Apache vs LiteSpeed permissions

#1
After converting some sites from Apache 1.3 to LiteSpeed 2.2.2, the one hitch I noticed was that the access and error logs created by LiteSpeed were owned by the web server whereas Apache creates file descriptors before changing user. Isn't the web server supposed to own as little as possible? This element of LiteSpeed also extends to owning the configuration files and DEFAULT directory. If LiteSpeed logged as root, however, it could seamlessly replace the standard Apache setup without, potentially dangerously, changing ownership of certain files.

Perhaps it would be better if there was an option to perform logging as a different user or through the parent lshttpd.
 
#2
Addendum

LiteSpeed only actively changes the ownership of error logs; access logs take on whatever permissions they have. Is this intentional and if so, why?
 

mistwang

LiteSpeed Staff
#3
Yes, it is intentional. LSWS does on-the-fly log file rotation; it requires a child lshttpd process to reopen log files for writing, and the log file owner will be changed to the user that the web server is running as.

The log file will only be created by the parent web server running as 'root', which then changes the ownership; the log file directory should be owned by root, and other users are not allowed to create any file there. CGI scripts should be started in SuEXEC mode; no CGI script should be able to write to the log file. It is not perfect, but should not be a security problem when set up properly.

Logging everything through the parent process could be a solution, but the performance penalty is pretty big when a lot of data needs to be logged.
 
#4
So to confirm, this is the appropriate setup:

drwxr-xr-x root admin /srv
drwxr-xr-x root admin /srv/www
drwxr-x--- root admin /srv/www/logs
-rw-r----- root admin /srv/www/logs/access.log
-rw-r----- lsws lsws /srv/www/logs/error.log

In other words, any access by lsws to access.log and error.log will be denied except when forwarded by the parent lshttpd, right?
 

mistwang

LiteSpeed Staff
#5
Parent lshttpd does not forward file handler to children lshttpd process for access.log and error.log when a log file has been rotated.
access.log should be owned by lsws:lsws, and user 'lsws' should have permission to open a file under directory '/srv/www/logs', so a "0755" permission mask might be required. Or, 'lsws' is a member of the "admin" group.
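An added audit script, not from the thread or from LiteSpeed, that checks a log directory against the layout settled on above: a root-owned directory in which only root can create files, and log files owned by the web server user so a child lshttpd can reopen them after rotation. It assumes the server user is 'lsws' and GNU stat(1); the check_* functions take owner/mode values as arguments, so the policy can be exercised with the listing from post #4 without needing root.

```shell
#!/bin/sh
# Audit a LiteSpeed log directory against the layout agreed in the thread:
# directory owned by root with no group/other write bit (only root creates
# log files), but traversable by the web server user so a child lshttpd can
# reopen rotated logs; log files owned by the web server user, not open to
# "others". Assumes the server runs as 'lsws' and GNU stat(1) is available.

WEB_USER="${WEB_USER:-lsws}"

# check_logdir OWNER GROUP MODE -> 0 if the directory matches the policy
check_logdir() {
    owner=$1; group=$2; mode=$3
    if [ "$owner" != root ]; then
        echo "dir: owner must be root, found $owner" >&2; return 1
    fi
    if [ $((0$mode & 022)) -ne 0 ]; then
        echo "dir: mode $mode lets group/others create files" >&2; return 1
    fi
    if [ $((0$mode & 001)) -eq 0 ]; then
        # no 'x' for others: lsws can only reach the logs through the group
        if [ $((0$mode & 010)) -eq 0 ]; then
            echo "dir: mode $mode blocks $WEB_USER from reopening logs" >&2; return 1
        fi
        echo "note: $WEB_USER must be a member of group $group (mode $mode)" >&2
    fi
    return 0
}

# check_logfile OWNER MODE NAME -> 0 if the log file matches the policy
check_logfile() {
    owner=$1; mode=$2; name=$3
    if [ "$owner" != "$WEB_USER" ]; then
        echo "$name: owner must be $WEB_USER, found $owner" >&2; return 1
    fi
    if [ $((0$mode & 006)) -ne 0 ]; then
        echo "$name: mode $mode is readable/writable by others" >&2; return 1
    fi
    return 0
}

# audit_logdir DIR -> runs both checks against the live filesystem
audit_logdir() {
    dir=$1; rc=0
    check_logdir $(stat -c '%U %G %a' "$dir") || rc=1
    for f in "$dir"/*.log; do
        [ -f "$f" ] || continue
        check_logfile $(stat -c '%U %a' "$f") "$f" || rc=1
    done
    return $rc
}
```

Run `audit_logdir /srv/www/logs` as root; with the post #4 listing it reports access.log as root-owned, which is exactly the point corrected in post #5.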