Bugtraq mailing list archives

Denial of Service flaw in Apache


From: "Tozz" <tozz () embrace selwerd nl>
Date: Sun, 6 Jan 2002 05:35:15 +0100

Hello,

Today I stumbled on a little issue in Apache. My webhosting company creates
log files for each separate user/domain, so every user is able to download
his own access / error logs.

The problem occurs when the log directory does not exist: when Apache
receives a SIGHUP (e.g. logrotate), Apache will reload its config file and
shut down immediately. So, if the log directory is removed by the owner of
the domain by accident or because he just wanted to clean up some logs :),
Apache will just simply shut down upon a SIGHUP.

Apache only seems to do this with log files; if a DocumentRoot does not
exist it will just start and display a 404. Same for a ScriptAlias or
anything else that uses a directory.

It's not really a bug, because you can just set the owner of the log
directory to UID root, but still I think it's weird that Apache only dies
with a log directory and not with any other directory.

Bye,
Tozz
Visit us: #h4h @ irc.rizenet.org
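
A pre-reload check for the condition described in the post, as an added example that is not part of the original message: it reads the `ErrorLog`, `CustomLog` and `TransferLog` targets from a config file and reports any log directory that is missing or not owned by the expected UID. The function names, the default ServerRoot `/etc/httpd`, and the sample hostnames and paths are assumptions or constructed values.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check that every log directory
# named in an Apache config exists and has the expected owner before a SIGHUP.
# check_log_dirs CONF [SERVER_ROOT] [OWNER_UID]  (names/defaults are assumptions)
# Prints one line per problem directory; returns 1 if any problem was found.
check_log_dirs() {
    local conf=$1 root=${2:-/etc/httpd} want_uid=${3:-0}
    local directive target dir uid seen='|' rc=0
    while read -r directive target _ || [ -n "$directive" ]; do
        # Directive names are case-insensitive in Apache configuration.
        case $(printf '%s' "$directive" | tr 'A-Z' 'a-z') in
            errorlog|customlog|transferlog) ;;
            *) continue ;;
        esac
        target=${target#\"}; target=${target%\"}      # drop surrounding quotes
        case $target in
            ''|'|'*|syslog|syslog:*) continue ;;      # piped/syslog: no directory
        esac
        case $target in /*) ;; *) target=$root/$target ;; esac  # relative to ServerRoot
        dir=$(dirname -- "$target")
        case $seen in *"|$dir|"*) continue ;; esac    # report each directory once
        seen="$seen$dir|"
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"; rc=1; continue
        fi
        uid=$(ls -Ldn -- "$dir" | awk '{print $3}')   # numeric owner of the directory
        if [ "$uid" != "$want_uid" ]; then
            echo "BADOWNER $dir uid=$uid"; rc=1
        fi
    done < "$conf"
    return "$rc"
}

# Constructed sample config: two vhosts logging under $1, one with a piped log.
sample_conf() {
    cat <<EOF
<VirtualHost *:80>
    ServerName a.example
    ErrorLog $1/a/logs/error_log
    CustomLog "$1/a/logs/access_log" combined
</VirtualHost>
<VirtualHost *:80>
    ServerName b.example
    errorlog $1/b/logs/error_log
    CustomLog "|/usr/sbin/rotatelogs $1/b/logs/access_log 86400" combined
</VirtualHost>
EOF
}
```

Calling `check_log_dirs` on the live config from the log rotation script, and sending the SIGHUP only when it returns 0, keeps a removed directory from taking the server down at rotation time. Log paths containing spaces and files pulled in through `Include` are not handled by this sketch.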