Received: by taz.hyperreal.com (8.8.4/V2.0) id PAA09090; Sun, 16 Mar 1997 15:34:06 -0800 (PST) Received: by taz.hyperreal.com (8.8.4/V2.0) id PAA09083; Sun, 16 Mar 1997 15:34:04 -0800 (PST) Date: Sun, 16 Mar 1997 15:34:04 -0800 (PST) From: Dean Gaudet Message-Id: <199703162334.PAA09083@taz.hyperreal.com> To: apache-cvs@hyperreal.com Subject: cvs commit: apache/htdocs/manual/mod core.html mod_userdir.html Sender: apache-cvs-owner@apache.org Precedence: bulk Reply-To: new-httpd@hyperreal.com dgaudet 97/03/16 15:34:03 Modified: htdocs/manual/misc security_tips.html htdocs/manual/mod core.html mod_userdir.html Log: Add security notes about protecting /, and avoiding "UserDir ./". Submitted by: Ken Coar Revision Changes Path 1.6 +73 -4 apache/htdocs/manual/misc/security_tips.html Index: security_tips.html =================================================================== RCS file: /export/home/cvs/apache/htdocs/manual/misc/security_tips.html,v retrieving revision 1.5 retrieving revision 1.6 diff -C3 -r1.5 -r1.6 *** security_tips.html 1997/02/03 01:40:50 1.5 --- security_tips.html 1997/03/16 23:34:01 1.6 *************** *** 1,17 **** ! Apache HTTP Server Documentation !

Security tips for server configuration


Some hints and tips on security issues in setting up a web server. Some of ! the suggestions will be general, other, specific to Apache


--- 1,17 ---- ! Apache HTTP Server: Security Tips !

Security Tips for Server Configuration


Some hints and tips on security issues in setting up a web server. Some of ! the suggestions will be general, others specific to Apache.


*************** *** 21,27 **** User directive. Anyone who has write permission for the directory where any log files are being written to can append pseudo-arbitrary data to any file on the ! system which is writable to the user who starts Apache. Since the server is normally started by root, you should NOT give anyone write permission to the directory where logs are stored unless you want them to have root access. --- 21,27 ---- User directive. Anyone who has write permission for the directory where any log files are being written to can append pseudo-arbitrary data to any file on the ! system which is writable by the user who starts Apache. Since the server is normally started by root, you should NOT give anyone write permission to the directory where logs are stored unless you want them to have root access. *************** *** 95,100 **** --- 95,169 ---- This stops all overrides, Includes and accesses in all directories apart from those named.

+


+

+ Protect server files by default +

+

+ One aspect of Apache which is occasionally misunderstood is the feature + of default access. That is, unless you take steps to change it, if the + server can find its way to a file through normal URL mapping rules, it + can serve it to clients. +

+

+ For instance, consider the following example: +

+
    +
  1. # cd /; ln -s / public_html +
  2. +
  3. Accessing http://localhost/~root/ +
  4. +
+

+ This would allow clients to walk through the entire filesystem. To work + around this, add the following block to your server's configuration: +

+
  +  <Directory />
  +      Order deny,allow
  +      Deny from all
  +  </Directory>
  + 
+

+ This will forbid default access to filesystem locations. Add + appropriate + <Directory> + blocks to allow access only + in those areas you wish. For example, +

+
  +  <Directory /usr/users/*/public_html>
  +      Order deny,allow
  +      Allow from all
  +  </Directory>
  +  <Directory /usr/local/httpd>
  +      Order deny,allow
  +      Allow from all
  +  </Directory>
  + 
+

+ Pay particular attention to the interactions of + <Location> + and + <Directory> + directives; for instance, even if <Directory /> + denies access, a <Location /> directive might + overturn it. +

+

+ Also be wary of playing games with the + UserDir + directive; setting it to something like "./" + would have the same effect, for root, as the first example above. +


Please send any other useful security tips to 1.39 +24 -0 apache/htdocs/manual/mod/core.html Index: core.html =================================================================== RCS file: /export/home/cvs/apache/htdocs/manual/mod/core.html,v retrieving revision 1.38 retrieving revision 1.39 diff -C3 -r1.38 -r1.39 *** core.html 1997/02/23 00:42:33 1.38 --- core.html 1997/03/16 23:34:02 1.39 *************** *** 315,320 **** --- 315,344 ----

  • Apply any FileInfo directives in /home/web/.htaccess +

    + + Note that the default Apache access for <Directory /> is + Allow from All. This means that Apache will serve any file + mapped from an URL. It is recommended that you change this with a block + such as + +

      +  <Directory />
      +      Order Deny,Allow
      +      Deny from All
      +  </Directory>
      + 
    +

    + + and then override this for directories you want accessible. + See the + Security Tips + page for more details. + +

    + The directory sections typically occur in the access.conf file, but they may appear in any configuration file. <Directory> directives cannot nest, and cannot appear in a <Limit> section. 1.5 +17 -0 apache/htdocs/manual/mod/mod_userdir.html Index: mod_userdir.html =================================================================== RCS file: /export/home/cvs/apache/htdocs/manual/mod/mod_userdir.html,v retrieving revision 1.4 retrieving revision 1.5 diff -C3 -r1.4 -r1.5 *** mod_userdir.html 1997/02/25 03:57:48 1.4 --- mod_userdir.html 1997/03/16 23:34:02 1.5 *************** *** 46,51 **** --- 46,68 ---- UserDir http://www.foo.com/~*/ -> http://www.foo.com/~bob/one/two.html +

    + + Be careful when using this directive; for instance, "UserDir + ./" would map "/~root" to + "/" - which is probably undesirable. See also + the + <Directory> + directive and the + Security Tips + page for more information. + +

    +
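Review bot: In the security_tips.html hunk (95,169), the `cd /; ln -s / public_html` then `http://localhost/~root/` example only reproduces when root's home directory is `/` and `UserDir` is left at its default `public_html`; state both assumptions beside the example, or a reader whose root home is elsewhere will fail to reproduce it and may discount the warning. The same hunk is the only place that says a `<Location />` block can overturn `<Directory />` `Deny from all`; since the `<Directory />` block is being recommended as the baseline for every server, add one sentence telling the reader to check that no `<Location />` section grants access, otherwise the recommended block gives false comfort. Minor: this hunk writes `Order deny,allow` / `Deny from all` while the core.html hunk writes `Order Deny,Allow` / `Deny from All`; pick one capitalization so the two pages agree when either is copied.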
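Review bot: In the core.html hunk (315,344), the new paragraph beginning "Note that the default Apache access for <Directory /> is Allow from All" is inserted immediately after the list item "Apply any FileInfo directives in /home/web/.htaccess", the last step of the merge-order walkthrough, so it reads as a continuation of that example rather than as a general statement about `<Directory />`. Move it below the list (just before "The directory sections typically occur in the access.conf file") or open it with a sentence that closes the example. The paragraph also recommends `Deny from All` without naming the other half of the advice until the next sentence; consider leading with "deny by default, then allow specific directories" so the two-step nature is clear before the block is shown.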
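Review bot: In the mod_userdir.html hunk (46,68), the sentence that `"UserDir ./"` would map `"/~root"` to `"/"` holds only when root's home directory is `/`; since a relative `UserDir` value is resolved under each user's home directory (which is why `./` yields `/` for root), the real problem is that `./` exposes every user's entire home directory, and the note should say so, presenting root as the worst case rather than the only case. Minor: `"/" - which is probably undesirable` uses a spaced hyphen as a dash; a comma matches the surrounding page style.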