Thanks for this post. This is a change I needed to make. If you are running a recent version of apache, the cron job can be fixed by editing cron.conf in /etc/apache. Set the variable APACHE_CHOWN_LOGFILES to 0. By default it is 1.
Ernest Johanson
Web Systems Administrator
Fuller Theological Seminary

On Thu, 25 May 2000, Ethan Benson wrote:

> Date: Thu, 25 May 2000 20:07:10 -0800
> From: Ethan Benson <[EMAIL PROTECTED]>
> To: Ian Zimmerman <[EMAIL PROTECTED]>
> Cc: debian-user@lists.debian.org
> Subject: Re: apache question
>
> On Thu, May 25, 2000 at 08:25:08PM -0700, Ian Zimmerman wrote:
> >
> > Ethan> however one thing you should do on a debian system is chown
> > Ethan> /var/www to root and make sure it's not group writable. also
> > Ethan> chown /var/log/apache/* to root.adm and make sure the
> > Ethan> permissions are 640 or 644. (you have to fix the apache cron
> > Ethan> jobs to not undo this change)
> >
> > Ethan> for some insane reason debian leaves the www-root owned by
> > Ethan> www-data.www-data (the same user debian runs apache as) along
> > Ethan> with the logs. this is totally wrong as the web server user
> > Ethan> should NOT own files or have any write permission to anything.
> > Ethan> if it does then all it takes is one of those unprivileged child
> > Ethan> processes to be exploited and your web site can be replaced and
> > Ethan> your logs can be removed. bad bad bad.
> >
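The state Ethan describes above (the web server user neither owning nor able to write the document root or the logs) is easy to drift away from, for example when the cron job's chown is left enabled. The script below is an added example, not code from this thread or from Debian's apache package: it audits a set of paths and reports every entry that a given user owns or can write through the group or world bits. It assumes GNU coreutils `stat` (Linux), treats the group with the same name as the user as "the user's group" (www-data.www-data, as in the thread), and the function names `check_path` and `count_writable` are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit that the web server user can
# neither own nor write the document root and log directory.
# Assumes GNU coreutils `stat` (Linux). Helper names are hypothetical.

# check_path FILE USER
# Exit 0 if USER can neither own nor write FILE; otherwise explain on
# stderr and exit 1. The group named like USER counts as USER's group.
check_path() {
    file=$1
    user=$2
    info=$(stat -c '%U %G %a' "$file" 2>/dev/null) || return 1
    set -- $info
    owner=$1
    group=$2
    mode=$3
    # split the octal mode into its group and other digits; w is bit 2
    grp_digit=$(( (mode / 10) % 10 ))
    oth_digit=$(( mode % 10 ))
    if [ "$owner" = "$user" ]; then
        # an owner can always chmod/chown the file back, so ownership alone fails
        echo "FAIL owned by $user: $file" >&2
        return 1
    fi
    if [ "$group" = "$user" ] && [ $(( (grp_digit / 2) % 2 )) -eq 1 ]; then
        echo "FAIL group-writable by $user: $file (mode $mode)" >&2
        return 1
    fi
    if [ $(( (oth_digit / 2) % 2 )) -eq 1 ]; then
        echo "FAIL world-writable: $file (mode $mode)" >&2
        return 1
    fi
    return 0
}

# count_writable USER PATH...
# Print the number of entries under PATH... that USER owns or can write.
count_writable() {
    user=$1
    shift
    for root in "$@"; do
        find "$root" -print 2>/dev/null
    done | while IFS= read -r f; do
        check_path "$f" "$user" || echo "$f"
    done | wc -l | tr -d ' '
}

# Usage: sh audit-www.sh www-data /var/www /var/log/apache
if [ $# -ge 2 ]; then
    bad=$(count_writable "$@")
    echo "$bad entries owned or writable by $1"
    [ "$bad" -eq 0 ]
fi
```

Run it as root after changing APACHE_CHOWN_LOGFILES so that `stat` can read every entry; a non-zero exit means something under the given paths is still owned or writable by the web server user, and the reasons are printed on stderr. Ownership alone is reported as a failure even when the mode is read-only, because the owning user can simply chmod the file back.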