Log file security

Open jeroenvermeulen opened this issue 9 years ago • 2 comments

@danghvu Thank you for this great extension.

There is one security concern I have. I am using Ubuntu Trusty. The log mod_dumpost creates are owned by www-data:www-data and chmod 644. All other logs Apache creates are owned by root:adm. They can be stored in a dir with chmod 700 + chown root, making it impossible for users to read the logs. The logs mod_dumpost creates are a lot less secure. Is it possible for you to improve this?

Jul 13 '16 12:07 jeroenvermeulen

Yes I am aware of this -- the module is not meant for production code so I just wonder if there is a real need.

Jul 13 '16 13:07 danghvu

Ah... I was planning to try it in production :-)

Jul 13 '16 13:07 jeroenvermeulen