[Pkg-awstats-devel] RFC - cron-related stuff

Jonas Smedegaard dr at jones.dk
Sat Apr 11 21:21:30 UTC 2009 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, Apr 11, 2009 at 10:56:56PM +0400, Sergey B Kirpichev wrote:
>On Sat, Apr 11, 2009 at 02:40:22PM +0200, Jonas Smedegaard wrote:
>> >1. system user awstats (cron jobs owner) in group adm
>> 
>> Bad, when used as a CGI script: Gives writes access from anonymous 
>> web users to all adm-writable files!
>
>Wrong, just readonly access for www-data, see below (steps 2 and 3 of 
>the original RFC).

Yes, you are right: Only when executed as awstats user does it have 
access to adm group, and CGI is not (and should not!) ever run as that 
user, only the cron script.


>On Sat, Apr 11, 2009 at 02:40:22PM +0200, Jonas Smedegaard wrote:
>> AWStats analyze data that is by default readable only by admins, so 
>> our output should by default also be accessible only by admins, but 
>> optionally readable by others too.
>
>You want to access web statistics from web, isn't?

No, that is _exactly_ what I am not so sure should be the default!


>Then, it must be accessible readonly for www-data (Either generated 
>html-files or awstats data files, doesn't matter).  See below for 
>suexec-like setup.

No, I disagree: Even if(!) the output of AWStats is to be delivered 
through a web server, it should not necessarily be served to the whole 
world.  Only if it is to be served to the whole world should it be 
readable by www-data.


>We can protect CGI-script or static html-files, by some kind of HTTP 
>access control (e.g., only accessible from 127.0.0.1 by default) in 
>/usr/share/doc/awstats/examples/apache.conf.

I did susgest myself to limit access to only localhost, but thinking 
more about it I am wrong there too: Such limiting is for cases where 
content should be readable for all local users but not (by default to 
outsiders - like webservers limit access to /usr/share/doc.

The output from AWStats might be unwanted to share even with all local 
users.  It should IMO by default be accessible only by adm group (or 
some new group empty by default).  If we create a new empty group we can 
optionally offer to grant www-data access - that is not an option if we 
reuse the adm group (but we can the offer to optionally _change_ the 
group use for output).  Whatever we do, I believe the default should be 
to not expose adm content to a wider audience.



>On Sat, Apr 11, 2009 at 02:40:22PM +0200, Jonas Smedegaard wrote:
>> Those "others" might be the whole world, or it might be another 
>> limited group than admins. So it seems to me that it is better to 
>> create an awstats:awstats account (i.e. both username and groupname 
>> awstats), allowing the local admin the flexibility of either adding 
>> awstats to other groups or add other users to awstats group (without 
>> then granting them access to all other files accessible by the adm 
>> group).
>>
>> It might make sense to create yet another account 
>> awstats-cgi:awstats-cgi and make awstats member of awstats-cgi group. 
>> Cron job can then pull log files from adm group and write output 
>> accessible by CGI, without CGI script itself having access to 
>> logfiles (and other adm accessible files).
>> 
>> How does that sound?
>
>In my case others=www-data.

Nope - such other group should be a new one, to not by default in 
reality act as a leak, exposing adm content to a wider audience.


>On Sat, Apr 11, 2009 at 02:40:22PM +0200, Jonas Smedegaard wrote:
>> I have very limited time, so would appreciate if others would have a 
>> look at this.  To make it easier to follow progress, I recommend 
>> first tightening to generate static-only output, and afterwards 
>> extending with an additional CGI account (not both in same go).
>
>It's not a big difference for me.  Anyway, for static html-generated 
>files we should make $DataDir/* data accessible readonly for www-data.

Not by default.

AWStats is a web analyzer, not a proxy. On a default Debian install, 
logfiles are accessible only by adm group, and it should require an 
admin (or an admin tool) to change access rights, not a web analyzer.


