[Pkg-awstats-devel] RFC - cron-related stuff
Sergey B Kirpichev
skirpichev at gmail.com
Sun Apr 12 16:06:23 UTC 2009
> But I find it inaccurate to call it lack of "working state": If AWStats
> by default analyzes Apache2 logfiles and stores the result readable only
> by adm group (or some other group not by default containing other
> members than adm group) then AWStats is in a working state!
>
> * log analyzer (default: output readable by adm group or by none)
> * log analysis browser (default: no data accessible to browse)
>
> AWStats is designed without this separation: By default same config file
> is used for both tasks, requiring the backend security to be lowered.
Ok.
But my strong suspicion is that > 50% of users work with the awstats package
both as log parser and web frontend (on the same host).
> >> Here's a proposal for a secure setup:
> >> 2) Cron reads logs as root and pipes them (or cp to temp dir and chown)
> >> 3) Cron invokes awstats as awstats, saving output accessible by awstats
> >> group
> >> 4) Cron chmod and chown as root the output to match the input
> >
> > Looks too complicated. What's wrong with my previous setup:
> >
> > adduser --system --home /var/lib/awstats --shell /bin/sh --ingroup adm awstats
> > chown awstats:awstats /var/lib/awstats
> > chmod 0750 /var/lib/awstats
> > ?
>
> With my proposal we only need to trust our tiny cron script running as
> root to not contain security flaws regarding access to adm data.
Ok. But we can use
adduser --system --home /var/lib/awstats --shell /bin/sh awstats
instead and suggest the local admin chgrp the parsed log files
(only!) to awstats (in /etc/logrotate.d/apache2, for example). And
leave the cron entry
> > */10 * * * * awstats [ -x /usr/lib/cgi-bin/awstats.pl ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null
It doesn't copy|pipe logs, no new awstats.pl wrappers. Not bad?
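The access model this message argues for (data dir 0750 owned by the awstats user, log files group-readable by awstats but not by the world, no root-run wrapper) is easy to verify with a few stat checks. The script below is an added example, not from this thread or from the Debian awstats package; it assumes GNU coreutils stat, and the `create 640 root awstats` logrotate line is one assumed way an admin could do the chgrp suggested above.

```shell
#!/bin/sh
# Added example: verify the least-privilege layout discussed in the thread.
# Assumes GNU coreutils (stat -c). Paths are passed in so it can be run
# against any directory/file, e.g. /var/lib/awstats and the apache2 logs.

# Succeed if PATH has exactly the octal permission bits WANT (e.g. 750).
has_mode() {
    path=$1
    want=$2
    [ "$(stat -c '%a' "$path")" = "$want" ]
}

# Return the "group" and "other" permission digits of PATH, separated by a space.
# String slicing is used instead of arithmetic so a 4-digit mode (setgid etc.)
# is not misread as octal/decimal.
perm_digits() {
    mode=$(stat -c '%a' "$1")
    other=${mode#"${mode%?}"}     # last digit
    rest=${mode%?}
    group=${rest#"${rest%?}"}     # second-to-last digit
    printf '%s %s\n' "$group" "$other"
}

# Succeed if PATH is not readable by "other" (world).
not_world_readable() {
    set -- $(perm_digits "$1")
    case $2 in
        4|5|6|7) return 1 ;;
    esac
    return 0
}

# Succeed if PATH is readable by its group but not by the world: the state a
# parsed log file should be in after chgrp awstats, so the unprivileged
# awstats cron job can read it without the logs becoming public.
group_only_readable() {
    set -- $(perm_digits "$1")
    case $1 in
        4|5|6|7) ;;
        *) return 1 ;;
    esac
    case $2 in
        4|5|6|7) return 1 ;;
    esac
    return 0
}

# One assumed way for the local admin to hand the logs to the awstats group:
# a logrotate "create" directive (constructed snippet, not from the thread).
logrotate_snippet() {
    cat <<'EOF'
/var/log/apache2/*.log {
        daily
        missingok
        rotate 14
        compress
        delaycompress
        create 640 root awstats
        sharedscripts
        postrotate
                if /etc/init.d/apache2 status > /dev/null ; then /etc/init.d/apache2 reload > /dev/null; fi
        endscript
}
EOF
}

# Stand-alone usage: check a data dir and a log file given on the command line.
if [ $# -eq 2 ]; then
    has_mode "$1" 750 && not_world_readable "$1" \
        && echo "data dir $1: ok" || echo "data dir $1: NOT 0750"
    group_only_readable "$2" \
        && echo "log $2: group-readable only, ok" || echo "log $2: wrong mode"
fi
```

With this in place the cron entry quoted above can stay exactly as it is: the job runs as the awstats user, reads the logs through group permission, and writes only into the 0750 data directory, so nothing runs as root on the awstats side.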