I'm both senior developer and sysadmin in my company, so I'm trying to deal with the needs of both activities.

I've set up our Apache box, which deals with 30-50 domains atm (and hopefully will grow larger) and hosts both production and development sites, with this directory structure:

domains/
domains/domain.ext/ #FTPS chroot for user domain.ext
domains/domain.ext/public  #the DocumentRoot of http://domain.ext
domains/domain.ext/logs
domains/domain.ext/subdomains/sub.domain.ext
domains/domain.ext/subdomains/sub.domain.ext/public  #DocumentRoot of http://sub.domain.ext

Each domain.ext vhost runs with its dedicated user and group via mpm-itk, umask being 027, and the logs are stored via a piped sudo command, like this:

ErrorLog "| /usr/bin/sudo -u nobody -g domain.ext tee -a domains/domain.ext/logs/sub.domain.ext_error.log"
CustomLog "| /usr/bin/sudo -u nobody -g domain.ext tee -a domains/domain.ext/logs/sub.domain.ext_access.log" combined

Now, I've read a lot about not letting the logs out of a very restricted directory, but the developers often need to give a quick look to a particular subdomain error log, and I don't really want to give them admin rights to look into /var/logs. Having them available in the FTP account is REALLY handy during development stages.

Do you think this setup is viable and safe enough? To me it looks good, but I'm concerned about 3 security issues:

- Is the sudo pipe enough to deal with symlink exploits? Any catches I'm missing?

- Log DoS: logs are on the same partition as all domains. Got hundreds of gigs, but still, if one gets disk-space DoS'd, everything will break. Any workaround? Will a short-timed logrotate suffice?

- File descriptor limits: AFAIK the default limit for Apache on Ubuntu Server is currently 8192, which should be plenty to handle 2 log files per subdomain. Is it? Am I missing something?

I hope to read some thoughts on the matter!

1 Answer

A potential resolution to this is to create a separate folder at /var/log/vhostlogs, create a folder for each vhost, chown it to root with no access for group and others, and use setacl on the folder so that the files created inside will have read permission for the user associated with that vhost every time they are created. Then you can make sure that each current logfile is hardlinked to domains/domain.ext/logs/current.log.

This way, regardless of whether chroot is on or off, users should not read each other's log files; inside the chroot they should be able to read the current log and be unable to abuse it, because Apache is writing with root permissions to /var/log safely (no write access to anyone except root).

Andrew Smith
  • ps. I can see the way of filling up 1TB of Apache logs during the day, as I guess this would require 1 billion viewers. – Andrew Smith Jun 16 '12 at 12:36
  • ps2. Obviously this would be domains/logs and not /var/log/vhostslogs – Andrew Smith Jun 16 '12 at 12:37
  • ps3. An easy way would be to completely re-create the logs folder in each chroot with symlinks during logrotate. Simply add this to postrotate in the configuration file. – Andrew Smith Jun 16 '12 at 12:45
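
The hard-link step from the answer, written so that a root-run postrotate hook never follows a symlink planted inside the user-writable chroot; this is an added example, not code from the answer or its author. The function name `publish_current_log` and its arguments are hypothetical, and it assumes Linux with the root-only log store and the chroot on the same filesystem, since hard links cannot cross filesystems.

```python
import os
import stat


def publish_current_log(src, chroot_logs_dir, name="current.log"):
    """Hard-link the root-owned log `src` into a user-controlled logs directory.

    Returns the inode number that `name` refers to afterwards.
    """
    st = os.lstat(src)  # lstat: a symlink at src is inspected, not followed
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{src} is not a regular file")

    # The vhost user can rename or replace entries inside the chroot, so the
    # directory is opened once with O_NOFOLLOW and every later operation is
    # relative to that descriptor, not to a path that could be swapped.
    dir_fd = os.open(chroot_logs_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        try:
            os.unlink(name, dir_fd=dir_fd)  # removes the entry itself, never its target
        except FileNotFoundError:
            pass
        # Fails with FileExistsError if something reappears under `name`.
        os.link(src, name, dst_dir_fd=dir_fd, follow_symlinks=False)
        linked = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
    finally:
        os.close(dir_fd)

    if (linked.st_dev, linked.st_ino) != (st.st_dev, st.st_ino):
        raise RuntimeError("published entry does not match the source log")
    return linked.st_ino
```

After rotation the live log is a new inode, so the hook has to call this again for each vhost; any error leaves the chroot without a `current.log` rather than with a link to something unexpected.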