Bug#396452: [Pkg-awstats-devel] Bug#396452: Run cron script under root.

Olleg Samoylov olleg at mipt.ru
Mon Nov 6 16:01:15 CET 2006


Charles Fry wrote:
>> Simple workaround of security problem is to run cron script as root. Thus
>> apache statistics will be easily parsed and resulting files will be created
>> as www-data visible and usable from cgi script.
> 
> Hi Olleg,
> 
> Can you please indicate which security problem you are referring to?

Excuse me.

from README.Debian:
> By default Apache stores (since version 1.3.22-1) logfiles with uid=root and
> gid=adm, so you need to either...
> 
>  1) Change the rights of the logfiles in /etc/logrotate.d/apache so that
>     www-data has at least read access.
> 
>  2) As 1) but change to a specific user, and use the suEXEC feature of Apache
>     to run as same user (and either change the right of /var/lib/awstats as
>     well or use another directory). This is more complicated, but then the logs
>     are not generally accessible to the server (which was probably the point of
>     the Apache default).
> 
>  3) Change awstats.pl to group adm (but beware that you are then taking the
>     risk of allowing a CGI-script access to admin stuff on the machine!).

This all requires manual setup after installing awstats.

Running the cron script under root solves this problem too. The cron script will 
read apache log files with default root rights and write to the awstats 
database with www-data rights, visible to the cgi script. And this will not 
require manual setup after installation.

> In general, running scripts as root should be avoided as that is itself
> a security problem.

I don't see any security hole in running the cron script (not cgi) under 
root, because only root can change the cron script or its parameters.

-- 
Olleg Samoylov
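
The argument in this message rests on only root being able to change what a root cron job runs, reads or writes into. The following is an added example, not part of the original message or of the awstats package: it checks that assumption for any paths given on the command line (the cron script, its configuration, or a data directory such as /var/lib/awstats). The function names and the `top` parameter are hypothetical.

```python
#!/usr/bin/env python3
"""Audit paths used by a root cron job: report every path component that
an account other than root could modify or replace. Added example."""
import os
import stat
import sys


def audit_chain(path, trusted_uids=frozenset({0}), top="/"):
    """Check `path` and each ancestor up to `top`.

    Returns a list of (component, reason) for components that are owned by
    an untrusted uid or are writable by group/other.
    """
    findings = []
    cur = os.path.realpath(path)   # follow symlinks to the real target
    top = os.path.realpath(top)
    while True:
        st = os.stat(cur)
        if st.st_uid not in trusted_uids:
            findings.append((cur, f"owned by uid {st.st_uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            findings.append((cur, f"group/other writable, mode {mode:o}"))
        parent = os.path.dirname(cur)
        if cur == top or parent == cur:   # reached `top` or the filesystem root
            break
        cur = parent
    return findings


def main(argv):
    """Print one line per finding; exit status 1 if anything was found."""
    bad = 0
    for path in argv[1:]:
        for component, reason in audit_chain(path):
            print(f"{path}: {component}: {reason}")
            bad += 1
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A data directory owned by www-data will be reported, which is the case to look at when a root job writes into it.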