[Zope] Re: Zope Version
Toby Dickenson
tdickenson at geminidataloggers.com
Tue Mar 23 04:49:08 EST 2004
On Tuesday 23 March 2004 08:44, Chris Withers wrote:
> Toby Dickenson wrote:
> > Zope's own logs are useful in development, but I wouldn't want to have to
> > rely on them in a hostile production environment.
>
> How come?

Suppose your Zope server is compromised. Your event log and access log are
critical for detecting the compromise, and then diagnosing the flaw that led
to the compromise. Currently the Zope server process has privileges to
rewrite all of its log files, so it is possible for anyone who has broken
into a Zope server to remove all traces of their presence.

Apache does this right. Its worker processes run under the 'httpd' uid, but
its log files are accessible only by root. When the worker process is started
it is given a pipe file descriptor, and a separate process running as root
copies log entries out of the pipe and into the log file. A compromised
worker process can generate fake log entries, but it can't remove old ones.

--
Toby Dickenson
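
The pipe arrangement described in the message above, as an added example (not part of the original post, and not Zope's or Apache's code). The function names, the `drop_uid` parameter and the sample log entries are assumptions made for illustration; the privilege drop only takes effect when the program is started as root.

```python
import os


def worker(pipe_w, entries, drop_uid=None):
    """Unprivileged side: its only logging capability is the pipe's write end."""
    if drop_uid is not None:  # hypothetical parameter; requires starting as root
        os.setgroups([])
        os.setgid(drop_uid)
        os.setuid(drop_uid)   # irreversible: the log file is now out of reach
    for entry in entries:
        os.write(pipe_w, entry.encode() + b"\n")
    os.close(pipe_w)


def logger(pipe_r, log_path):
    """Privileged side: sole holder of the log file, opened append-only."""
    log_fd = os.open(log_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    try:
        while True:
            chunk = os.read(pipe_r, 4096)
            if not chunk:     # EOF: every write end of the pipe is closed
                break
            os.write(log_fd, chunk)
    finally:
        os.close(log_fd)
        os.close(pipe_r)


def run(log_path, entries, drop_uid=None):
    """Fork a worker, copy what it sends into log_path, return the log lines."""
    pipe_r, pipe_w = os.pipe()
    pid = os.fork()
    if pid == 0:              # child: the worker never opens the log file
        os.close(pipe_r)
        try:
            worker(pipe_w, entries, drop_uid)
        finally:
            os._exit(0)
    os.close(pipe_w)          # parent keeps only the read end
    logger(pipe_r, log_path)
    os.waitpid(pid, 0)
    with open(log_path) as f:
        return f.read().splitlines()
```

The worker can put any text it likes into the pipe, so forged entries remain possible, but the log is opened by the logger alone, with `O_APPEND` and mode 0600, so earlier entries stay where they are.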