doesn't seem to handle "ServerAlias"

Is there an elegant solution before I create my less than elegant solution?

Can Apache be told to change its default log file permissions, or do I hack a umask into the startup script?

 

 


Re: Apache log files - per site log files
Posted by Steve (82.41.xx.xx) on Wed 30 Nov 2005 at 17:11
[ View Weblogs ]

Personally I'd just tweak the permissions in the log rotation script.

Steve

[ Parent ]

Re: Apache log files - per site log files
Posted by simonw (84.45.xx.xx) on Wed 30 Nov 2005 at 18:18
[ View Weblogs ]
Correct!

I found that after posting, the ownership and permissions are defined in /etc/logrotate.d/apache2

However I still don't see the elegant way of having the logs in the customers directory, because they are written as root, the symlink to an important file thing could happen. Perhaps I'll test it, and see how stupid Apache2 is.

I'm leaning to putting a ".htpasswd" in "/var/log/apache2/$ServerName", and letting them get the logs via authenticated HTTP, seems a lot safer all round, if a tad recursive in nature.

The basics of the problem remaining are;

1) we let users FTP to "/home/$username", chrooted, and they see their site as under "/"
2) we allow some users to put their own CGI scripts (bad karma).
3) we'd like to put the log files in the ftp space.
4) "/home/$username" is writable by $username.

So whereever we put the logs there is a potential of them creating a symlink via CGI, and blatting an important file with the Apache log.

The simple elegant solution is to have "logs" and "public_html" in home, and remove write permissions from "/home/$username" and "/home/$username/logs" (and chown root:adm logs; chmod 1755 logs for paranoias sake).

The other elegant solution is write to "~/.access.log" and "~/.error.log", chown, and set the sticky bit on ~, but some users do have Apache create content in there home directory (I know, more bad karma, but it happens) and like to be able to change that via ftp as well. If we could persuade them to pay us to save them from themselves....

But we'd have to reeducate people, and the trouble we had teaching them what the "directory" setting in Dreamweaver does.... Why is Dreamweaver so bad at FTP?

Of course I could have ignored the security problem, no one would probably ever notice, especially if I chown'ed and chmod ".logs" to make it look more secure, but I like to try and understand these things properly.

[ Parent ]

Re: Apache log files - per site log files
Posted by Anonymous (80.143.xx.xx) on Wed 30 Nov 2005 at 18:33
I've just set up the following skeleton directory on one of our new servers:

drwxr-s--- 4 root vhosts skel/
drwxr-s--- 4 root vhosts skel/www
drwxrws--- 2 root vhosts skel/www/htdocs
-rw-r--r-- 1 root vhosts skel/www/htdocs/_disabled.php
drwxr-s--- 2 root vhosts skel/www/logs
drwxrwsr-x 2 root vhosts skel/mailboxes

This directory allow me to "cp -a skel www.example.com" in /home/vhosts. As you can see the logs directory is owned be root and has the "s" (sticky?) bit set. That way all files created in that directory will keep the group vhosts.

Since only root has write access people are not able to delete the files in there, but read them.

So far it seems to work fine.

Balu
PS: The "_disabled.php" is some kind of placeholder file (added to Apaches DirectoryIndex option) and is used to display "created for customer ABC".

[ Parent ]

Re: Apache log files - per site log files
Posted by Anonymous (82.67.xx.xx) on Wed 30 Nov 2005 at 19:31
vlogger is your friend (debian package available)

[ Parent ]

Re: Apache log files - per site log files
Posted by Anonymous (193.195.xx.xx) on Thu 1 Dec 2005 at 09:24
Yes, definitely vlogger.

[ Parent ]

Re: Apache log files - per site log files
Posted by xrat (193.80.xx.xx) on Thu 1 Dec 2005 at 09:56
I am afraid I can only speak for Apache 1.3.x. There, for a limited number of virtual hosts, I simply use
<virtualhost>
...
ErrorLog /home/(userslogin)/(somedir)/(vhost)-error_log
CustomLog /home/(userslogin)/(somedir)/(vhost)-access_log combined
</virtualhost>
If you create the 2 files before reloading apache's configuration and if your (customized) logrotation takes care of permissions and ownership you should be fine.

I guess that this applies to Apache 2.x, too. Or am I missing something?

[ Parent ]

Re: Apache log files - per site log files
Posted by simonw (212.24.xx.xx) on Thu 1 Dec 2005 at 11:18
[ View Weblogs ]
Okay lets describe the problem in more detail.

Create a typical scenario, lets make it harder by setting sticky bits,
and ensure logs directory is owned by root.

# - root prompt
$ - not root

su -
#cd ~simon
#mkdir logs
#chmod 1755 logs
#touch logs/access.log
# ls -l logs/access.log
-rw-r--r-- 1 root root 0 Dec 1 10:34 logs/access.log

Repeat for error log.
Configure apache as appropriate.

But since "simon" has write permissions to "/home/simon"
he can rename files and directories in "/home/simon".

su - simon
$rm -rf logs
rm: cannot remove `logs/access.log': Permission denied
$mv logs logs.old

Okay we have got rid of all those irritating permissions.

Then as "simon" or as "www-data" e.g. a CGI script could be uploaded to "system("ln -s ...") if you allow arbitary CGI scripts.

$mkdir logs
$cd logs
$ ln -s /etc/demo error.log

#apache2ctl restart
#ls -l /etc/demo
-rw-r--r-- 1 root root 0 Dec 1 10:56 /etc/demo

We've just create a file, but could equally
have overwritten an important file.

This allows a user with a password, or if "logs" is insecure, a CGI
vulnerability to write, or truncate arbitary files owned by root.
I didn't check to see if it will overwrite files with "read" file
permissions but...

Obviously we could "deny service" or set some nasty problems...
ln -s /etc/passwd error.log
Or hosts.deny, or ftpusers, or even /boot/grub/menu.lst.

But typically the "bad guys" will know how to use this kind of weakness
to acquire root privileges, because that is what they do.

It isn't a big hole in the scheme of Linux security, it isn't typically a remote root exploit, unless "logs" is writable by "www-data", but I think you are missing something.

vlogger does seem to address my needs, although I need to check if it can be made to do precisely what we want.

[ Parent ]

Re: Apache log files - per site log files
Posted by xrat (128.130.xx.xx) on Thu 1 Dec 2005 at 12:10
Oops, you are asking about security. Sorry.
OK, my users' logs have permissions 0600 in a directory with 0700 permissions, all owned by the users. There are only a few, and, yes, I do trust local users. You are right, with my settings they can do a ln -s /etc/somefile access.log. I would not tolerate this possibility on a bigger host with untrusted users.

In my setting, I think I could overcome this issue by checking that log files exist and are regular files prior to starting apache (and when rotating).

[ Parent ]

Re: Apache log files - per site log files
Posted by Anonymous (80.62.xx.xx) on Tue 13 Dec 2005 at 16:36
[snot@dhcppc3 /home/snot]$ tail /usr/local/apache2/conf/httpd.conf
</virtualhost>

<virtualhost *:80>
ServerName stue106.woosah.org
ServerAlias *.stue106.woosah.org
DocumentRoot /home/stue106/public_html
CustomLog /home/stue106/logs/access.log combined
ErrorLog /home/stue106/logs/error.log
</virtualhost>


The above is what I use on a old rh box along with mod_user.
I'll stress that I'm the only one using this server. I'm not sure if there are any security risks if you have untrusted users accessing your box. However I'd love to know about any thoughts you have on the subject. Either leave a comment here or find me at irc.quakenet.org under the nick snot

best regards

[ Parent ]

Re: Apache log files - per site log files
Posted by Anonymous (86.16.xx.xx) on Tue 24 Jun 2008 at 22:23
what is the difference between apache log file and Modsecurity log file

[ Parent ]

Re: Apache log files - per site log files
Posted by Anonymous (119.154.xx.xx) on Mon 12 Mar 2012 at 08:19
I want to clean rough data from the apache access log file using java. would anyone will help me to solve this problem

[ Parent ]