File Permissions - Apache

File Permissions

Make sure that Apache’s files and directories are only writable by root. These are the commands suggested by Apache’s web site:

# cd /usr/local/apache
# chown 0 . bin conf logs
# chgrp 0 . bin conf logs
# chmod 755 . bin conf logs
# chown 0 /usr/local/apache/bin/httpd
# chgrp 0 /usr/local/apache/bin/httpd
# chmod 511 /usr/local/apache/bin/httpd

Having the wrong permissions set could allow a malicious user to replace the httpd binary, and therefore execute a script as root.

Understand How Options Are Applied

Most directives can be defined in different sections of your httpd.conf file:

1. <Directory> sections

2. <Directory> sections

3. <Files> and <FilesMatch> sections

4. <Location> and <LocationMatch> sections

5. <VirtualHost> sections
   
6. .htaccess (if it is allowed)

Apache merges the directives found in these sections following this particular order. Also, each section is processed in the order that it appears in the configuration file, except <Directory>, where the shortest directories are processed first. Also, <Directory> refers to actual directories on the file system, <Location> whereas refers to a Web location.

The configuration files I proposed earlier in the chapter read:

<Directory />
 Options -FollowSymLinks
 AllowOverride None
</Directory>

The directive <Directory /> refers to the actual root directory of the server. Immediately after, you can see the following directive, which is processed after the previous one, as it refers to a longer path:

<Directory "/usr/local/apache2/htdocs">
   AllowOverride None
   Order allow,deny
   Allow from all
</Directory>

In this case, I set very restrictive permissions for the server’s root directory, and then I allowed looser security for the document root (/usr/local/apache2/ htdocs). I could have defined different options for a directory inside htdocs:

<Directory "/usr/local/apache2/htdocs">
Options +FollowSymLinks +AllowOverride
   AllowOverride None
   Order allow,deny
   Allow from all
</Directory> 

For the directory insecure, the options FollowSymLinks (which allows the following of symbolic links, and should be turned off ) and AllowOverride (which enables the .htaccess file mechanism, and should be disabled if possible) are added (thanks to the + symbol) to the inherited options.

You should be aware of how this mechanism works. The document http://httpd.apache.org/docs-2.0/sections.html explains exactly how Apache reads its configuration section, and http://httpd.apache.org/docs-2.0/mod/core.html#options explains what options can be set. A complete understanding of both these documents is vital to ensure the security of your Apache installation.

Don’t Expose Root’s Home Page

If you need to allow users’ directories (such as http://www.site.com/~username) with the directive Userdir, remember to have this line in your configuration:

UserDir disabled root

Delete Any Default Files

The CGI scripts printenv and test-cgi are installed by default. They have caused problems in the past, because standard Apache scripts that came with the server were inherently vulnerable, and a source of security breaches and problems. Now, when Apache is installed they are not executable. However, in a production environment they should be deleted:

The same applies to the default web site, which should be deleted:

You should then place your own web site in the htdocs directory.