Toby Dickenson wrote:
Suppose your Zope server is compromised. Your event log and access log are critical for detecting the compromise, and then diagnosing the flaw that led to the compromise. Currently the Zope server process has privileges to rewrite all of its log files, so it is possible for anyone who has broken into a Zope server to remove all traces of their presence.
Apache does this right. Its worker processes run under the 'httpd' uid, but its log files are accessible only by root. When the worker process is started it is given a pipe file descriptor, and a separate process running as root copies log entries out of the pipe and into the log file. A compromised worker process can generate fake log entries, but it can't remove old ones.
Uh... or you could just write the logs to a pipe and have a non-privileged reader process write them to disk. Like, oh, daemontools.
--
Jamie Heilman http://audible.transient.net/~jamie/
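As an added illustration (not code from either poster, Zope or Apache), the split Toby describes in Python: a privileged parent holds the only descriptor for an append-only log file and drains a pipe, while a forked worker gets just the pipe's write end, so it can inject lines but never truncate or rewrite what is already on disk. The `worker_user` parameter and the sample log lines are constructed for the example; the uid drop only happens when the script is started as root.

```python
import os
import pwd
import tempfile

def drop_privileges(username):
    """Switch the current (root) process to an unprivileged uid/gid."""
    pw = pwd.getpwnam(username)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)

def run_piped_logger(entries, log_path, worker_user=None):
    """Fork a worker that writes `entries` into a pipe; the parent appends
    them to `log_path`. Returns the worker's exit code."""
    # Opened by the privileged parent only: append-only, owner-only mode.
    log_fd = os.open(log_path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # worker process (the 'httpd'/Zope side of the picture)
        os.close(rfd)
        os.close(log_fd)  # the worker must not inherit the log descriptor
        if worker_user and os.geteuid() == 0:
            drop_privileges(worker_user)  # hypothetical account name
        for entry in entries:
            os.write(wfd, (entry + "\n").encode())  # short lines: atomic writes
        os.close(wfd)
        os._exit(0)
    # logger process: keeps privileges, copies pipe -> file, never exposes the fd
    os.close(wfd)
    with os.fdopen(rfd, "rb") as pipe_in:
        for line in pipe_in:
            os.write(log_fd, line)
    os.close(log_fd)
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status)

def demo():
    """Constructed run: two sample access-log lines, returns what landed on disk."""
    path = os.path.join(tempfile.mkdtemp(), "access.log")
    entries = ["192.0.2.10 - GET /manage HTTP/1.0 401",   # constructed sample
               "192.0.2.10 - GET / HTTP/1.0 200"]
    code = run_piped_logger(entries, path)
    with open(path) as f:
        lines = f.read().splitlines()
    return code, lines, os.stat(path).st_mode & 0o777

if __name__ == "__main__":
    print(demo())
```

Run as root with `worker_user` set to a real unprivileged account to see the worker lose the ability to open the log file at all; run unprivileged, the descriptor separation alone is what the demo shows.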