
File Permissions - Apache

This chapter provides Apache downloading steps and cautionary tips. Mobily recommends compiling most of the modules dynamically, and leaving the main server stripped to the bones. He covers the free tool Nikto and how to use it. Also see why he says to disable the TRACE method. (From the book Hardening Apache by Tony Mobily, Apress, 2004, ISBN: 1590593782.)

  1. Secure Installation and Configuration
  2. Asymmetric Encryption and GnuPG
  3. GnuPG and Apache Signatures
  4. Checking and Installing Apache
  5. Running Apache and Testing it with Nikto
  6. Secure Configuration
  7. File Permissions
  8. Don't Give Extra Information Away
  9. Apache and SSL
  10. Generate Certificates
  11. Configuration
By: Apress Publishing
August 17, 2004



File Permissions

Make sure that Apache's files and directories are only writable by root. These are the commands suggested on Apache's web site (the ServerRoot here is /usr/local/apache):

# cd /usr/local/apache
# chown 0 . bin conf logs
# chgrp 0 . bin conf logs
# chmod 755 . bin conf logs
# chown 0 /usr/local/apache/bin/httpd
# chgrp 0 /usr/local/apache/bin/httpd
# chmod 511 /usr/local/apache/bin/httpd

With looser permissions, a local user who can write to one of these directories (or to the httpd binary itself) could replace httpd with a program of his own; because the server is started by root so that it can bind to port 80, that program would then run as root. A writable conf directory is just as bad (the attacker can point Apache at a different DocumentRoot or load an arbitrary module), and a writable logs directory allows a log file to be replaced with a symbolic link to a system file that root will then overwrite.
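As an added example, not from the book or from the Apache site, the same rules expressed as a shell script that can be run before and after hardening: audit_apache_perms reports anything under the ServerRoot that is group- or world-writable or not owned by the expected user and returns 1 if it finds something, and harden_apache_perms applies the sequence above and then removes the write bits that sequence does not cover. The function names, the recursive chown, and the root:root default are assumptions of this example; the arguments exist so it can be tried on a scratch copy as an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the book): audit and enforce ownership and
# permission rules on an Apache ServerRoot. Defaults assume the book's
# layout (/usr/local/apache, owner root:root); run as root in production.

# Report every file or directory under $1 that is writable by group or
# others, or not owned by $2. Returns 1 if anything is found, 0 if clean.
audit_apache_perms() {
    root="${1:-/usr/local/apache}"
    owner="${2:-root}"
    status=0
    # -perm -g+w matches group-writable entries, -perm -o+w world-writable
    # ones; either lets a non-owner swap the httpd binary or edit httpd.conf.
    writable=$(find "$root" \( -perm -g+w -o -perm -o+w \) -print)
    if [ -n "$writable" ]; then
        printf 'group/world writable:\n%s\n' "$writable"
        status=1
    fi
    # A file owned by someone else can be replaced by that user whatever its
    # mode says, so ownership is checked separately.
    foreign=$(find "$root" ! -user "$owner" -print)
    if [ -n "$foreign" ]; then
        printf 'not owned by %s:\n%s\n' "$owner" "$foreign"
        status=1
    fi
    return "$status"
}

# Apply the chown/chgrp/chmod sequence from the text to $1 (recursively,
# which goes further than the book's four directories), giving everything
# to $2:$3, then strip group/world write from anything the sequence did not
# cover (configuration files, log files, modules).
harden_apache_perms() {
    root="${1:-/usr/local/apache}"
    owner="${2:-root}"
    group="${3:-root}"
    chown -R "$owner:$group" "$root"
    chmod 755 "$root" "$root/bin" "$root/conf" "$root/logs"
    chmod 511 "$root/bin/httpd"   # execute-only for everyone but root
    find "$root" \( -perm -g+w -o -perm -o+w \) -exec chmod go-w {} +
}
```

A clean tree gives an exit status of 0, so the audit can be dropped into a cron job or a deployment check; anything it prints is a file a non-root user could use to take over the server.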

Understand How Options Are Applied

Most directives can be used in several kinds of section in your httpd.conf file:

  1. <Directory> sections (except those using regular expressions) and .htaccess files (if they are allowed)
  2. <DirectoryMatch> sections (and <Directory> sections using regular expressions)
  3. <Files> and <FilesMatch> sections
  4. <Location> and <LocationMatch> sections
  5. <VirtualHost> sections

Apache merges the directives found in these sections in this particular order, and a later group overrides an earlier one: a <Location> can therefore loosen what a <Directory> restricted. Within each group, sections are merged in the order they appear in the configuration file, except <Directory>, where the shortest path is processed first (so <Directory /> is always applied before <Directory "/usr/local/apache2/htdocs">), and .htaccess, which is merged together with the <Directory> section for the directory it lives in and overrides it. Sections inside a <VirtualHost> are applied after the corresponding sections of the main server. Also, <Directory> refers to an actual directory on the file system, whereas <Location> refers to a web location, that is, the path part of the URL.

The configuration file I proposed earlier in the chapter reads:

<Directory />
    Options -FollowSymLinks
    AllowOverride None
</Directory>

The <Directory /> section refers to the root directory of the server's file system, not to the ServerRoot. Immediately after, you can see the following section, which is merged after the previous one because it refers to a longer path:

<Directory "/usr/local/apache2/htdocs">
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

In this case, I set very restrictive options for the whole file system, and then allowed looser settings for the document root (/usr/local/apache2/htdocs). I could have defined different options for a directory inside htdocs:

<Directory "/usr/local/apache2/htdocs/insecure">
    Options +FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

For the directory insecure, the option FollowSymLinks (which lets Apache follow symbolic links, possibly out of the document tree, and should be turned off) is added, thanks to the + symbol, to the options inherited from the enclosing sections; an Options line without + or - would instead replace the inherited set entirely. AllowOverride is a separate directive, not an option: AllowOverride All enables the .htaccess mechanism for this directory, and it should be left at None wherever possible, because anyone who can write to the directory can then change the server's behaviour. If symbolic links are genuinely needed, SymLinksIfOwnerMatch is the safer choice, since the server then follows a link only when its owner matches the owner of the target.

You should be aware of how this mechanism works. The document http://httpd.apache.org/docs-2.0/sections.html explains exactly how Apache reads its configuration sections, and http://httpd.apache.org/docs-2.0/mod/core.html#options explains what options can be set. A complete understanding of both of these documents is vital to the security of your Apache installation.

Don't Expose Root's Home Page

If you need to allow users' directories (such as http://www.site.com/~username) with the UserDir directive, remember to have this line in your configuration (the directive also accepts an enabled list, so the safer pattern is to disable it for everyone and then enable it only for the accounts that need it):

UserDir disabled root

Delete Any Default Files

The CGI scripts printenv and test-cgi are installed by default. They have caused problems in the past: the sample scripts shipped with the server were themselves vulnerable, and were a source of security breaches. Current releases install them without the execute bit set, but in a production environment they should be deleted:

[root@merc root]# cd /usr/local/apache2/
[root@merc apache2]# ls cgi-bin
printenv  test-cgi
[root@merc apache2]# rm cgi-bin/*
rm: remove regular file `cgi-bin/printenv'? y
rm: remove regular file `cgi-bin/test-cgi'? y
[root@merc apache2]#

The same applies to the default web site, which should be deleted:

[root@merc root]# rm -rf /usr/local/apache2/htdocs/*

You should then place your own web site in the htdocs directory.

