Home arrow Apache arrow Page 2 - Setting Permissions in Apache

Options directive - Apache

In this third part of a six-part series on Apache installation and configuration, you will learn how to set security-related permissions. This article is excerpted from chapter two of Apache Security, written by Ivan Ristic (O'Reilly; ISBN: 0596007248). Copyright © 2006 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

TABLE OF CONTENTS:
  1. Setting Permissions in Apache
  2. Options directive
  3. AllowOverride directive
  4. Enabling CGI Scripts
By: O'Reilly Media
Rating: starstarstarstarstar / 5
January 10, 2008

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement

This sort of protection will not help with incorrectly or maliciously placed symbolic links that point outside the /var/www/htdocs web server root. System users could create symbolic links to resources they do not own. If someone creates such a link and the web server can read the resource, it will accept a request to serve the resource to the public. Symbolic link usage and other file access restrictions are controlled with the Options directive (inside a <Directory> directive). The Optionsdirective can have one or more of the following values:

All
  
All options listed below exceptMultiViews. This is the default setting.

None
  
None of the options will be enabled.

ExecCGI
  
Allows execution of CGI scripts.

FollowSymLinks
  
Allows symbolic links to be followed.

Includes
  
Allows server-side includes.

IncludesNOEXEC
   Allows SSIs but not theexeccommand, which is used
   to execute external scripts. (This setting does not
   affect CGI script execution.)

Indexes
  
Allows the server to generate the list of files in a
      directory when a default index file is absent.

MultiViews
  
Allows content negotiation.

SymLinksIfOwnerMatch
   Allows symbolic links to be followed if the owner of
   the link is the same as the owner of the file it points
   to.

The following configuration directive will disable symbolic link usage in Apache:

  Options -FollowSymLinks

The minus sign before the option name instructs Apache to keep the existing configuration and disable the listed option. The plus character is used to add an option to an existing configuration.

The Apache syntax for adding and removing options can be confusing. If all option names in a givenOptionsstatement for a particular directory are preceded with a plus or minus character, then the new configuration will be merged with the existing configuration, with the new configuration overriding the old values. In all other cases, the old values will be ignored, and only the new values will be used.

If you need symbolic links consider using theAlias directive, which tells Apache to incorporate an external folder into the web server tree. It serves the same purpose but is more secure. For example, it is used in the default configuration to allow access to the Apache manual:

  Alias /manual/ /usr/local/apache/manual/

If you want to keep symbolic links, it is advisable to turn ownership verification on by setting theSymLinksIfOwnerMatchoption. After this change, Apache will follow symbolic links if the target and the destination belong to the same user:

  Options -FollowSymLinks +SymLinksIfOwnerMatch

Other features you do not want to allow include the ability to have scripts and server-side includes executed anywhere in the web server tree. Scripts should always be placed in special folders, where they can be monitored and controlled.

  Options -Includes -ExecCGI

If you do not intend to use content negotiation (to have Apache choose a file to serve based on the client’s language preference), you can (and should) turn all of these features off in one go:

  Options None

Modules sometimes use the settings determined with theOptions directive to allow or deny access to their features. For example, to be able to use mod_rewrite in per-directory configuration files, theFollowSymLinks option must be turned on.



 
 
>>> More Apache Articles          >>> More By O'Reilly Media
 

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort
   

APACHE ARTICLES

- Apache Unveils Cassandra 1.2
- Apache on ARM Chips? Dell and Calxeda Help M...
- The Down Side of Open Source Software
- VMware Unveils Serengeti for Apache Hadoop
- SAP Takes Steps to Improve Hadoop Integration
- Looking to Hone Apache Hadoop Skills?
- How to Install Joomla on WAMPP
- Working with XAMPP and Wordpress
- GUI Available for Apache Camel
- Reduce Server Load for Apache and PHP Websit...
- Creating a VAMP (Vista, Apache, MySQL, PHP) ...
- Putting Apache in Jail
- Containing Intrusions in Apache
- Server Limits for Apache Security
- Setting Permissions in Apache

Developer Shed Affiliates

 


Dev Shed Tutorial Topics: