Charles Fry wrote:
A simple workaround for the security problem is to run the cron script as root. Thus Apache statistics will be easily parsed and the resulting files will be created as www-data, visible and usable from the CGI script.

Hi Olleg, Can you please indicate which security problem you are referring to?
Excuse me. From README.Debian:
By default Apache stores (since version 1.3.22-1) logfiles with uid=root and gid=adm, so you need to either...

1) Change the rights of the logfiles in /etc/logrotate.d/apache so that www-data has at least read access.

2) As 1) but change to a specific user, and use the suEXEC feature of Apache to run as same user (and either change the right of /var/lib/awstats as well or use another directory). This is more complicated, but then the logs are not generally accessible to the server (which was probably the point of the Apache default).

3) Change awstats.pl to group adm (but beware that you are then taking the risk of allowing a CGI-script access to admin stuff on the machine!).
All of this requires manual setup after installing awstats. Running the cron script under root solves this problem too. The cron script will read the Apache log files with default root rights and write to the awstats database with www-data rights, visible to the CGI script. And this will not require manual setup after installation.
In general, running scripts as root should be avoided as that is itself a security problem.
I don't see any security hole in running the cron script (not the CGI) under root, because only root can change the cron script or its parameters.
-- Olleg Samoylov