[Pkg-awstats-devel] EnableLockForUpdate option

Andreas Henriksson andreas at fatal.se
Wed May 6 10:42:44 UTC 2009


On Wed, May 06, 2009 at 12:39:02PM +0400, Sergey B Kirpichev wrote:
> Hello,
> 
> Why can't we enable this option by default?
> 
> Pros: When the update process runs, AWStats can set a lock file in TEMP or
> TMP directory. This lock (/tmp/awstats.$SiteDomain.lock) is to avoid to

Haven't looked at the actual implementation but a well-known
filename in /tmp sounds like a bad idea...

Any well-known-and-writable-by-www-data is probably a bad idea...

Could possibly be solved by creating awstats.$domain.$random.lock and others
searching for awstats.$domain.*.lock, which would prevent the tempfile
vulnerability but would probably cause possibility of races and DoS vuln.
(Anyone could write an awstats.$domain.*.lock via www-data and prevent awstats
from running.)

I can't find a good solution that's compatible with awstats running as
www-data .... maybe we should just stop supporting the config option
of supporting "updates on demand" and stop running as www-data (if that
hasn't happened already, I haven't been keeping up to date unfortunately).

-- 
Andreas Henriksson
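As an added illustration of the alternative raised above (not code from AWStats or from anyone in this thread), the helper below takes the per-site update lock from a dedicated directory owned by the updating account instead of from /tmp, refuses to open the well-known name through a symlink, and uses a non-blocking flock() so a second concurrent update simply backs off. The directory layout, the lock_dir argument and the demo() function are assumptions for this example. It does not address the case the message ends on: if the update itself runs as www-data, anything else running as www-data can still write into that directory, so the lock directory only helps once updates run under an account of their own.

```python
import errno
import fcntl
import os
import shutil
import stat
import tempfile


def acquire_update_lock(lock_dir, site_domain):
    """Take an exclusive, non-blocking lock for one site's update run.

    Returns an open file descriptor that holds the lock, or None when another
    update for the same site already holds it. Raises OSError if the lock
    directory or lock file does not look like something this account created.
    (Assumed layout: lock_dir is private to the account that runs updates.)
    """
    dir_st = os.stat(lock_dir)
    # A shared, world-writable namespace such as /tmp is exactly the problem the
    # thread describes, so insist on a directory owned by the current account
    # that is not world-writable (the sticky bit alone is not accepted here).
    if not stat.S_ISDIR(dir_st.st_mode) or dir_st.st_uid != os.geteuid():
        raise OSError(errno.EACCES, "lock directory not owned by this user", lock_dir)
    if dir_st.st_mode & stat.S_IWOTH:
        raise OSError(errno.EACCES, "lock directory is world-writable", lock_dir)

    path = os.path.join(lock_dir, "awstats.%s.lock" % site_domain)
    # O_NOFOLLOW: refuse to open through a symlink planted at the well-known name.
    # O_CREAT without O_EXCL: the lock file may legitimately persist between runs;
    # mutual exclusion comes from flock(), not from file creation.
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
            raise OSError(errno.EACCES, "lock file is not a regular file owned by this user", path)
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:
        os.close(fd)
        return None  # another update for this site is running; back off
    except Exception:
        os.close(fd)
        raise
    return fd


def release_update_lock(fd):
    """Drop the lock; closing the descriptor releases the flock() as well."""
    fcntl.flock(fd, fcntl.LOCK_UN)
    os.close(fd)


def demo(site_domain="example.org"):
    """Exercise the helper in a constructed private directory.

    Returns (first_acquired, second_refused, reacquired, symlink_refused).
    """
    lock_dir = tempfile.mkdtemp(prefix="awstats-lock-")
    try:
        first = acquire_update_lock(lock_dir, site_domain)
        second = acquire_update_lock(lock_dir, site_domain)  # held by `first`
        release_update_lock(first)
        third = acquire_update_lock(lock_dir, site_domain)   # free again
        release_update_lock(third)

        # Constructed symlink at the lock name: O_NOFOLLOW makes open() fail.
        path = os.path.join(lock_dir, "awstats.%s.lock" % site_domain)
        os.unlink(path)
        os.symlink(os.path.join(lock_dir, "elsewhere"), path)
        try:
            acquire_update_lock(lock_dir, site_domain)
            symlink_refused = False
        except OSError:
            symlink_refused = True
        return (first is not None, second is None, third is not None, symlink_refused)
    finally:
        shutil.rmtree(lock_dir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

flock() locks are advisory and attach to the open file description, so a second open() of the same lock file, even from the same process, is refused while the first descriptor is held; that is what makes the "update already running" check reliable without needing a random filename, and it removes the delete-and-recreate race that a random name plus a wildcard search would bring.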
