Re: apache+ssl 1.13 symlink problem

[ben () ALGROUP CO UK (Ben Laurie)]

Ondrej Suchy wrote:
> Hi all.
> Sorry if this was already mentioned, but ...
>
> Apache SSL server has similar symlink problem as updatedb (and thousands
>
> of others programs).
> I don't know about the other versions, but at least ssl 1.13 patch for
> apache 1.2.5 contains following line in default configuration:
>   SSLLogFile   /tmp/ssl.log
> which makes httpsd log it's activity to that file. Any file can be
> linked to /tmp/ssl.log and httpsd will happily append something like
> "CIPHER is blah-blah" to it.
> I could not make it to root access, but I can't say it's impossible.
> (Maybe through .rhosts?)
>
> Note that this problem is not affected by setting the User and Group
> directives in the configuration to nobody or other unprivileged user,
> since httpd often starts as root, writes to log files and THEN changes
> its uid.
>
> (There is probably the same problem with /tmp/ssldebug log file, I
> didn't test it.)

The /tmp/ssldebug file is not created if you use an up-to-date version
of SSLeay (i.e. v 0.8.x). However, as a precaution, I will comment it
out for future versions.

/tmp/ssl.log may be a risk - I will document it as such for future
versions, but I'd note that the example config (which is _not_ a default
config) will not generally work on any system except mine, so this
directive would only be included in a real config if included by the
sysadmin.

Thanks for the report. It would've been courteous to let me do something
about it before posting to a public forum, though.

Cheers,

Ben.

--
Ben Laurie            |Phone: +44 (181) 735 0686|  Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben () algroup co uk |
A.L. Digital Ltd,     |Apache-SSL author    http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache