[Pkg-awstats-devel] RFC - cron-related stuff

Jonas Smedegaard dr at jones.dk
Fri Apr 2 11:53:42 UTC 2010 

Hi,

On Fri, Apr 02, 2010 at 01:53:51PM +0400, Sergey B Kirpichev wrote:

>> In other words, you propose to have neither stats nor CGI usable 
>> without admin customization.  Or did I miss something?
>
>No.  Only CGI.

Thanks for your new input, Sergey.  I think I understand you now.

Let me try again - I would really want us to agree completely on what we 
decide to do here, as it (to me at least) is pretty complex and it would 
be great if clarified so much that we can even point others to our 
discussion and they can understand it too :-)

First the syntax of my compact listings:

some entity: executes[as user] < input[:ingroup] > output[user:group]


Now your one single proposal - split into different use cases:


Your proposal - without user interaction:

cron:   logrotate[root] < httpd > logs[root:adm]
cron:   awstats[awstats] < logs[:adm] > stats[awstats:awstats]

Result: Noone can access the stats (as noone by default is member of the 
awstats group).

Problem: requires adding awstats to adm group which in itself is ok, but 
sharing awstats data in a wider context potentially leaks other 
adm-accessible data.

Question: Do you perhaps mean that stats by default should be stored 
readable by the adm group?


Your proposal - user interaction for public access:

cron:   logrotate[root] < httpd > logs[root:adm]
cron:   awstats[awstats] < logs[:adm] > stats[awstats:awstats]
admin: (reconfigure output group: > stats[awstats:www-data])
cgi:    awstats[www-data] < stats[:www-data] > httpd

Result: Awstats stats available to all that can access web server.



Your proposal - user interaction for protected web access:

cron:   logrotate[root] < httpd > logs[root:adm]
cron:   awstats[awstats] < logs[:adm] > stats[awstats:awstats]
admin: (reconfigure output group: > stats[awstats:www-secure])
admin: (configure Apache vhost with suexec or similar)
cgi:    awstats[www-secure] < stats[:www-secure] > httpd[:www-secure]

Result: Awstats stats available to isolated web vhost.



>Optionally, enable web-access stuff.  For example:
>5. chgrp www-data /var/lib/awstats

Not enough: actual files need to be changed too.  I suggest to make it 
configurable which read-only group should be used.

  * debconf asks for group
    * group is created if not existing already
    * awstats user is added to group if not member already
    * answer in /etc/default/awstats
  * awstats cronjob try to use configured group
    * use own group if no group declared in configuration
    * fails silently if group missing or awstats not member



>It's not uncommon to have daily log files ~ several Gb.  Do you really 
>want to copy (rsync) them every 10 minutes?  Between diffrerent disks 
>(e.g., /var/log/ and /var/)...
>
>Second, you can't seek on pipe, so "tiny piping tool" force AWStats to 
>scan over all log file (jet, may be we can use logtail...).
>
>So, "cp" solution is just horrible.  "Tiny piping tool" solution - 
>better, but still very complex, compared with "insecure" "awstats to 
>group adm" solution.
>
>Just to note: webalizer package has the same problem.  It's shipped
>with easy (but "insecure") solution: parse log files as root.  Another
>example is logcheck package (logcheck user belongs to group adm).

Good points!

As mentioned above, adding awstats to adm group is safe in itself, but 
has the potential risk of leaking other adm-accessible data when awstats 
output is also shared with other groups.

I suggest to use your proposed design (i.e. not try to provide a really 
secure design that works out-of-the-box, but also only enable your 
almost-safe design only as an opt-in):

  1) Have the cron job silently fail if logfiles are not accessible
     (as should be the case today already, and mentioned above too)
  2) have debconf ask (default=no!) if awstats should be in adm group.
     * Mention that this may indirectly weaken the discretion of the
       adm group.
     * Conditionally add awstats to adm group based on answer
     * Store answer in /etc/default/awstats


How does that sound?


Kind regards, and thanks for being patient with me,

  - Jonas

-- 
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

   [x] quote me freely  [ ] ask before reusing  [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-awstats-devel/attachments/20100402/d9e61250/attachment-0001.pgp>

More information about the Pkg-awstats-devel mailing list