Setting Permissions in Apache - Options directive
(Page 2 of 4)
This sort of protection will not help with incorrectly or maliciously placed symbolic links that point outside the /var/www/htdocs web server root. System users could create symbolic links to resources they do not own. If someone creates such a link and the web server can read the resource, it will accept a request to serve the resource to the public. Symbolic link usage and other file access restrictions are controlled with the Options directive (inside a <Directory> directive). The Options directive can have one or more of the following values:

All
    All options listed below except MultiViews. This is the default setting.

None
    None of the options will be enabled.

ExecCGI
    Allows execution of CGI scripts.

FollowSymLinks
    Allows symbolic links to be followed.

Includes
    Allows server-side includes.

IncludesNOEXEC
    Allows SSIs but not the exec command, which is used to execute external scripts. (This setting does not affect CGI script execution.)

Indexes
    Allows the server to generate the list of files in a directory when a default index file is absent.

MultiViews
    Allows content negotiation.

SymLinksIfOwnerMatch
    Allows symbolic links to be followed if the owner of the link is the same as the owner of the file it points to.
The following configuration directive will disable symbolic link usage in Apache:
Options -FollowSymLinks
The minus sign before the option name instructs Apache to keep the existing configuration and disable the listed option. The plus character is used to add an option to an existing configuration.
The Apache syntax for adding and removing options can be confusing. If all option names in a given Options statement for a particular directory are preceded with a plus or minus character, then the new configuration will be merged with the existing configuration, with the new configuration overriding the old values. In all other cases, the old values will be ignored, and only the new values will be used.
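The merge rule above is easier to see than to describe. The following Python model is an added example (it is not code from the book or from Apache itself) that applies an Options statement to an inherited option set using exactly the rules stated in the text: All means every listed option except MultiViews, a statement whose names all carry + or - is merged, and a statement with plain names replaces the inherited set. Mixing the two forms in one statement is rejected, as httpd rejects it at startup. The option names are the ones listed above; the default of All follows the text.

```python
# Added example: a small model of how Apache merges Options statements
# between an inherited configuration and a new <Directory> statement.
# Illustration of the rules stated in the text, not httpd's own code.

# Per the text, "All" is every option below except MultiViews.
ALL_OPTIONS = frozenset({
    "ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
    "Indexes", "MultiViews", "SymLinksIfOwnerMatch",
})

def expand(name):
    """Expand the keywords All and None; any other name stands for itself."""
    if name == "All":
        return set(ALL_OPTIONS) - {"MultiViews"}
    if name == "None":
        return set()
    return {name}

def parse_options(statement):
    """Split 'Options [+|-]name ...' into (sign, name) pairs; sign is None if absent."""
    tokens = statement.split()
    if not tokens or tokens[0].lower() != "options":
        raise ValueError("not an Options directive: %r" % statement)
    parsed = []
    for tok in tokens[1:]:
        sign = tok[0] if tok[:1] in ("+", "-") else None
        name = tok[1:] if sign else tok
        if name not in ALL_OPTIONS and name not in ("All", "None"):
            raise ValueError("unknown option %r" % name)
        parsed.append((sign, name))
    return parsed

def merge_options(inherited, statement):
    """Apply one Options statement to an inherited option set.

    Every name prefixed with + or -: merge into `inherited` (+ adds, - removes).
    No name prefixed: the inherited set is discarded and replaced.
    A mix of the two forms is rejected, as httpd rejects it.
    """
    parsed = parse_options(statement)
    prefixed = [sign is not None for sign, _ in parsed]
    if prefixed and all(prefixed):
        effective = set(inherited)
        for sign, name in parsed:
            if sign == "+":
                effective |= expand(name)
            else:
                effective -= expand(name)
        return frozenset(effective)
    if any(prefixed):
        raise ValueError("cannot mix +/- and plain option names: %r" % statement)
    effective = set()
    for _, name in parsed:
        effective |= expand(name)
    return frozenset(effective)

# The text states that "All" is the default setting.
DEFAULT_OPTIONS = merge_options(frozenset(), "Options All")

def effective_options(statements, inherited=DEFAULT_OPTIONS):
    """Fold a sequence of statements, outermost <Directory> first, onto `inherited`."""
    current = frozenset(inherited)
    for statement in statements:
        current = merge_options(current, statement)
    return current

if __name__ == "__main__":
    for stmt in ("Options -FollowSymLinks",
                 "Options -FollowSymLinks +SymLinksIfOwnerMatch",
                 "Options -Includes -ExecCGI",
                 "Options Indexes",
                 "Options None"):
        print("%-48s -> %s" % (stmt, sorted(merge_options(DEFAULT_OPTIONS, stmt))))
```

Note the fourth case: "Options Indexes" with no prefix does not add Indexes to the inherited set, it throws the inherited set away and leaves Indexes as the only option. That is the behaviour that most often surprises administrators when a per-directory statement silently disables options the parent had enabled.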
If you need symbolic links, consider using the Alias directive, which tells Apache to incorporate an external folder into the web server tree. It serves the same purpose but is more secure. For example, it is used in the default configuration to allow access to the Apache manual:
Alias /manual/ /usr/local/apache/manual/
If you want to keep symbolic links, it is advisable to turn ownership verification on by setting the SymLinksIfOwnerMatch option. After this change, Apache will follow a symbolic link only if the link and the file it points to belong to the same user:
Options -FollowSymLinks +SymLinksIfOwnerMatch
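Both the risk described at the top of this page (links that escape the web root) and the check SymLinksIfOwnerMatch performs (link owner versus target owner) can be audited from the filesystem side before deciding which option to set. The script below is an added example, not code from the book or from Apache; it walks a web root, assumed to be /var/www/htdocs as in the text unless another path is given, without following links, and reports links that resolve outside the root, links whose owner differs from the target's owner (the ones SymLinksIfOwnerMatch would refuse), and dangling links.

```python
# Added example: audit a web root for symbolic links that deserve attention
# before FollowSymLinks is left enabled. Not Apache's or the book's code.
# The assumed web root is /var/www/htdocs, as in the text; pass any path.
import os
import sys
from pathlib import Path

def classify_link(root, target, link_uid, target_uid):
    """Classify one symbolic link; returns a list of findings (empty if clean).

    root:       absolute, resolved web root
    target:     the link's fully resolved target path
    link_uid:   owner (uid) of the link itself, as reported by lstat()
    target_uid: owner (uid) of the target, as reported by stat()
    """
    root = Path(root)
    target = Path(target)
    findings = []
    if target != root and root not in target.parents:
        findings.append("outside-root")      # escapes the web server tree
    if link_uid != target_uid:
        findings.append("owner-mismatch")    # refused under SymLinksIfOwnerMatch
    return findings

def audit_symlinks(root):
    """Walk `root` without following links; return [(link_path, findings), ...]."""
    root = Path(root).resolve()
    report = []
    # os.walk() defaults to followlinks=False, so a link to a directory is
    # listed in dirnames but never descended into.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            if not path.is_symlink():
                continue
            link_uid = os.lstat(path).st_uid          # owner of the link itself
            try:
                target = path.resolve(strict=True)    # follows every hop
                target_uid = os.stat(target).st_uid   # owner of the final target
            except (OSError, RuntimeError):
                # target missing or unreadable, or a symlink loop
                report.append((str(path), ["dangling"]))
                continue
            findings = classify_link(root, target, link_uid, target_uid)
            if findings:
                report.append((str(path), findings))
    return report

if __name__ == "__main__":
    web_root = sys.argv[1] if len(sys.argv) > 1 else "/var/www/htdocs"
    for link, findings in audit_symlinks(web_root):
        print("%s: %s" % (link, ", ".join(findings)))
```

An "outside-root" finding is the case the text warns about: Apache would serve that resource under FollowSymLinks whenever the server process can read it. An "owner-mismatch" finding is what changes behaviour when you switch to SymLinksIfOwnerMatch, so running the audit before the change tells you which links will stop working.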
Other features you do not want to allow include the ability to have scripts and server-side includes executed anywhere in the web server tree. Scripts should always be placed in special folders, where they can be monitored and controlled.
Options -Includes -ExecCGI
If you do not intend to use content negotiation (to have Apache choose a file to serve based on the client’s language preference), you can (and should) turn all of these features off in one go:
Options None
Modules sometimes use the settings determined with the Options directive to allow or deny access to their features. For example, to be able to use mod_rewrite in per-directory configuration files, the FollowSymLinks option must be turned on.
This article is excerpted from chapter two of Apache Security, written by Ivan Ristic (O'Reilly; ISBN: 0596007248).