
We have Apache set to run as www user on a RedHat box, but its logs are written w/root ownership as the process itself runs as root. It seems the best course of running would be to 1) run rotatelogs as a non root user, and 2) to put the logs in a place set aside for the user w/proper permissions.

Can this be done? I don't see a method here:

https://httpd.apache.org/docs/2.2/programs/rotatelogs.html

jouell
  • This seems like a reasonable question, why the down vote out of the gate? – jouell Dec 05 '15 at 02:17
  • Because people like to exercise their hard earned right to downvote at 125 rep. Quite petty, tbh. Personally, I think everyone should be able to see who is casting votes. – Bill Nov 09 '17 at 15:26
  • Our field is prone to people thinking that because they do not have a problem nobody else should or, worse, that if they cannot think of a way to break something nobody else can either. Working in .gov, I often find cases where it's easier to harden something like this than deal with policy or audit questions about it later. – Chris Adams Nov 09 '17 at 19:33

2 Answers


There is no need to do anything in respect of file ownership. Red Hat ships their systems with sensible defaults. Millions of web servers run every day with their httpd logs owned by root. Best practice is to leave well alone in this instance.

By default the httpd logs on a RH system are rotated using logrotate. This is run daily as the root user so there is no issue with the ownership. You can adjust the way the logs are rotated by editing the logrotate configuration (/etc/logrotate.conf, /etc/logrotate.d/httpd).

If you are using piped logs as your link suggests, then you will need to configure your own cron job to run as root.

This is all normal stuff.

user9517
  • Thanks, but does not address the question, "Can this be done?". I do not see having a process run as root as a best practice, when it could be a non-root user. Whether or not others do. The owner of the file just needs to be the non-root user. I suspect if one runs apache on a high port/non root then the master process is non root and the rotatelogs is as well. My question is if you run Apache as non-root (and knowing the master process is going to run as root), can the rotatelogs process run as non root? – jouell Dec 05 '15 at 16:18
  • Actually, my question is if you run Apache on port 80 as non-root (knowing the master process is going to run as root to bind and then drop privs/spawn worker processes), can the rotatelogs process run as non root? rotatelogs stays in the process list, it's not transiently run via cron. I just think there should be a method for that process to then drop privs as well. An alternative would be for the root master process to spawn another non root process that simply pipes data to rotatelogs. – jouell Dec 05 '15 at 16:48
  • Found a conversation: http://serverfault.com/questions/379285/logrotate-security. At this point I believe the answer is no you can't do it because the rotate logs program has not been programmed to call setuid to a non root user. I will have to look into the source to confirm/deny 100%. – jouell Dec 06 '15 at 05:07
  • Also using capabilities to allow a non-root process to bind to 443/80 would then have all non-root processes, including logrotate. – jouell Dec 06 '15 at 05:12
  • So there you go, like I said, everyone is already using 'best' ;) – user9517 Dec 06 '15 at 06:32
  • Thanks again for the comments. I will respectfully slightly disagree: Running root when you could take steps not to is not best. It does depend on the risk/reward/effort though for sure. – jouell Dec 06 '15 at 20:50
  • Perhaps you should address that to the engineers at Red Hat/Apache (and other distros) I'm sure they'd love to know they've been doing it wrong all this time. You could even download the Apache source and hack it into shape... – user9517 Dec 06 '15 at 21:10
  • Agreed. Someone's gotta do it. – jouell Dec 06 '15 at 23:48
  • @Thetimehascome if you actually talked with any of the engineers who work on Apache, they'd be the first to remind you of the multiple decades which have gone into improving it rather than dogmatically asserting “the way this works now cannot be improved”. Our field has seen a huge amount of engineering time going into incremental security improvements because defense in depth is the best way to avoid catastrophes. – Chris Adams Nov 09 '17 at 15:10

The exact way to invoke it will depend on local configuration (e.g. apache is disabled by default on RHEL 6) but you can use sudo, runuser, etc. like this:

ErrorLog "|sudo -u apache rotatelogs -f /var/log/httpd/errors.%Y-%m-%d.log 86400"

Chris Adams
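Apache's own documentation notes that a piped log program is spawned by the parent httpd process and inherits its user id, which on a standard port-80 install is root; the sudo/runuser wrapper in the answer above is what changes that. The following POSIX shell audit is an added example (not part of the answer or of any Apache tooling): it reads an httpd.conf fragment and flags every ErrorLog/CustomLog pipe whose command is not wrapped in sudo or runuser. The config fragment is constructed inline and written to a hypothetical temp file.

```shell
#!/bin/sh
# Audit httpd ErrorLog/CustomLog directives for piped loggers that would
# inherit root from the master httpd process (no sudo/runuser wrapper).

# Constructed sample httpd.conf fragment; the path is a hypothetical temp file.
SAMPLE_CONF="${TMPDIR:-/tmp}/httpd-piped-log-audit.conf"
cat > "$SAMPLE_CONF" <<'EOF'
# rotatelogs started directly: it runs as root, so the files end up root-owned
ErrorLog "|/usr/sbin/rotatelogs /var/log/httpd/error.%Y-%m-%d.log 86400"
# privilege-dropping variants as in the answer above
ErrorLog "|sudo -u apache rotatelogs -f /var/log/httpd/errors.%Y-%m-%d.log 86400"
CustomLog "||runuser -u apache -- /usr/sbin/rotatelogs /var/log/httpd/access.%Y-%m-%d.log 86400" combined
# plain file logging, rotated by logrotate: not a pipe, so not a finding
CustomLog /var/log/httpd/access_log combined
EOF

# Print each ErrorLog/CustomLog line whose piped command is neither sudo nor
# runuser. Handles the "|", "||" and "|$" pipe prefixes and a path-qualified
# command such as /usr/bin/sudo.
list_root_pipes() {
    awk '
        /^[[:space:]]*#/ { next }                      # skip comments
        tolower($1) == "errorlog" || tolower($1) == "customlog" {
            arg = $2
            sub(/^"/, "", arg)                         # drop opening quote
            if (substr(arg, 1, 1) != "|") next         # file target, not a pipe
            cmd = arg
            sub(/^\|[|$]?/, "", cmd)                   # strip |, || or |$
            if (cmd == "") cmd = $3                    # "| cmd" written with a space
            sub(/.*\//, "", cmd)                       # basename of the command
            if (cmd != "sudo" && cmd != "runuser") print $0
        }' "$1"
}

# Number of findings; 0 means every piped logger drops privileges.
count_root_pipes() {
    list_root_pipes "$1" | wc -l | tr -d ' '
}

echo "Piped loggers that would run as root in $SAMPLE_CONF:"
list_root_pipes "$SAMPLE_CONF"
echo "findings: $(count_root_pipes "$SAMPLE_CONF")"
```

Run it against /etc/httpd/conf/httpd.conf and the files under conf.d to find any pipe that still inherits root; the sudo form only helps if sudo is permitted non-interactively for root, which is the default on a stock Red Hat sudoers.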