This came up in a comment to another question and I'd love it if someone could explain the reasons for this to me.
I suggested having Apache log the errors for a given VHost to a user's home directory. This was shot down because it was insecure. Why?
I asked for clarification in a reply comment but all I got was that it's insecure to have root writing in a folder not owned by root. Again, could someone explain?
Thanks,
Bart.
Because an evil user can maliciously try to point the file
rootis writing to a different location. This is not so simple, but really possible.As an example, if a user would find the way to make a symlink from the supposed Apache log to, say, /etc/shadow you'll suddenly have an unusable system. Apache (
root) would overwrite your users' credentials making the system faulty.If the access.log file is not writable by the user it can be difficult to hijack it, but avoiding the possibility is better!
A possibility could be to use logrotate to do the job, creating the link to a file not already existing, but that logrotate will overwrite as soon as the logs grows:
Note:
The symlink method is only one of the possible attacks, given as a proof of concept.
Security has to be made with a White List mind, not blacklisting what we know to be an issue.
The general principle of not having processes write into a directory they don't own or trust is a good one. But in this particular case, it's reasonable to trust that the Apache code opens the log with
O_NOFOLLOWetc: logging into a user's home directory is a common setup.