Re: Logging of subrequest authorization checks in mod_dav_svn/mod_authz_svn

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Sun, 18 Jan 2015 03:48:28 +0000

Ben Reser wrote on Fri, Jan 16, 2015 at 14:09:45 -0800:
> On 1/16/15 11:52 AM, C. Michael Pilato wrote:
> > As for log levels, is there any reason to log the implicit read attempts
> > at a level higher than "debug"? I have no opinion about the log level
> > for the explicit ones.
>
> I can see some people possibly wanting this information for auditing purposes.
> There may be organizations that have to prove their access rules work and it
> can such logging could be useful for that. But I agree that it should be
> limited to elevated logging levels.

It would be nice if the the logged message should be different in that
case, too. That is: there should be some indication, besides the
different log level, that the subrequest-generated log event is
"normal".

That is, we don't want this:

[debug] Access denied: /private
[error] Access denied: /private

But this:

[debug] Hiding directory '/private' (Access denied)
[error] Access denied: /private

(Or some other log level instead of "debug" — I haven't thought about
what log level would be appropriate.)

Daniel
Received on 2015-01-18 04:48:58 CET

This message: [ Message body ]
Next message: Stefan Fuhrmann: "Re: svn commit: r1652076 - /subversion/trunk/subversion/libsvn_fs_fs/index.c"
Previous message: Daniel Shahaf: "Re: Subversion authentication security issue (svnserve, MITM)"
In reply to: Ben Reser: "Re: Logging of subrequest authorization checks in mod_dav_svn/mod_authz_svn"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]