Debian Bug report logs - #745620
awstats: use adm as user for cron job
Report forwarded to debian-bugs-dist@lists.debian.org, afuentes@qindel.com, Sergey B Kirpichev <skirpichev@gmail.com>: Bug#745620; Package awstats. (Wed, 23 Apr 2014 12:30:06 GMT)
Acknowledgement sent to Alberto Fuentes <afuentes@qindel.com>: New Bug report received and forwarded. Copy sent to afuentes@qindel.com, Sergey B Kirpichev <skirpichev@gmail.com>. (Wed, 23 Apr 2014 12:30:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: awstats
Version: 7.2+dfsg-1
Severity: normal
Out of the suggestions of:
1) Change the rights of the logfiles so that www-data has at least read
access. For example:
* change line in /etc/logrotate.d/apache2 to: "create 644 root adm"
* change permissions of existing files: chmod 644 /var/log/apache2/*.log
I would just run the cron job as adm so it is configured by default on
installation. Also, no apache logs with o=r
Has this been considered already?
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages awstats depends on:
ii perl 5.18.2-2+b1
Versions of packages awstats recommends:
ii coreutils 8.21-1.1
ii libnet-xwhois-perl 0.90-4
Versions of packages awstats suggests:
ii apache2 2.4.9-1
ii apache2-bin [httpd] 2.4.9-1
ii libgeo-ipfree-perl 1.140470-1
ii libnet-dns-perl 0.68-1.2
ii libnet-ip-perl 1.26-1
ii liburi-perl 1.60-1
-- no debconf information
Severity set to 'wishlist' from 'normal'. Request was from Sergey B Kirpichev <skirpichev@gmail.com> to control@bugs.debian.org. (Wed, 23 Apr 2014 12:54:04 GMT)
Information stored: Bug#745620; Package awstats. (Wed, 23 Apr 2014 12:54:08 GMT)
Acknowledgement sent to skirpichev@gmail.com: Extra info received and filed, but not forwarded. (Wed, 23 Apr 2014 12:54:08 GMT)
Message #12 received at 745620-quiet@bugs.debian.org:
severity 745620 wishlist
thanks
On Wed, Apr 23, 2014 at 02:28:04PM +0200, Alberto Fuentes wrote:
> I would just run the cron job as adm so it is configured by default on
> installation. Also, no apache logs with o=r
>
> Has this been considered already?
Yes, some time ago there was a discussion on maillist:
http://lists.alioth.debian.org/pipermail/pkg-awstats-devel/
The bad thing with this approach - we allow awstats access to all @adm
stuff, which is not good.
Information forwarded to debian-bugs-dist@lists.debian.org, Sergey B Kirpichev <skirpichev@gmail.com>: Bug#745620; Package awstats. (Wed, 23 Apr 2014 13:15:04 GMT)
Acknowledgement sent to Alberto Fuentes <afuentes@qindel.com>: Extra info received and forwarded to list. Copy sent to Sergey B Kirpichev <skirpichev@gmail.com>. (Wed, 23 Apr 2014 13:15:04 GMT)
Message #17 received at 745620@bugs.debian.org:
> Yes, some time ago there was a discussion on maillist:
> http://lists.alioth.debian.org/pipermail/pkg-awstats-devel/
>
> The bad thing with this approach - we allow awstats access to all @adm
> stuff, which is not good.
>
Sorry, I should have finished reading. It is suggested to be done afterwards:
3) Change awstats.pl to group adm (but beware that you are then
taking the risk of allowing a CGI-script access to admin stuff on
the machine!).
adm is used as read-only for logs in the system. I still think this is
preferable to allowing all the users to read the apache logs.
Running the cronjob as adm would only be able to read other logs... not
even to write them, even if you manage to craft a log entry that would
break the cgi to execute random code as adm.
"that you are then taking the risk of allowing a CGI-script access to
admin stuff" sounds more risky than it is.
If you already knew that the adm user is used as log read-only and still
think it is a bad idea (or it has been discussed already with such
conclusion), please feel free to close this bug.
Greets
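The trade-off argued in this thread can be measured on a given host. The following is an added example, not part of the bug log or of the awstats package: a read-only audit that lists which log files are world-readable (the effect of option 1) and which become readable only through membership of a group such as adm. The function names are hypothetical, and the directory and group are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the bug log): read-only audit of log readability.
# Usage: sh log_exposure.sh /var/log adm      (values taken from the thread)

# world_readable DIR: files any local account can read (o+r), the result of
# option 1, "create 644 root adm" plus chmod 644 on existing logs.
world_readable() {
    find "$1" -type f -perm -o=r | sort
}

# group_only DIR GROUP: files readable through GROUP membership but not by
# "other": what a job running with GROUP can read that ordinary users cannot.
group_only() {
    find "$1" -type f -group "$2" -perm -g=r ! -perm -o=r | sort
}

# exposure_report DIR GROUP: one-line summary of both counts.
exposure_report() {
    w=$(world_readable "$1" | wc -l)
    g=$(group_only "$1" "$2" | wc -l)
    printf 'world=%d group_only=%d\n' "$w" "$g"
}

if [ "$#" -eq 2 ]; then
    exposure_report "$1" "$2"
    # Everything outside the web server's directory is what running as GROUP
    # adds beyond the Apache logs (the maintainer's objection).
    group_only "$1" "$2" | grep -v '/apache2/' || true
fi
```

The check inspects mode bits and group ownership only, so it reports the configured exposure regardless of which account runs it.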
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sun Apr 16 03:48:12 2023;