Apache vs LiteSpeed permissions

Discussion in 'Apache Migration/Compatibility' started by mabonyi, Sep 25, 2006.

  1. mabonyi

    mabonyi New Member

    After converting some sites from Apache 1.3 to LiteSpeed 2.2.2, the one hitch I noticed was that the access and error logs created by LiteSpeed were owned by the web server whereas Apache creates file descriptors before changing user. Isn't the web server supposed to own as little as possible? This element of LiteSpeed also extends to owning the configuration files and DEFAULT directory. If LiteSpeed logged as root, however, it could seamlessly replace the standard Apache setup without, potentially dangerously, changing ownership of certain files.

    Perhaps it would be better if there was an option to perform logging as a different user or through the parent lshttpd.
  2. mabonyi

    mabonyi New Member

    Addendum

    Litespeed only actively changes the ownership of error logs; access logs take on whatever permissions they have. Is this intentional and if so, why?
  3. mistwang

    mistwang LiteSpeed Staff

    Yes, it is intentional. LSWS does on-the-fly log file rotation, it requires a child lshttpd process to reopen log files for writing, the log file owner will be changed to the user that web server running as.

    The log file will only be created by the parent web server running as 'root' then change the ownership, the log file directory should be owned by root and other users is not allowed to create any file there. CGI scripts should be started in SuEXEC mode, no CGI script should be able to write to the log file. It is not perfect but should not be a security problem when setup properly.

    Logging everything through the parent process could be a solution, but the performance pqnelty is pretty big when many data need to be logged.
  4. mabonyi

    mabonyi New Member

    So to confirm, this is the appropriate setup:

    drwxr-xr-x root admin /srv
    drwxr-xr-x root admin /srv/www
    drwxr-x--- root admin /srv/www/logs
    -rw-r----- root admin /srv/www/logs/access.log
    -rw-r----- lsws lsws /srv/www/logs/error.log

    In other words, any access by lsws to access.log and error.log will be denied except when forwarded by the parent lshttpd, right?
  5. mistwang

    mistwang LiteSpeed Staff

    Parent lshttpd does not forward file handler to children lshttpd prcess for access.log and error.log when a log file has been rotated.
    access.log should be owned by lsws:lsws, and user 'lsws' should have permission to open a file for under directory '/srv/www/logs', so "0755" permission mask might be required. Or, 'lsws' is a member of "admin" group.

Share This Page