Bug 63685 - Webalizer doesn't need root privileges
Summary: Webalizer doesn't need root privileges
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: webalizer
Version: 7.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Than Ngo
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2002-04-17 14:09 UTC by Andrew Bartlett
Modified: 2008-05-01 15:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2002-06-06 14:02:31 UTC
Embargoed:


Description Andrew Bartlett 2002-04-17 14:09:40 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020311

Description of problem:
Even if the latest Bugtraq post on webalizer isn't an issue - there is no reason
this product needs to run as root.

At my site, I use webalizer for both httpd and squid logs.  Both are set to run
under an unprivileged user, via a 'su' wrapper in the crontab. It works fine.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install webalizer
2. look at system crontab file
3. see webalizer running with *way* too many privs

Actual Results:  Webalizer runs as root

Expected Results:  Webalizer running as unprivileged user - owning the 'usage'
dir and nothing else.

Additional info:

By default, webserver logs are world-readable.  This may be another bug, but it
does emphasise the fact that we simply don't need root privs to do this job.

Even when logfiles are 'locked down' simply putting webalizer in a 'web-logs'
group (owning the logdir) works quite fine.
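
The check from the steps to reproduce (look at the system crontab and see which account webalizer runs as), written as a shell function that also recognizes the 'su' wrapper form mentioned in the description. This is an added example, not part of the bug report or of the webalizer package; the `webstats` account, the paths and the sample crontab are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: list webalizer jobs in
# /etc/crontab-format text with the account each one effectively runs as.

# Constructed sample; the "webstats" account and all paths are assumptions.
sample_crontab() {
cat <<'EOF'
SHELL=/bin/bash
# min hour dom mon dow user command
01 * * * * root run-parts /etc/cron.hourly
10 4 * * * root /usr/bin/webalizer
20 4 * * * root su -s /bin/sh webstats -c "/usr/bin/webalizer -c /etc/webalizer.squid.conf"
30 4 * * * webstats /usr/bin/webalizer
EOF
}

# Reads crontab text on stdin; prints "<user> <verdict> <command>" per job.
audit_webalizer_jobs() {
    awk '
    /^[ \t]*(#|$)/ { next }                          # comments, blank lines
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # environment settings
    NF < 7 { next }                                  # not a job line
    {
        user = $6
        cmd = $7
        for (i = 8; i <= NF; i++) cmd = cmd " " $i
        if (cmd !~ /webalizer/) next
        # root invoking su: the first non-option argument is the target user.
        if (user == "root" && $7 ~ /(^|\/)su$/) {
            target = "root"                          # bare "su" stays root
            for (i = 8; i <= NF; i++) {
                if ($i == "-c") { target = "unknown"; break }  # user follows a quoted command
                if ($i == "-s" || $i == "-g" || $i == "-G") { i++; continue }
                if ($i ~ /^-/) continue
                target = $i
                break
            }
            user = target
        }
        verdict = (user == "root") ? "FAIL" : ((user == "unknown") ? "REVIEW" : "ok")
        print user, verdict, cmd
    }'
}

sample_crontab | audit_webalizer_jobs
```

To audit a real host, feed it the system crontab: `audit_webalizer_jobs < /etc/crontab`. Scripts dropped into the `run-parts` directories are not covered by this check.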

Comment 1 Chris Ricker 2002-06-06 14:02:22 UTC
This is still broken in 7.3

Comment 2 Ngo Than 2002-06-21 21:05:18 UTC
it's fixed in 2.01_10-5