>The main difference between CGI vs static stuff is just a matter of
>the awstats.pl command line parameters in /etc/cron.d/awstats ;-)

I fail to see your point.

The benefit of separating CGI from access to backend data is that 
potential bugs in the code then cannot be abused to do unusual stuff 
with backend data, e.g. read other adm-only data or edit the raw 
logfiles.



>On Sat, Apr 11, 2009 at 02:40:22PM +0200, Jonas Smedegaard wrote:
>> >2. Data files writable by awstats, readable by anyone
>> 
>> Bad: Apache2 logfiles are carefully kept readable only by adm group 
>> by default. AWStats should not defeat that by revealing its working 
>> files to the world.
>
>Wrong.  Actually, data files are readable for www-data in effect, see 
>below.
>
>On Sat, Apr 11, 2009 at 02:40:22PM +0200, Jonas Smedegaard wrote:
>> >3. DirData has group www-data & permissions 0750
>> 
>> I agree that permissions should be tightened to not be world 
>> readable. But readable by www-data is arguable somewhat equal to 
>> world readable, so that should be configurable.
> 
>Right, defaults to chmod 0750 $DirData & chown awstats:awstats $DirData 
>sounds better, see above (so, for suexec-enabled setup it may not be 
>www-data readable).  But I've no simple solution to avoid this, if the 
>static reports will be a default.

Here's a proposal for a secure setup:

1) Apache2 provides logfiles accessible only by adm group

2) Cron reads logs as root and pipes them (or cp to temp dir and chown)

3) Cron invokes awstats as awstats, saving output accessible by awstats 
group

4) Cron chmod and chown as root the output to match the input


Optionally the admin can change access right for logfiles, and our 
awstats routines will adapt.

Optionally the admin can change cron routines to use other ownership 
and/or access rights for output than that of the input.

Optionally the admin can setup a webserver to provide access to AWStats 
as some user (typically www-data, but can be other user through suexec), 
and if that user happens to have read access to the data, it will work.

We can even help the admin by providing user-friendly ways to do some of 
those optional tasks.  But we should not do any of them by default.

We should not make AWStats provide web-access to analysis of adm-only 
data out-of-the-box, only optionally!


>> >4. crontab examples (I guess, we can install awstats-update
>> >script & manpage, see bug #255938):
>> >cat >> /etc/cron.d/awstats <<EOF
>> >#MAILTO="root"
>> >#30 7 * * * awstats /usr/local/bin/awstats-update
>> >#30 7 * * * awstats /usr/lib/cgi-bin/awstats.pl -config=site.com -update > /dev/null
>> >EOF
>> 
>> Examples are examples: We do not support them, and do not use them.
>
>Ok.  But we should change www-data -> awstats in the cron.d snippet.

Why?

It is an example.  It deliberately uses "site.com" to force the admin to 
discover it and change it to something locally sane.  If by default we 
use an account having great powers, possibly too great, then the admin 
won't notice that security is weakened.


>I suggest to make a release (as you wish) before any big feature 
>changeset.  There is a number of tiny fixes/improvments.

I agree that we should release soon, and postpone complex changes. But I 
disagree that we should release without tightening security: The complex 
changes are not in securing, but in adding optional mechanisms to punch 
holes in a secure-by-default install.

So I suggest securing AWStats and then release:

  * Switch default config to only produce static content
  * Make output accessible only by awstats group (containing only awstats 
user by default)


Current packaging does not work by default

Upcoming packagin will produce data only for admins by default

Future packaging will optionally produce data for others too


  - Jonas

- -- 
* Jonas Smedegaard - idealist og Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

  [x] quote me freely  [ ] ask before reusing  [ ] keep private
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAknhCdoACgkQn7DbMsAkQLg+MQCbBcohZQdLk1kyTV/m+Ho9GVPP
9G0An1PEgUqlzigXabe6+A8j1TWb1lW5
=eboc
-----END PGP SIGNATURE-----

More information about the Pkg-awstats-devel mailing list