Bug 398899 - www-servers/apache: /var/log/apache2 shouldn't be world readable
Summary: www-servers/apache: /var/log/apache2 shouldn't be world readable
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Apache Team - Bugzilla Reports
URL:
Whiteboard:
Keywords: NeedPatch
Depends on:
Blocks:
 
Reported: 2012-01-14 17:20 UTC by Amadeusz Żołnowski (RETIRED)
Modified: 2021-04-28 19:18 UTC
CC: 5 users

See Also:
Package list:
Runtime testing required: ---


Attachments
apache-2.eclass.patch (apache-2.eclass.patch,838 bytes, patch)
2012-03-29 15:13 UTC, Gerrit Helm

Description Amadeusz Żołnowski (RETIRED) gentoo-dev 2012-01-14 17:20:18 UTC
Directory and files in it are world readable. They should be rw only for apache user and ro only for apache group.

Reproducible: Always
Comment 1 Patrick Lauer gentoo-dev 2012-03-29 13:24:19 UTC
diff -u -b -B -r1.27 apache-2.eclass
--- ../eclass/apache-2.eclass   5 Mar 2012 08:20:52 -0000       1.27
+++ ../eclass/apache-2.eclass   29 Mar 2012 13:12:33 -0000
@@ -539,7 +539,7 @@
        for i in /var/lib/dav /var/log/apache2 /var/cache/apache2 ; do
                keepdir ${i}
                fowners apache:apache ${i}
-               fperms 0755 ${i}
+               fperms 0750 ${i}
        done
 }
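Review bot: fperms acts on the install image under ${D}, so switching `fperms 0755 ${i}` to `fperms 0750 ${i}` only affects directories this merge creates; a /var/log/apache2 that already exists on the live system keeps whatever mode it has, so the reported case on existing installs is not covered unless pkg_postinst handles it as well. Note also that the loop tightens /var/lib/dav and /var/cache/apache2 together with /var/log/apache2, which is the only directory the bug names; confirm that is intended, since with `fowners apache:apache ${i}` and 0750 only the apache user and group retain access to all three.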

Does that adequately fix it?
Comment 2 Gerrit Helm 2012-03-29 14:23:44 UTC
Yes.. new directories (e.g. /var/log/apache2) get perm 750, existing directories' permissions stay the same as before.

Is this a 'desired behaviour' of the portage fperms helper script?
Comment 3 Gerrit Helm 2012-03-29 15:13:13 UTC
Created attachment 307099 [details, diff]
apache-2.eclass.patch
Comment 4 Gerrit Helm 2012-03-29 15:15:06 UTC
ah.. fperms is called in src_install and prepends ${D} by default.
Added a small pkg_postinst routine in my patch to fix existing dirs.

@Patrick
Do you think this will break a thing or two somewhere or can we apply it to portage?

Kind Regards
Comment 5 Patrick Lauer gentoo-dev 2012-03-29 15:30:24 UTC
+  29 Mar 2012; Patrick Lauer <patrick@gentoo.org> apache-2.eclass:
+  Sanitizing directory permissions #398899
Comment 6 Hanno Böck gentoo-dev 2012-10-17 08:50:24 UTC
Sorry, but this is not a solution at all, it breaks existing installations.

I have various user-dirs in /var/log/apache2 and thus the x-flag for all on it. This now breaks every time apache gets re-merged and with its current implementation there's no way for me to prevent this except maintaining my own local apache ebuild and eclass.
It's okay to set the default to 0750, but when the user sets something otherwise, it shouldn't be enforced by a re-installation.
Comment 7 Christian Ruppert (idl0r) gentoo-dev 2012-10-17 17:39:34 UTC
It sounds like chmod was used, try fowners and in src_install and the user permissions should be kept actually. That's what I do in BIND.
Comment 8 Hanno Böck gentoo-dev 2013-03-08 10:23:49 UTC
As nobody seems to care, I'll undo this now. It breaks for me every time I update my apache servers.

If anyone thinks it's still necessary to fix old installations, I'd propose echoing a warning. But messing with user-set permissions is no option.
Comment 9 Lars Wendler (Polynomial-C) gentoo-dev 2015-11-04 13:55:43 UTC
If anyone has an idea how to solve this while making everyone happy, please speak up.
Comment 10 Amadeusz Żołnowski (RETIRED) gentoo-dev 2017-05-28 14:22:50 UTC
> I'd propose echoing a warning. But messing with user-set permissions is no option.

That sounds like a reasonable approach. Just check whether the directory is world accessible and issue a warning in this case.
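The warn-only check proposed in comments 8 and 10, written out as an added example. This is not the attached patch, not the apache-2.eclass and not Gentoo's code; the function names (warn, dir_world_accessible, apache_dir_perms_check), the APACHE_WORLD_ACCESSIBLE_DIRS variable and the --check flag are this example's own. It assumes GNU/busybox stat with -c '%a' and, under portage, the ewarn helper and ROOT variable; stand-alone it falls back to stderr and /. Unlike the applied eclass change, it never chmods anything, so the permissions a user set on an existing /var/log/apache2 survive a re-merge.

```shell
# Added example: pkg_postinst-style check that warns about world-accessible
# Apache directories instead of forcing 0750 on them.

# Emit a warning through the ebuild helper when running under portage,
# otherwise to stderr so the script also runs stand-alone.
warn() {
    if type ewarn >/dev/null 2>&1; then
        ewarn "$*"
    else
        echo "WARNING: $*" >&2
    fi
}

# Exit 0 if DIR grants any r/w/x bit to "other", 1 if it does not,
# 2 if DIR is missing. Uses stat -c '%a' (GNU coreutils, as on Gentoo).
dir_world_accessible() {
    local dir mode other
    dir="$1"
    [ -d "$dir" ] || return 2
    mode=$(stat -c '%a' "$dir") || return 2
    # The last octal digit is the "other" class (750 -> 0, 755 -> 5).
    other="${mode#"${mode%?}"}"
    [ "$other" != "0" ]
}

# Check the directories the eclass creates (or those given as arguments),
# warn about each world-accessible one and record it in
# APACHE_WORLD_ACCESSIBLE_DIRS. Never changes permissions; always exits 0
# so a noisy check cannot fail pkg_postinst.
apache_dir_perms_check() {
    local root d
    APACHE_WORLD_ACCESSIBLE_DIRS=""
    if [ "$#" -eq 0 ]; then
        # ROOT is set by portage during pkg_postinst; default to / stand-alone.
        root="${ROOT:-/}"
        set -- "${root%/}/var/lib/dav" "${root%/}/var/log/apache2" \
               "${root%/}/var/cache/apache2"
    fi
    for d in "$@"; do
        if dir_world_accessible "$d"; then
            warn "$d is world-accessible; if that is unintended, run: chmod 0750 '$d'"
            APACHE_WORLD_ACCESSIBLE_DIRS="${APACHE_WORLD_ACCESSIBLE_DIRS:+$APACHE_WORLD_ACCESSIBLE_DIRS }$d"
        fi
    done
    return 0
}

# Stand-alone use: sh this-file.sh --check
if [ "${1:-}" = "--check" ]; then
    apache_dir_perms_check
fi
```

Inside an ebuild the last block would be replaced by a call to apache_dir_perms_check from pkg_postinst; the check reads modes only, so the case Hanno describes (user-owned subdirectories that need the world x-bit) produces a warning on each merge rather than a broken setup.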
Comment 11 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-02-07 17:58:56 UTC
(no clue why proxy-maint is in CC, removing)