CustomLog directive in apache2.conf makes it impossible to change default logging without editing the global config.

Bug #507616 reported by Lawren Quigley-Jones
Affects: apache2 (Ubuntu)
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Binary package hint: apache2

Ubuntu Karmic
apache2 - 2.2.12-1ubuntu2.1

The following line in apache2.conf is a global, un-editable configuration:
     CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined

In hardy, logging was configured in the default site configuration. By adding this configuration line it becomes impossible to change or disable the default logging behavior without editing apache2.conf.

I install a standard apache configuration file into /etc/apache2/conf.d/ which configures apache to log to syslog. In hardy this config file overrides the global behavior, but this does not seem to be possible in Karmic. Documentation I've read suggests that CustomLog declarations within a virtualhost will override global declarations, but multiple CustomLog declarations are complementary.
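
An added example, not part of the original report: a small audit that shows which virtual hosts fall through to the server-scope access logs. It relies on the mod_log_config rule that a vhost with its own CustomLog or TransferLog logs only there, while a vhost without one uses every server-scope log. The file contents, the conf.d file name `syslog-logging`, the `logger` pipe and the `example.test` hosts are constructed for illustration.

```python
import re

# Constructed sample: the Karmic global line, a hypothetical conf.d fragment, two vhosts.
SAMPLE_FILES = {
    "/etc/apache2/apache2.conf": """
CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined
""",
    "/etc/apache2/conf.d/syslog-logging": """
CustomLog "|/usr/bin/logger -t apache2 -p local6.info" combined
""",
    "/etc/apache2/sites-enabled/000-default": """
<VirtualHost *:80>
    ServerName www.example.test
    CustomLog /var/log/apache2/access.log combined
</VirtualHost>
<VirtualHost *:80>
    ServerName api.example.test
    DocumentRoot /var/www/api
</VirtualHost>
""",
}

ACCESS_LOG = re.compile(r"^\s*(CustomLog|TransferLog)\s+(.+?)\s*$", re.I)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\b", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
SERVER_NAME = re.compile(r"^\s*ServerName\s+(\S+)", re.I)

def audit_access_logs(files):
    """Return (server_scope_logs, vhosts); vhosts maps name -> its own log directives."""
    server_scope, vhosts, current = [], {}, None
    for path, text in files.items():
        for line in text.splitlines():
            if line.lstrip().startswith("#"):
                continue  # skip commented-out directives
            if VHOST_OPEN.match(line):
                current = {"name": f"(unnamed in {path})", "logs": []}
            elif VHOST_CLOSE.match(line) and current is not None:
                vhosts[current["name"]] = current["logs"]
                current = None
            elif current is not None and SERVER_NAME.match(line):
                current["name"] = SERVER_NAME.match(line).group(1)
            elif (m := ACCESS_LOG.match(line)):
                (current["logs"] if current is not None else server_scope).append((path, m.group(2)))
    return server_scope, vhosts

def inheriting_vhosts(files):
    """Vhosts with no access-log directive of their own use every server-scope log."""
    _, vhosts = audit_access_logs(files)
    return sorted(name for name, logs in vhosts.items() if not logs)
```

On the sample, both server-scope directives are reported, so `api.example.test` is written to the file log and to syslog at once: the conf.d fragment adds a destination but cannot remove the one set in apache2.conf.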


Chuck Short (zulcss)
Changed in apache2 (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
Stefan Fritsch (sf-sfritsch) wrote :

You can and should edit apache2.conf in this case. I think the number of users who profit from a fallback access log is much higher than the number of users who want to disable the access log altogether.

Changed in apache2 (Ubuntu):
status: Confirmed → Invalid
Lawren Quigley-Jones (lawrenqj) wrote :

The problem with editing apache2.conf is that future distro changes get lost. Once you edit a config file the end user is given two options during an upgrade. They can either replace the current file with the package maintainer's file or keep the edited file. So either the system loses the local change or else it becomes distinct from a default Ubuntu configuration. The greater problem is that, depending on which version of apache2 was installed at the point that the change was made, the configuration can look different.

If this log line was moved to a file within conf.d then I could set up a divert which overwrote the config without disrupting the package maintainer's future changes.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.15-5ubuntu1

---------------
apache2 (2.2.15-5ubuntu1) maverick; urgency=low

  * Merge from debian unstable. Remaining changes:
    - debian/{control, rules}: Enable PIE hardening.
    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
    - debian/control: Add bzr tag and point it to our tree.
    - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
    + Dropped:
      - debian/patches/206-fix-potential-memory-leaks.dpatch: No longer needed.
      - debian/patches/206-report-max-client-mpm-worker.dpatch: No longer needed.
      - debian/config-dir/apache2.conf: Merged back from debian.
      - mod-reqtimeout functionality: Merge back from debian.
      - debian/patches/204_CVE-2010-0408.dpatch: No longer needed.
      - debian/patches/205_CVE-2010-0434.dpatch: No longer needed.
      - debian/patches/203_fix-ab-segfault.dpatch: No longer needed.

apache2 (2.2.15-5) unstable; urgency=low

  * Conflict with apache package as we now include apachectl. Closes: #579065
  * Remove conflicts with old apache 2.0 modules. The conflicts are not
    necessary anymore as skipping a stable release is not supported anyway.
  * Silence the grep in preinst.

apache2 (2.2.15-4) unstable; urgency=low

  * Move definition of other_vhosts_access.log to new config file
    /etc/apache2/conf.d/other-vhosts-access-log, but disable it
    if it has been disabled by the admin. Closes: #576572. LP: #507616
  * Comment out the contents of mods-available/proxy.conf, as it just
    is a nuisance for use of apache2 as a reverse proxy, which is much
    more common than the use as forward proxy. Extend the comments
    in the file.
  * Change defaults or add example configs for some modules:
    status.conf:
      - enable ExtendedStatus by default
      - enable ProxyStatus by default
      - document SeeRequestTail directive
    proxy_ftp.conf:
      - set 'ProxyFtpDirCharset UTF-8' by default
    ldap.conf:
      - enable /ldap-status page, allow it from localhost by default
    proxy_balancer.conf:
      - add (disabled) example for /balancer-manager page
    ssl.conf:
      - document SSLStrictSNIVHostCheck directive
  * Add symlink from apachectl to apache2ctl to be more compatible with
    upstream. Apache httpd 1.3 hasn't been in Debian for some time.
  * Simplify logrotate script. Closes: #576105
  * Remove empty directory /usr/lib/debug/usr/sbin in mpm packages.
    Closes: #576089
  * Fix apxs2 to work with perl 5.12rc3. Closes: #577239
  * Add source/format file to make lintian happy.

apache2 (2.2.15-3) unstable; urgency=low

  * mod_reqtimeout: backport bugfixes from upstream trunk up to r928881,
    including a fix for mod_proxy CONNECT requests.
  * mod_dav_fs: Use correct permissions when creating new files. LP: #540747

apache2 (2.2.15-2) unstable; urgency=low

  * Make the Files ~ "^\.ht" block in apache2.conf more secure by adding
    Satisfy all. Closes: #572075
  * mod_reqtimeout: Various bug fixes, including:
    - Don't mess up timeouts of mod_proxy's backend connections.
      Closes: #573163

apache2 (2.2.15-1) unstable; urgency=low

  * New upstream ...


Changed in apache2 (Ubuntu):
status: Invalid → Fix Released