I admit I never was a great sysadmin. My most important sysadmin work was almost a decade ago, for Dragons.it (site is dead since a long time ago now, too), on a Windows 2000 Server system on the other side of Italy (in Genova), that was running the site (quite simple), a forum software (and I tried quite a few at the time) and the Sphere emulator for Ultima OnLine. If you were an Italian player at the time you might have heard of Dragons’ Land, or *Heaven*…
Anyway since last November I’ve started sysadmining a vserver to keep this blog running, and the xine bugtracker too (and by the way, thanks again IOS for the hosting). There were a few things that I left TODO before, and I’m now doing them as I see time for them.
One of these things is to let awstats run as an unprivileged user, instead of as root as it was doing before. I’m writing down what I did here, so that I’ll remember if I ever have to do this again.
The first step is of course to create an awstats user, and giving it full access to its home directory
# useradd -d /var/lib/awstats -s /sbin/nologin # chown -R awstats /var/lib/awstats
As the configuration files needs to be read by the user too, let’s make that accessible in read-only mode by that user, leaving write access to root:
# chown -R awstats:root /etc/awstats # chmod 570 /etc/awstats # chmod 460 /etc/awstats/*
As the awstats CGI is ran as lighttpd user, I need to let it access both the
Now, you need to let this user access the webserver logs, in my case I’m using lighttpd, thus the directory I have the logs in is
/var/log/lighttpd, which is owned by the webserver user. To be able to restrict the awstats user access, I need to use ACLs:
# setfacl -m u:awstats:r /var/log/lighttpd/* # setfacl -m u:awstats:rx /var/log/lighttpd # setfacl -d -m u:awstats:rx /var/log/lighttpd
Now it’s time to change the script that executes awstats, in my case on multiple virtual hosts. I’m not posting the whole script as it’s quite fugly, but just the general rule is:
# su -s /bin/sh -c 'perl $path_to_awstats/hostroot/cgi-bin/awstats.pl -config=$your_config -update' awstats
Now of course your awstats CGI has to access both the configuration and the datafiles. ACLs come useful again:
# setfacl -m u:lighttpd:r /etc/awstats/* /var/lib/awstats/* # setfacl -m u:lighttpd:rx /etc/awstats /var/lib/awstats # setfacl -d -m u:lighttpd:rx /etc/awstats /var/lib/awstats
Now of course you can guess that you cannot ask the CGI to parse the logs to regenerate the data, because it doesn’t have permission to write to the datafiles, but that’s exactly what I want :)
Now you have awstats running at the lowest privilege possible, but still able to access what it has to, hopefully this should be a nice mitigation strategy.
[Now of course if someone knows I made a mistake, I’d very much like to hear about it :)]