[SAC] [OSGeo] #2142: Make log files on Downloads not public

#2142: Make log files on Downloads not public
---------------------------+-------------------
Reporter: wildintellect | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone:
Component: Systems Admin | Keywords:
---------------------------+-------------------
User reported on SAC mailing list that awstats logs are publicly available
on http://download.osgeo.org/logs

We should at least restrict to OSGeo login, if not hide from the web
entirely for user privacy.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2142>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.

#2142: Make log files on Downloads not public
---------------------------+--------------------
Reporter: wildintellect | Owner: sac@…
     Type: task | Status: new
Priority: major | Milestone:
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+--------------------
Changes (by fgdrf):

* priority: normal => major

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2142#comment:1>

Comment (by martin):

I suspect that any method of making logs available in a "convenient" (TM)
manner will be subject to laziness .... pardon, abuse. Thus, how about
removing awstats and webalizer entirely ?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2142#comment:2>

Comment (by strk):

How about restricting access to LDAP users?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2142#comment:3>

Comment (by neteler):

Replying to [comment:3 strk]:
> How about restricting access to LDAP users?

Sounds very good to me. And the EU GDPR will be in place in a few days...

BTW: This is how FSFE handles that:

https://wiki.fsfe.org/TechDocs/DataProcessingTransparency

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2142#comment:4>

Comment (by martin):

Replying to [comment:3 strk]:
> How about restricting access to LDAP users?

Do you think that'll suffice ? In fact this would mean that thousands of
dummy accounts we have in LDAP would still have access to the relevant
logs.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2142#comment:5>

Comment (by jef):

The logfiles are outdated - who/what is using these logfiles?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2142#comment:6>

Comment (by neteler):

Replying to [comment:6 jef]:
> The logfiles are outdated - who/what is using these logfiles?

They are not outdated. Just sort by "Last modified" column:

{{{
Index of /logs
[ICO]  Name                                          Last modified      Size  Description
[DIR]  Parent Directory                                                 -
       awstats022018.download.osgeo.org.tmp.5858     20-May-2018 10:43  98M
       awstats022018.download.osgeo.org.tmp.5851     20-May-2018 10:43  98M
       awstats022018.download.osgeo.org.tmp.5945     20-May-2018 10:43  98M
       dnscachelastupdate.download.osgeo.org.hash    16-Feb-2018 06:31  20K
[TXT]  awstats022018.download.osgeo.org.txt          16-Feb-2018 06:31  97M
...
}}}

download:~$ cat /etc/awstats/awstats.download.osgeo.org.conf

Used by http://download.osgeo.org/stats/

which is
  * not password protected either :frowning:
  * not https

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2142#comment:7>

Comment (by jef):

It was outdated - processing stopped on Feb 16th, because access to
download access.log was changed and awstats wasn't able to access it
anymore. The rotation of the logs also stopped back then.
/var/log/apache2/download_access_log.1 is from Feb 11 and current
download_access_log is 16GB big - awstats.pl is still processing it...

AFAIK the logs in question don't need to be public anyway - awstats.pl
will use them internally to produce the page.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2142#comment:8>

Comment (by jef):

/stats/ is now password protected (username/password added to access.txt
on secure)

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2142#comment:9>

Comment (by jef):

BTW {{DirData="/var/lib/awstats"}} is the default - not sure why that was
changed to a public location.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2142#comment:10>
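
A check for the misconfiguration this ticket ends on, AWStats `DirData` pointing inside a directory that Apache serves, written as an added example that is not part of the ticket or of OSGeo's own tooling. The sample configs and every path in them other than `/var/lib/awstats` are constructed, and only `DocumentRoot` and `Alias` mappings are considered.

```python
import re
from pathlib import PurePosixPath

# AWStats directive: DirData="/path" (lines starting with '#' are comments)
DIRDATA_RE = re.compile(r'^\s*DirData\s*=\s*"?([^"#\n]+?)"?\s*(?:#.*)?$', re.M)
# Apache directives that map a filesystem path into URL space
WEBROOT_RE = re.compile(r'^\s*(?:DocumentRoot|Alias\s+\S+)\s+"?([^"\s]+)"?',
                        re.M | re.I)

def dirdata(awstats_conf):
    """Return the last DirData value in an AWStats config, or None if unset."""
    hits = DIRDATA_RE.findall(awstats_conf)
    return PurePosixPath(hits[-1].strip()) if hits else None

def web_dirs(apache_conf):
    """Filesystem paths Apache exposes through DocumentRoot or Alias."""
    return [PurePosixPath(p) for p in WEBROOT_RE.findall(apache_conf)]

def exposed_under(awstats_conf, apache_conf):
    """Return the web-served directory that contains DirData, or None."""
    data = dirdata(awstats_conf)
    if data is None or not data.is_absolute():
        return None  # unset or relative: cannot be judged from the config alone
    for root in web_dirs(apache_conf):
        # Compare whole path components, so /srv/www/download does not
        # "contain" a sibling such as /srv/www/downloads-old.
        if data == root or root in data.parents:
            return root
    return None

# Constructed sample configs; the paths are hypothetical.
APACHE = '''
<VirtualHost *:80>
    DocumentRoot /srv/www/download
    Alias /stats /srv/awstats-html
</VirtualHost>
'''
WEAK = '# state files land beside the downloads\nDirData="/srv/www/download/logs"\n'
FIXED = 'DirData="/var/lib/awstats"\n'

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("fixed", FIXED)):
        root = exposed_under(conf, APACHE)
        print(name, "EXPOSED under %s" % root if root else "not web-served")
```
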