3

On http://httpd.apache.org/docs/2.2/logs.html

Anyone who can write to the directory where Apache is writing a log file can almost certainly gain access to the uid that the server is started as, which is normally root. Do NOT give people write access to the directory the logs are stored in without being aware of the consequences; see the security tips document for details

How does this work? How does writing to a file that Apache is also writing to grant access to the Apache Parent Process user (root)?

Gabe Martin-Dempesy
  • 410
  • 6
  • 11
  • `gain access to the uid that the server is started as` they gave you the answer already. – Tim Dec 20 '11 at 19:21

2 Answers2

2

Check out the security tips page.

http://httpd.apache.org/docs/2.2/misc/security_tips.html

If you allow non-root users to modify any files that root either executes or writes on then you open your system to root compromises. For example, someone could replace the httpd binary so that the next time you start it, it will execute some arbitrary code. If the logs directory is writeable (by a non-root user), someone could replace a log file with a symlink to some other system file, and then root might overwrite that file with arbitrary data. If the log files themselves are writeable (by a non-root user), then someone may be able to overwrite the log itself with bogus data.

Since apache opens and reads the log file as root, there is a danger here for abuse. Not sure why you would want a non-root (apache) user to have write access to the files. You can safely grant read access but would suggest that write access only be given to old files that have rotated. Apache is not opening these files when you use logrotate to manage log rotation.

jeffatrackaid
  • 4,142
  • 19
  • 22
  • 1
    Symlinking the log to another file was definitely the answer I was looking for, and I don't know how I missed that when scanning over the security tips. My initial motivation here is having awstats process and rotate the logs, but not trusting awstats run as root. The obvious alternative here is to trust logrotate to doing the rotation, and then run awstats as a non-root user. – Gabe Martin-Dempesy Dec 20 '11 at 20:44
  • `someone could replace the httpd binary` How can he do this without being root in the first place ? – ychaouche Jun 13 '16 at 13:02
0

If apache is running as root... and a non-root user writes a script for apache to execute... then by-virtue of how processes work... the script runs as root. As a security measure, most distributions do not run apache as root... but as a dedicated user like "www-data" or "apache" or "httpd".

TheCompWiz
  • 7,409
  • 17
  • 23
  • The question is about mechanism used in a specific attack. I don't think that he's asking about the privileges of a script executed by Apache. It sounds like granting write access to Apache's log directory can compromise the Apache's user, and the question was "How does this work?". I'd be curious to know too. Does Apache blindly execute scripts in the logs folder (I doubt it)? What does Apache do with material written to the log folder that could enable an attacker to compromise Apache's user? – Blackcoat Dec 20 '11 at 19:59
  • 1
    The child/worker processes normally run as 'www-data' or 'apache', but there is a parent httpd process that runs as root. Also, this is not about executing scripts, but rather writing to logs. – Gabe Martin-Dempesy Dec 20 '11 at 20:40