Home arrow Apache arrow Setting Permissions in Apache

Setting Permissions in Apache

In this third part of a six-part series on Apache installation and configuration, you will learn how to set security-related permissions. This article is excerpted from chapter two of Apache Security, written by Ivan Ristic (O'Reilly; ISBN: 0596007248). Copyright 2006 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

  1. Setting Permissions in Apache
  2. Options directive
  3. AllowOverride directive
  4. Enabling CGI Scripts
By: O'Reilly Media
Rating: starstarstarstarstar / 5
January 10, 2008

print this article



Setting Apache Binary File Permissions 

After creating the new user account your first impulse might be to assign ownership over the Apache installation to it. I see that often, but do not do it. For Apache to run on port 80, it must be started by the user root. Allowing any other account to have write access to the httpd binary would give that account privileges to execute anything as root.

This problem would occur, for example, if an attacker broke into the system. Working as the Apache user (httpd), he would be able to replace the httpd binary with something else and shut the web server down. The administrator, thinking the web server had crashed, would log in and attempt to start it again and would have fallen into the trap of executing a Trojan program.

That is why we make sure only root has write access:

  # chown -R root:root /usr/local/apache
  # find /usr/local/apache -type d | xargs chmod 755
  # find /usr/local/apache -type f | xargs chmod 644

No reason exists why anyone else other than the root user should be able to read the Apache configuration or the logs:

  # chmod -R go-r   /usr/local/apache/conf
  # chmod -R go-r  /usr/local/apache/logs

Configuring Secure Defaults

Unless told otherwise, Apache will serve any file it can access. This is probably not what most people want; a configuration error could accidentally expose vital system files to anyone caring to look. To change this, we would deny access to the complete filesystem and then allow access to the document root only by placing the following directives in the httpd.conf configuration file:

  <Directory />
      Order Deny,Allow
      Deny from all
  <Directory /var/www/htdocs>
      Order Allow,Deny
      Allow from all

>>> More Apache Articles          >>> More By O'Reilly Media

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Apache Unveils Cassandra 1.2
- Apache on ARM Chips? Dell and Calxeda Help M...
- The Down Side of Open Source Software
- VMware Unveils Serengeti for Apache Hadoop
- SAP Takes Steps to Improve Hadoop Integration
- Looking to Hone Apache Hadoop Skills?
- How to Install Joomla on WAMPP
- Working with XAMPP and Wordpress
- GUI Available for Apache Camel
- Reduce Server Load for Apache and PHP Websit...
- Creating a VAMP (Vista, Apache, MySQL, PHP) ...
- Putting Apache in Jail
- Containing Intrusions in Apache
- Server Limits for Apache Security
- Setting Permissions in Apache

Developer Shed Affiliates


Dev Shed Tutorial Topics: