[Zope-Coders] new zLOG

Toby Dickenson tdickenson@geminidataloggers.com
Wed, 27 Nov 2002 15:54:42 +0000


On Wednesday 27 November 2002 3:08 pm, Guido van Rossum wrote:
> > The fundamental problem with the stupid log is that the log file is
> > opened by the same process which generates the log events. There are
> > several solutions, but all involve adding an additional process to
> > perform the writing to file.  For security it is important that this
> > new process is not running as the same user id as the zope process.
>
> Can you explain the reasoning for this (I know, once again)?

One use of this file is to prove that your server has not been compromised by an attacker. Alternatively, to find out how it was compromised. We need to ensure that a successful attacker cannot destroy the log files that contain evidence of his attack.

This means:

a. The Zope user cannot open or unlink the log files.
b. The Zope process does not have a file descriptor to the log file, otherwise an attacker could truncate() it.

[There have been other problems mentioned in this thread. I think these all go away if you solve this one key problem]

> Your remarks below imply that in
> order to be secure, the logger must be started as root,

[later]
> (Couldn't it be a set-uid program?  Or is that yet another security
> violation?)

If it allows its caller to specify where the log file is written, then yes. It is an inconvenience if it doesn't, but I don't see a security hole.

> yet the whole
> point of this thread is that we don't want the logfile to be written
> as root.

A logfile written as root becomes a problem when zope performs log rotation after dropping root privileges.

Note that apache running under an 'httpd' user writes its log files as root because it uses a pipe like my option 2 below, and the logger process retains root privileges.