[Pkg-awstats-devel] RFC - cron-related stuff

Jonas Smedegaard dr at jones.dk
Sun Apr 12 18:39:03 UTC 2009



On Sun, Apr 12, 2009 at 09:56:09PM +0400, Sergey B Kirpichev wrote:
>On Sun, Apr 12, 2009 at 07:31:28PM +0200, Jonas Smedegaard wrote:
>> >instead and suggest local admin to chgrp the parsed log files
>> >(only!) to awstats (in /etc/logrotate.d/apache2, for example).  And
>> >leave cron entry
>> >
>> >> >		*/10 * * * * awstats [ -x /usr/lib/cgi-bin/awstats.pl ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null
>> >
>> >It doesn't copy|pipe logs, no new awstats.pl wrappers.  Not bad?
>> 
>> Why do you insist on solutions weakening security?  Do you not 
>> understand my proposal, or do you see/suspect flaws in it?
>
>I don't see any flaws in my modification (it's equal to your proposal 
>in security aspect):
>
>By default awstats user has NO access to log files (adm group).  Only 
>when a local admin chgrp to awstats them (explicitly) - then awstats 
>will have a readonly access.  It's simple and a bit easy to support.  
>No new (buggy ;-)) wrappers for awstats.pl in cron.d/awstats.

There is no flaw in the packaging itself, but you take only a single 
workflow into account, and for that workflow you tell the admin to 
weaken security.

Here's another scenario: Multiple users have shell access to accounts 
also used for webhosting. Each account is sealed in that users cannot 
read each other's content - some might contain .htaccess files or other 
security-related files.

For that scenario you cannot tell the admin to make logs readable by 
www-data.  I suspect our packaged routines are completely useless then 
and a parallel set of routines needs to be set up locally.  On the other 
hand I suspect my proposal can easily be adapted locally to support 
multiple sets of weblogs.  And we can later extend to such more flexible 
routines without breaking simpler setups.



I would like awstats to support multiple virtual hosts securely.  Not 
now, but later.  I would like to do it right, when we bother our users 
with restructuring the central config files.


Oh, and by the way: Are you aware that when you now dropped the check 
for existence of logfiles in cron job, awstats is invoked every 10 
minutes even if there is no webserver installed?  Not nice to system 
resources.  I would prefer to instead get the logfile path from 
/etc/default/awstats with a comment there that central awstats routines 
can be disabled by commenting out that path.

Later we can extend to supporting multiple paths or perhaps globbing.


  - Jonas

-- 
* Jonas Smedegaard - idealist and Internet architect
* Tel.: +45 40843136  Website: http://dr.jones.dk/

  [x] quote me freely  [ ] ask before reusing  [ ] keep private
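The cron guard suggested in the message above, sketched as an added example; it is not code from the thread or from the Debian package. The variable name `AWSTATS_LOGFILE` and the one-assignment-per-line layout of the defaults file are assumptions of this example; the `awstats.pl` path and options are taken from the quoted cron line.

```shell
#!/bin/sh
# Added example: guard for the cron-driven awstats update, run as user awstats.
# AWSTATS_LOGFILE is a hypothetical setting name in /etc/default/awstats.

# Print the configured log path, or nothing when the setting is absent or
# commented out. The file is parsed, not sourced, so no other line in it is
# ever executed by the cron job.
read_logfile_setting() {
    defaults=$1
    [ -r "$defaults" ] || return 0
    sed -n 's/^[[:space:]]*AWSTATS_LOGFILE=//p' "$defaults" \
        | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Print the decision and return 0 only when the update should run.
#   disabled   - path commented out: the admin switched the central routine off
#   missing    - no such log file, e.g. no webserver installed
#   unreadable - the admin has not granted the awstats user read access
should_update() {
    logfile=$(read_logfile_setting "$1")
    if [ -z "$logfile" ]; then echo "disabled"; return 1; fi
    if [ ! -f "$logfile" ]; then echo "missing"; return 1; fi
    if [ ! -r "$logfile" ]; then echo "unreadable"; return 1; fi
    echo "run"
}

# Skip quietly in every non-run case: cron mails any output to the admin.
awstats_cron_update() {
    reason=$(should_update "$1") || return 0
    [ -x /usr/lib/cgi-bin/awstats.pl ] || return 0
    /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null
}

# Cron would call: <this script> --run
[ "${1:-}" != "--run" ] || awstats_cron_update "${2:-/etc/default/awstats}"
```

The guard never changes permissions itself: read access for the awstats user remains an explicit decision by the local admin, and without it the job exits before `awstats.pl` is started.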


