Debian Bug report logs - #745620
awstats: use adm as user for cron job


Package: awstats; Maintainer for awstats is Debian QA Group <packages@qa.debian.org>; Source for awstats is src:awstats.

Reported by: Alberto Fuentes <afuentes@qindel.com>

Date: Wed, 23 Apr 2014 12:30:01 UTC

Severity: wishlist

Found in version awstats/7.2+dfsg-1



Report forwarded to debian-bugs-dist@lists.debian.org, afuentes@qindel.com, Sergey B Kirpichev <skirpichev@gmail.com>:
Bug#745620; Package awstats. (Wed, 23 Apr 2014 12:30:06 GMT)


Acknowledgement sent to Alberto Fuentes <afuentes@qindel.com>:
New Bug report received and forwarded. Copy sent to afuentes@qindel.com, Sergey B Kirpichev <skirpichev@gmail.com>. (Wed, 23 Apr 2014 12:30:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Alberto Fuentes <afuentes@qindel.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: awstats: use adm as user for cron job
Date: Wed, 23 Apr 2014 14:28:04 +0200
Package: awstats
Version: 7.2+dfsg-1
Severity: normal

Out of the suggestions of:

1) Change the rights of the logfiles so that www-data has at least read
   access.  For example:

 * change line in /etc/logrotate.d/apache2 to: "create 644 root adm"
 * change permissions of existing files: chmod 644 /var/log/apache2/*.log

I would just run the cron job as adm so it is configured by default on
installation. Also, no apache logs with o=r

Has this been considered already?



-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages awstats depends on:
ii  perl  5.18.2-2+b1

Versions of packages awstats recommends:
ii  coreutils           8.21-1.1
ii  libnet-xwhois-perl  0.90-4

Versions of packages awstats suggests:
ii  apache2              2.4.9-1
ii  apache2-bin [httpd]  2.4.9-1
ii  libgeo-ipfree-perl   1.140470-1
ii  libnet-dns-perl      0.68-1.2
ii  libnet-ip-perl       1.26-1
ii  liburi-perl          1.60-1

-- no debconf information



Severity set to 'wishlist' from 'normal'. Request was from Sergey B Kirpichev <skirpichev@gmail.com> to control@bugs.debian.org. (Wed, 23 Apr 2014 12:54:04 GMT)


Information stored:
Bug#745620; Package awstats. (Wed, 23 Apr 2014 12:54:08 GMT)


Acknowledgement sent to skirpichev@gmail.com:
Extra info received and filed, but not forwarded. (Wed, 23 Apr 2014 12:54:08 GMT)


Message #12 received at 745620-quiet@bugs.debian.org:

From: Sergey B Kirpichev <skirpichev@gmail.com>
To: Alberto Fuentes <afuentes@qindel.com>, 745620-quiet@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#745620: awstats: use adm as user for cron job
Date: Wed, 23 Apr 2014 16:50:15 +0400
severity 745620 wishlist
thanks

On Wed, Apr 23, 2014 at 02:28:04PM +0200, Alberto Fuentes wrote:
> I would just run the cron job as adm so it is configured by default on
> installation. Also, no apache logs with o=r
> 
> Has this been considered already?

Yes, some time ago there was a discussion on maillist:
http://lists.alioth.debian.org/pipermail/pkg-awstats-devel/

The bad thing with this approach - we allow awstats access to all @adm
stuff, which is not good.



Information forwarded to debian-bugs-dist@lists.debian.org, Sergey B Kirpichev <skirpichev@gmail.com>:
Bug#745620; Package awstats. (Wed, 23 Apr 2014 13:15:04 GMT)


Acknowledgement sent to Alberto Fuentes <afuentes@qindel.com>:
Extra info received and forwarded to list. Copy sent to Sergey B Kirpichev <skirpichev@gmail.com>. (Wed, 23 Apr 2014 13:15:04 GMT)


Message #17 received at 745620@bugs.debian.org:

From: Alberto Fuentes <afuentes@qindel.com>
To: skirpichev@gmail.com, 745620@bugs.debian.org
Subject: Re: Bug#745620: awstats: use adm as user for cron job
Date: Wed, 23 Apr 2014 15:04:38 +0200
> Yes, some time ago there was a discussion on maillist:
> http://lists.alioth.debian.org/pipermail/pkg-awstats-devel/
>
> The bad thing with this approach - we allow awstats access to all @adm
> stuff, which is not good.
>

Sorry, I should have finished reading. It is suggested to be done afterwards

3) Change awstats.pl to group adm (but beware that you are then
   taking the risk of allowing a CGI-script access to admin stuff on
   the machine!).

adm is used as read-only for logs in the system. I still think this is
preferable to allowing all the users to read the apache logs.

Running the cronjob as adm would only be able to read other logs... not
even write them, even if you manage to craft a log entry that would
break the cgi to execute random code as adm.


"that you are then taking the risk of allowing a CGI-script access to 
admin stuff" sounds more risky than it is.

If you already knew that the adm user is used as log read-only and still
think it is a bad idea (or it has been discussed already with such a
conclusion), please feel free to close this bug.

Greets
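
The trade-off argued in this thread (cron job run with group adm versus "chmod 644" on the Apache logs) can be measured on a log tree; the following is an added example, not part of any message in this report and not awstats or Debian code. The temporary tree, its file modes, and the use of the creating process's gid as a stand-in for adm are constructed assumptions, and only file mode bits are checked (no ACLs, no directory permissions).

```python
import os
import stat
import tempfile


def readable_sets(root, gid):
    """Return (world, group_only) lists of regular files, judged by mode bits."""
    world, group_only = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IROTH:
                world.append(rel)          # any local user can read it
            elif st.st_gid == gid and st.st_mode & stat.S_IRGRP:
                group_only.append(rel)     # readable only via group `gid`
    return sorted(world), sorted(group_only)


def build_sample_tree(root):
    """Constructed stand-in for /var/log; returns the gid playing 'adm'."""
    layout = {"apache2/access.log": 0o640, "apache2/error.log": 0o640,
              "auth.log": 0o640, "syslog": 0o640, "dpkg.log": 0o644}
    os.makedirs(os.path.join(root, "apache2"))
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return os.lstat(os.path.join(root, "syslog")).st_gid


def compare_options():
    """Return (logs gained by joining adm, world-readable logs after chmod 644)."""
    with tempfile.TemporaryDirectory() as root:
        adm = build_sample_tree(root)
        _, via_adm = readable_sets(root, adm)      # cron job run with group adm
        for name in ("access.log", "error.log"):   # suggestion 1: chmod 644
            os.chmod(os.path.join(root, "apache2", name), 0o644)
        world, _ = readable_sets(root, adm)
        return via_adm, world


if __name__ == "__main__":
    print(compare_options())
```

The first list is what the statistics job alone gains when it holds the group (including auth.log and syslog in this sample); the second is what every local account can read once the Apache logs are made 644.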





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 16 03:48:12 2023; Machine Name: bembo
