Can anyone read my web logs?


#1

I find I can read the web logs of other users (not on the same plan) on the same server - log in to the shell and enter e.g. cat …/…/aacc/logs/aaccenter.com/http/access.log

Does this mean that by default anyone on the same server can read my web logs? And other supposedly private files in my home directory?


#2

I tried this out, with two of my user names on the same server. Using UserA I was able to access the logs and index file of UserB (using nano to view the files)

However, I was not able to get a directory list using “ls” and I was denied access to the index file to make changes. I was able to use tab completion for directories and files, but with out knowing the domains a user controling it’s not easy to get access to files.

I can not actually move into the directories (using “cd foo”)
but have to access them within UserA’s directory.

It seems to me this is something of a security threat, but rather low priorty - assuming that only other users on my machine can view files. But if someone comprimises one doamin on a server, does that mean that they/it can also get at my domains - taking out an entire server?

here’s a good example of security threat:
I happen to know that UserA has doman.com with an movable type install in a directory called MT3. using nano I was able to view mt.cfg and mt-db-pass.cgi. Now I have all the information I could need or want about this database and domain.

Does something need to be changed on our servers, or is this a non issue because of the needed prior information about user directories?

-Matttail


#3

The logs are owned by root and have the other read permission set (in order that you can see them). This means anyone who can see your home directory can read your log files.

Files you’ve created yourself and set to be private (i.e. no other permissions set) won’t be accessible by other users.


#4

[quote]with out knowing the domains a user controling it’s not easy to get access to files.

[/quote]

The cracker does know the domains. He reads them from logs\ . Then just put the domain in the dir path, and you can see all its files!

[quote]but rather low priorty - assuming that only other users on my machine can view files.

[/quote]

I don’t see why the fact that threat is confined to from users on the same machine makes it low priority. There are nearly a thousand users on the same machine as I and I have no idea who they are. Not even DH necessarily knows - see the recent DH blog entry about all the crokked signups they are getting.

[quote]But if someone comprimises one doamin on a server, does that mean that
they/it can also get at my domains - taking out an entire server?

[/quote]

“Get at”? Certainly a compromised web site can take out the server - that’s what’s been happening anyway, hence the recent clampdowns by DH e.g. allow_furl_open.

It seems to me this ability of any user to read others’ website files makes it far easier for a cracker to find an entry point.


#5

[quote]anyone who can see your home directory can read your log files.

[/quote]

Thanks.

[quote]Files you’ve created yourself and set to be private (i.e. no other
permissions set) won’t be accessible by other users.

[/quote]

Won’t this by default prang web service?


#6

I happen to know that UserA has doman.com with an movable type install in a directory called MT3. using nano I was able to view mt.cfg and mt-db-pass.cgi.

This will be true only if their site is misconfigured. CGI executable files – at least the ones that contain sensitive information – should be readable by the owner only.


If you want useful replies, ask smart questions.


#7

Static content needs to be world readable so the web server can read it.

CGI scripts (including PHP files run as CGI) and any files only read and written by CGI scripts can be set so only the owner can read and write them.


#8

I’ll take that as a Yes. Thanks.