398899 – www-servers/apache: /var/log/apache2 shouldn't be world readable

Bug 398899 - www-servers/apache: /var/log/apache2 shouldn't be world readable

Summary: www-servers/apache: /var/log/apache2 shouldn't be world readable

Status:	CONFIRMED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Apache Team - Bugzilla Reports

URL:
Whiteboard:
Keywords:	NeedPatch

Depends on:
Blocks:

Reported:	2012-01-14 17:20 UTC by Amadeusz Żołnowski (RETIRED)
Modified:	2021-04-28 19:18 UTC (History)
CC List:	5 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
apache-2.eclass.patch (apache-2.eclass.patch,838 bytes, patch) 2012-03-29 15:13 UTC, Gerrit Helm	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Amadeusz Żołnowski (RETIRED) gentoo-dev

2012-01-14 17:20:18 UTC

Directory and files in it are world readable. They should be rw only for apache user and ro only for apache group.

Reproducible: Always

Comment 1 Patrick Lauer gentoo-dev

2012-03-29 13:24:19 UTC

diff -u -b -B -r1.27 apache-2.eclass
--- ../eclass/apache-2.eclass   5 Mar 2012 08:20:52 -0000       1.27
+++ ../eclass/apache-2.eclass   29 Mar 2012 13:12:33 -0000
@@ -539,7 +539,7 @@
        for i in /var/lib/dav /var/log/apache2 /var/cache/apache2 ; do
                keepdir ${i}
                fowners apache:apache ${i}
-               fperms 0755 ${i}
+               fperms 0750 ${i}
        done
 }

Does that adequately fix it?

Comment 2 Gerrit Helm 2012-03-29 14:23:44 UTC

Yes.. new directories (e.G. /var/log/apache2) get perm 750, existing directories permissions stay the same as before.

Is this a 'desired behaviour' of portage fperms helper-script?

Comment 3 Gerrit Helm 2012-03-29 15:13:13 UTC

Created attachment 307099 [details, diff]
apache-2.eclass.patch

Comment 4 Gerrit Helm 2012-03-29 15:15:06 UTC

ah.. fperms is called in src_install and prepends ${D} by default.
Added a small pkg_postinst routine in my patch to fix existing dirs.

@Patrick
Do you think this will break a thing or two somewhere or can we apply it to portage?

Kind Regards

Comment 5 Patrick Lauer gentoo-dev

2012-03-29 15:30:24 UTC

+  29 Mar 2012; Patrick Lauer <patrick@gentoo.org> apache-2.eclass:
+  Sanitizing directory permissions #398899

Comment 6 Hanno Böck gentoo-dev

2012-10-17 08:50:24 UTC

Sorry, but this is not a solution at all, it breaks existing installations.

I have various user-dirs in /var/log/apache2 and thus the x-flag for all on it. This now breaks everytime apache get's re-merged and with its current implementation there's no way for me to prevent this except maintaining my own local apache ebuild and eclass.
It's okay to set the default to 0750, but when the user sets something otherwise, it shouldn't be enforced by a re-installation.

Comment 7 Christian Ruppert (idl0r) gentoo-dev

2012-10-17 17:39:34 UTC

It sounds like chmod was used, try fowners and in src_install and the user permissions should be kept actually. That's what I do in BIND.

Comment 8 Hanno Böck gentoo-dev

2013-03-08 10:23:49 UTC

As nobody seems to care, I'll undo this now. It breaks for me every time I update my apache servers.

If anyone thinks its still necessary to fix old installations, I'd propose echoing a warning. But messing with user-set permissions is no option.

Comment 9 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2015-11-04 13:55:43 UTC

If anyone has an idea how to solve this while making everyone happy, please speak up.

Comment 10 Amadeusz Żołnowski (RETIRED) gentoo-dev

2017-05-28 14:22:50 UTC

> I'd propose echoing a warning. But messing with user-set permissions is no option.

That's sounds like a reasonable approach. Just check whether directory is world accessible and issue warning in this case.

Comment 11 Michał Górny archtester

2018-02-07 17:58:56 UTC

(no clue why proxy-maint is in CC, removing)