author | dgaudet <dgaudet@unknown> | 1997-12-14 01:57:46 +0100 |
---|---|---|
committer | dgaudet <dgaudet@unknown> | 1997-12-14 01:57:46 +0100 |
commit | 7ff54fd830e66bbffe1c8aa984aa96d79853a4c1 (patch) | |
tree | 52197362c565a912fcae1e11bc77ac8b026f76cf /docs | |
parent | We talk about a "proper installation" occasionally... and assume folks know (diff) | |
More tweaks related to serverroot/logs/etc.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@79688 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'docs')
-rw-r--r-- | docs/manual/misc/security_tips.html | 8 |
-rw-r--r-- | docs/manual/mod/core.html | 22 |
-rw-r--r-- | docs/manual/mod/mod_log_config.html | 8 |
3 files changed, 25 insertions, 13 deletions
diff --git a/docs/manual/misc/security_tips.html b/docs/manual/misc/security_tips.html index b1704dd724..715ccb90d7 100644 --- a/docs/manual/misc/security_tips.html +++ b/docs/manual/misc/security_tips.html @@ -62,8 +62,12 @@ be creating files in there. <p>If you allow non-root users to modify any files that root either executes or writes on then you open your system to root compromises. For example, someone could replace the httpd binary so that the next -time you start it, it will execute some arbitrary code. Or someone -could overwrite the logs with arbitrary data. +time you start it, it will execute some arbitrary code. If the logs +directory is writeable (by a non-root user), someone +could replace a log file with a symlink to some other system file, +and then root might overwrite that file with arbitrary data. If the +log files themselves are writeable (by a non-root user), then someone +may be able to overwrite the log itself with bogus data. <P> <HR> <H2>Server Side Includes</H2> diff --git a/docs/manual/mod/core.html b/docs/manual/mod/core.html index a6eaa7e6a0..eb23edb7de 100644 --- a/docs/manual/mod/core.html +++ b/docs/manual/mod/core.html @@ -570,7 +570,7 @@ Example: <blockquote><code>ErrorLog /dev/null</code></blockquote> This effectively turns off error logging.<p> -SECURITY: See the <A HREF="../misc/security_tips.html">security tips</A> +SECURITY: See the <A HREF="../misc/security_tips.html#serverroot">security tips</A> document for details on why your security could be compromised if the directory where logfiles are stored is writable by anyone other than the user that starts the server. 
@@ -1025,9 +1025,12 @@ The LockFile directive sets the path to the lockfile used when Apache is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at its default value. The main reason for changing it is if -the <code>logs</code> directory is NFS mounted, since the lockfile -should be stored on a local disk if possible. The PID of the main -server process is automatically appended to the filename. +the <code>logs</code> directory is NFS mounted, since <b>the lockfile +must be stored on a local disk</b>. The PID of the main +server process is automatically appended to the filename. <p> + +The LockFile is subject to the same warnings about log file placement and +<a href="../misc/security_tips.html#serverroot">security</a>. <P><HR> @@ -1245,7 +1248,7 @@ re-reads its configuration files. This is done by sending a SIGHUP (kill -1) signal to the process id listed in the PidFile.<p> The PidFile is subject to the same warnings about log file placement and -<a href="../misc/security_tips.html">security</a>. +<a href="../misc/security_tips.html#serverroot">security</a>. <p><hr> @@ -1569,8 +1572,13 @@ use with <a href="../vhosts/index.html">name-based virtual hosts</a>. The ServerRoot directive sets the directory in which the server lives. Typically it will contain the subdirectories <code>conf/</code> and <code>logs/</code>. Relative paths for other configuration files are taken -as relative to this directory.<br> -See also <a href="../invoking.html">the <code>-d</code> option to httpd</a>.<p><hr> +as relative to this directory.<p> + +See also <a href="../invoking.html">the <code>-d</code> option to httpd</a>.<p> +See also <a href="../misc/security_tips.html#serverroot">the security tips</a> +for information on how to properly set permissions on the ServerRoot.<p> + +<hr> <h2><A name="servertype">ServerType directive</A></h2> <!--%plaintext <?INDEX {\tt ServerType} directive> --> 
diff --git a/docs/manual/mod/mod_log_config.html b/docs/manual/mod/mod_log_config.html index 76ebb56c00..c0a9369096 100644 --- a/docs/manual/mod/mod_log_config.html +++ b/docs/manual/mod/mod_log_config.html @@ -173,10 +173,10 @@ See the examples below. <h2>Security Considerations</h2> -See the <A HREF="../misc/security_tips.html">security tips</A> document -for details on why your security could be compromised if the directory -where logfiles are stored is writable by anyone other than the user -that starts the server. +See the <A HREF="../misc/security_tips.html#security">security tips</A> +document for details on why your security could be compromised if the +directory where logfiles are stored is writable by anyone other than +the user that starts the server. <p> <h2>Directives</h2> |
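Review bot: In docs/manual/misc/security_tips.html (hunk @@ -62,8 +62,12), the new paragraph names only the logs directory and the log files, yet the core.html hunks in this patch point LockFile and PidFile readers at this section for "the same warnings". Add a sentence saying the symlink replacement risk applies to any file root creates or writes in that directory, the pid file and lock file included. The added lines also spell "writeable" where core.html and mod_log_config.html use "writable"; pick one spelling across the three files.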
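Review bot: The new "#serverroot" fragment in docs/manual/mod/core.html (ErrorLog hunk, @@ -570,7) needs a matching named anchor in security_tips.html, and the security_tips.html hunk in this patch changes only paragraph text without adding one. Confirm that an anchor named "serverroot" already exists in that file; if it does not, add it in this commit, otherwise the four core.html links that now use the fragment will open at the top of the page instead of at the permissions section.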
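Review bot: In the LockFile hunk of docs/manual/mod/core.html (@@ -1025,9), "should be stored on a local disk if possible" becomes a bold "must be stored on a local disk" with no reason given. A requirement this strong should say in one clause what goes wrong when the lockfile sits on an NFS mount, so that administrators do not treat it as a preference. The follow-on sentence "subject to the same warnings about log file placement" is copied from the PidFile text; consider naming the actual risk (a directory writable by a non-root user) so it still reads correctly if the link target changes.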
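Review bot: In docs/manual/mod/mod_log_config.html (hunk @@ -173,10), the link target is changed to "security_tips.html#security", while every other link touched by this patch uses "security_tips.html#serverroot" for the same sentence about the logfile directory being writable. Unless security_tips.html really has a separate anchor named "security", this looks like a typo; use "#serverroot" here so that all three documents point at the same section.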