Pipelog running with incorrect permissions

priestjim

Well-Known Member
#1
Hi!

We are experiencing a very severe issue that prevents LSWS from writing correctly the access logs and as a result prevents statistics creation for our clients. I've pinned down the issue and it goes like this:

Plesk Panel uses a special pipelog configuration to overcome the file descriptor issue and support more vhosts and access logs, which is defined in a custom plesk configuration file included in the original httpd.conf. The pipelog executable in which access logs are piped is owned by root.

As LSWS is running in apache.apache permissions, it spawns the pipelog with apache permissions as well.

Apache spawns the pipelog with the initial parent process owner, which is root (even though it creates processes running as apache user) which is the correct and predicted behavior from Plesk.

This would not be a problem if it weren't for a simple fact: the logs directory (/var/www/vhosts/domain.com/statistics/logs) as managed by Plesk is only user writeable and it is owned by root, thus making the creation of a file inside it owned by the apache user impossible and as a result, making LSWS's spawned pipelog fail in creating the access_log file. Apache works correctly (pipelog is root-owned)

A workaround would be to make LSWS run as root but it is insecure and a hack fix. I would propose even if it is not possible to make Litespeed spawn pipelogs with an initial parent process ownership, at least spawn these processes with their respective file owners, adding a layer of flexibility and security that even Apache does not have.
 

mistwang

LiteSpeed Staff
#2
For security reason, LiteSpeed wont start untrusted process as root.

A quick solution is to create a "setUid" wrapper for the piped logger, so it could run as root.
 
Top