On Tuesday 23 March 2004 08:44, Chris Withers wrote:
Toby Dickenson wrote:
Zope's own logs are useful in development, but I wouldn't want to have to rely on them in a hostile production environment.
How come?
Suppose your Zope server is compromised. Your event log and access log are critical for detecting the compromise, and then diagnosing the flaw that led to the compromise. Currently the Zope server process has privileges to rewrite all of its log files, so it is possible for anyone who has broken into a Zope server to remove all traces of their presence.

Apache does this right. Its worker processes run under the 'httpd' uid, but its log files are accessible only by root. When the worker process is started it is given a pipe file descriptor, and a separate process running as root copies log entries out of the pipe and into the log file. A compromised worker process can generate fake log entries, but it can't remove old ones.

-- Toby Dickenson
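The pipe-based arrangement Toby describes, as an added Python sketch that is not part of the original thread or of Apache's own code. It runs both sides as the same user (no root/httpd uid split), so what it demonstrates is the descriptor separation: the worker holds only the write end of a pipe and never sees the log file; the names `run_worker_with_piped_log` and `demo` are this example's own.

```python
import os
import subprocess
import sys
import tempfile

# Worker-side program (constructed for this example). Its only link to the
# log is the pipe descriptor passed in argv[1]; it never learns the log path.
WORKER_SRC = r"""
import os, sys
pipe_fd = int(sys.argv[1])
for entry in sys.argv[2:]:
    os.write(pipe_fd, (entry + "\n").encode())
os.close(pipe_fd)
"""

def run_worker_with_piped_log(log_path, entries):
    """Privileged side: own the log file, hand the worker only a pipe.

    In Apache's layout this parent runs as root over a root-only log file and
    the worker runs as 'httpd'; here both run as one user (assumption of the
    example), so the uid boundary is not enforced, only the fd boundary.
    """
    read_end, write_end = os.pipe()
    # O_APPEND: the copier itself only ever appends, never seeks or truncates.
    log_fd = os.open(log_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    try:
        worker = subprocess.Popen(
            [sys.executable, "-c", WORKER_SRC, str(write_end), *entries],
            pass_fds=(write_end,),   # close_fds=True keeps log_fd out of the worker
        )
        os.close(write_end)          # parent keeps only the read end
        with os.fdopen(read_end, "rb") as pipe:
            for line in pipe:        # copy entries until the worker closes its end
                os.write(log_fd, line)
        worker.wait()
    finally:
        os.close(log_fd)
    with open(log_path, "rb") as f:
        return f.read().decode().splitlines()

def demo():
    """Seed an old entry, let a worker append two more, return the log lines."""
    log_path = os.path.join(tempfile.mkdtemp(), "access.log")
    with open(log_path, "w") as f:
        f.write("old entry\n")      # constructed pre-existing record
    return run_worker_with_piped_log(log_path, ["GET /a 200", "GET /b 404"])

if __name__ == "__main__":
    print(demo())
```

The worker can add lines of its choosing, but the pre-existing entry survives because nothing in the worker's process holds a descriptor to the file.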