[Pkg-awstats-devel] RFC - cron-related stuff
Sergey B Kirpichev
skirpichev at gmail.com
Sat Apr 11 18:56:56 UTC 2009
On Sat, Apr 11, 2009 at 02:40:22PM +0200, Jonas Smedegaard wrote:
> >1. system user awstats (cron jobs owner) in group adm
>
> Bad, when used as a CGI script: Gives writes access from anonymous web
> users to all adm-writable files!
Wrong, just readonly access for www-data, see below (steps 2 and 3 of
the original RFC).
On Sat, Apr 11, 2009 at 02:40:22PM +0200, Jonas Smedegaard wrote:
> AWStats analyze data that is by default readable only by admins, so our
> output should by default also be accessible only by admins, but
> optionally readable by others too.
You want to access web statistics from web, isn't? Then, it must be
accessible readonly for www-data (Either generated html-files or awstats
data files, doesn't matter). See below for suexec-like setup.
We can protect CGI-script or static html-files, by some kind of HTTP
access control (e.g., only accessible from 127.0.0.1 by default) in
/usr/share/doc/awstats/examples/apache.conf.
On Sat, Apr 11, 2009 at 02:40:22PM +0200, Jonas Smedegaard wrote:
> Those "others" might be the whole world, or it might be another limited
> group than admins. So it seems to me that it is better to create an
> awstats:awstats account (i.e. both username and groupname awstats),
> allowing the local admin the flexibility of either adding awstats to
> other groups or add other users to awstats group (without then granting
> them access to all other files accessible by the adm group).
>
> It might make sense to create yet another account
> awstats-cgi:awstats-cgi and make awstats member of awstats-cgi group.
> Cron job can then pull log files from adm group and write output
> accessible by CGI, without CGI script itself having access to logfiles
> (and other adm accessible files).
>
> How does that sound?
In my case others=www-data.
But yes, the more flexible way is:
adduser --system --home /var/lib/awstats --shell /bin/sh --ingroup adm awstats
chown awstats:awstats /var/lib/awstats
chmod 0750 /var/lib/awstats
Then, for example (this looks almost identical to my original setup and
seems unavoidable for static html-reports), per default:
usermod -aG awstats www-data
or (with suexec or dedicated web server):
usermod -aG awstats awstats-cgi
The last case looks overcomplicated for me (as per default). But
README.Debian can suggest one.
Not bad?
On Sat, Apr 11, 2009 at 02:40:22PM +0200, Jonas Smedegaard wrote:
> I have very limited time, so would appreciate if others would have a
> look at this. To make it easier to follow progress, I recommend first
> tightening to generate static-only output, and afterwards extending with
> an additional CGI account (not both in same go).
It's not a big difference for me. Anyway, for static html-generated
files we should make $DataDir/* data accessible readonly for www-data.
The main difference between CGI vs static stuff is just a matter of
the awstats.pl command line parameters in /etc/cron.d/awstats ;-)
On Sat, Apr 11, 2009 at 02:40:22PM +0200, Jonas Smedegaard wrote:
> >2. Data files writable by awstats, readable by anyone
>
> Bad: Apache2 logfiles are carefully kept readable only by adm group by
> default. AWStats should not defeat that by revealing its working files
> to the world.
Wrong. Actually, data files are readable for www-data in effect, see below.
On Sat, Apr 11, 2009 at 02:40:22PM +0200, Jonas Smedegaard wrote:
> >3. DirData has group www-data & permissions 0750
>
> I agree that permissions should be tightened to not be world readable.
> But readable by www-data is arguable somewhat equal to world readable,
> so that should be configurable.
Right, defaults to chmod 0750 $DirData & chown awstats:awstats $DirData
sounds better, see above (so, for suexec-enabled setup it may not be
www-data readable). But I've no simple solution to avoid this, if
the static reports will be a default.
> >4. crontab examples (I guess, we can install awstats-update
> >script & manpage, see bug #255938):
> >cat >> /etc/cron.d/awstats <<EOF
> >#MAILTO="root"
> >#30 7 * * * awstats /usr/local/bin/awstats-update
> >#30 7 * * * awstats /usr/lib/cgi-bin/awstats.pl -config=site.com -update > /dev/null
> >EOF
>
> Examples are examples: We do not support them, and do not use them.
Ok. But we should change www-data -> awstats in the cron.d snippet.
On Sat, Apr 11, 2009 at 02:40:22PM +0200, Jonas Smedegaard wrote:
> Let's write to /var/lib/awstats/... and provide config snippets for web
> servers redirecting /awstats to use that directory.
>
> While we are at it, those snippets should then by default be protected
> to e.g. only accessible from 127.0.0.1 (like CUPS and other
> administrative web services).
Agree.
On Sat, Apr 11, 2009 at 02:40:22PM +0200, Jonas Smedegaard wrote:
> >If user wants AllowToUpdateStatsFromBrowser=1 (disabled by default), we
> >can suggest suexec-like stuff in README.Debian.
>
> Well, we can try to document that, but if we start by protecting direct
> access to adm-only files, it gets messy to unlock it again.
>
> I'd say we should first tighten security, and then (maybe!) afterwards
> try documenting how to weaken security.
Right. But my point is that dedicated user for CGI-access -- just too
complicated setup for default.
PS:
I suggest to make a release (as you wish) before any big feature
changeset. There is a number of tiny fixes/improvments.
More information about the Pkg-awstats-devel
mailing list