Secure Installation and Configuration - File Permissions (
Page 7 of 11 )
File Permissions
Make sure that Apache’s files and directories are only writable by root. These are the commands suggested by Apache’s web site:
# cd /usr/local/apache
# chown 0 . bin conf logs
# chgrp 0 . bin conf logs
# chmod 755 . bin conf logs
# chown 0 /usr/local/apache/bin/httpd
# chgrp 0 /usr/local/apache/bin/httpd
# chmod 511 /usr/local/apache/bin/httpd
Having the wrong permissions set could allow a malicious user to replace the httpd binary, and therefore execute a script as root.
Understand How Options Are Applied
Most directives can be defined in different sections of your httpd.conf file:
- <Directory> sections
- <Directory> sections
- <Files> and <FilesMatch> sections
- <Location> and <LocationMatch> sections
- <VirtualHost> sections
- .htaccess (if it is allowed)
Apache merges the directives found in these sections following this particular order. Also, each section is processed in the order that it appears in the configuration file, except <Directory>, where the shortest directories are processed first. Also, <Directory> refers to actual directories on the file system, <Location> whereas refers to a Web location.
The configuration files I proposed earlier in the chapter read:
<Directory />
Options -FollowSymLinks
AllowOverride None
</Directory>
The directive <Directory /> refers to the actual root directory of the server. Immediately after, you can see the following directive, which is processed after the previous one, as it refers to a longer path:
<Directory "/usr/local/apache2/htdocs">
AllowOverride None
Order allow,deny
Allow from all
</Directory>
In this case, I set very restrictive permissions for the server’s root directory, and then I allowed looser security for the document root (/usr/local/apache2/ htdocs). I could have defined different options for a directory inside htdocs:
<Directory "/usr/local/apache2/htdocs">
Options +FollowSymLinks +AllowOverride
AllowOverride None
Order allow,deny
Allow from all
</Directory>
For the directory insecure, the options FollowSymLinks (which allows the following of symbolic links, and should be turned off ) and AllowOverride (which enables the .htaccess file mechanism, and should be disabled if possible) are added (thanks to the + symbol) to the inherited options.
You should be aware of how this mechanism works. The document http://httpd.apache.org/docs-2.0/sections.html explains exactly how Apache reads its configuration section, and http://httpd.apache.org/docs-2.0/mod/core.html#options explains what options can be set. A complete understanding of both these documents is vital to ensure the security of your Apache installation.
Don’t Expose Root’s Home Page
If you need to allow users’ directories (such as http://www.site.com/~username) with the directive Userdir, remember to have this line in your configuration:
UserDir disabled root
Delete Any Default Files
The CGI scripts printenv and test-cgi are installed by default. They have caused problems in the past, because standard Apache scripts that came with the server were inherently vulnerable, and a source of security breaches and problems. Now, when Apache is installed they are not executable. However, in a production environment they should be deleted:
[root@merc root]# cd /usr/local/apache2/
[root@merc apache2]# ls cgi-bin
printenv test-cgi
[root@merc apache2]# rm cgi-bin/*
rm: remove regular file `cgi-bin/printenv'? y
rm: remove regular file `cgi-bin/test-cgi'? y
[root@merc apache2]#
The same applies to the default web site, which should be deleted:
[root@merc root]# rm -rf /usr/local/apache2/htdocs/*
You should then place your own web site in the htdocs directory.
|
 This chapter is from Hardening Apache, by Tony Mobily. (Apress, 2004, ISBN: 1590593782). Check it out at your favorite bookstore today. Buy this book now.
|
/ 30 
