Red Hat Bugzilla – Bug 63685
Webalizer doesn't need root priviages
Last modified: 2008-05-01 11:38:02 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020311
Description of problem:
Even if the latest Bugtraq post on webaliser isn't an issue - there is no reason
this product needs to run as root.
At my site, I use webaliser for both httpd and squid logs. Both are set to run
under an unpriliaged user, via a 'su' wrapper in the crontab. It works fine.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install webalizer
2. look at system crontab file
3. see webalizer runing with *way* too many privs
Actual Results: Webalizer runs as root
Expected Results: Webalizer running as unpriviaged user - owning the 'usage'
dir and nothing else.
By default, webserver logs are world-readable. This may be another bug, but it
does emphisise the fact that we simply don't need root privs to do this job.
Even when logfiles are 'locked down' simply putting webalizer in a 'web-logs'
group (owning the logdir) works quite fine.
This is still broken in 7.3
it's fixed in 2.01_10-5