httpd-cvs mailing list archives

From rbo...@apache.org
Subject cvs commit: httpd-2.0/docs/manual/misc security_tips.html.en security_tips.xml
Date Thu, 07 Nov 2002 03:03:33 GMT
rbowen      2002/11/06 19:03:33

  Modified:    docs/manual/misc security_tips.html.en security_tips.xml
  Log:
  As per discussion on users@httpd.apache.org and a little on IRC, clarify
  that "third party" modules can do basically whatever they want, and
  typically do it as the "User" uid, so Caveat Administrator
  
  Revision  Changes    Path
  1.6       +13 -1     httpd-2.0/docs/manual/misc/security_tips.html.en
  
  Index: security_tips.html.en
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/docs/manual/misc/security_tips.html.en,v
  retrieving revision 1.5
  retrieving revision 1.6
  diff -u -r1.5 -r1.6
  --- security_tips.html.en	10 Sep 2002 01:41:49 -0000	1.5
  +++ security_tips.html.en	7 Nov 2002 03:03:32 -0000	1.6
  @@ -7,7 +7,7 @@
         --><title>Security Tips - Apache HTTP Server</title><link href="../style/css/manual.css"
rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /><link href="../style/css/manual-loose-100pc.css"
rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size"
/><link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css"
/><link href="../images/favicon.ico" rel="shortcut icon" /></head><body
id="manual-page"><div id="page-header"><p class="menu"><a href="../mod/">Modules</a>
| <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a>
| <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p><p
class="apache">Apache HTTP Server Version 2.0</p><img alt="" src="../images/feather.gif"
/></div><div class="up"><a href="./"><img title="&lt;-" alt="&lt;-"
src="../images/left.gif" /></a></div><div id="path"><a href="http://www.apache.org/">Apache</a>
&gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs-project/">Documentation</a>
&gt; <a href="../">Version 2.0</a></div><div id="page-content"><div
id="preamble"><h1>Security Tips</h1>
       <p>Some hints and tips on security issues in setting up a web server. 
       Some of the suggestions will be general, others specific to Apache.</p>
  -  </div><div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif"
/> <a href="#serverroot">Permissions on ServerRoot Directories</a></li><li><img
alt="" src="../images/down.gif" /> <a href="#ssi">Server Side Includes</a></li><li><img
alt="" src="../images/down.gif" /> <a href="#cgi">CGI in General</a></li><li><img
alt="" src="../images/down.gif" /> <a href="#nsaliasedcgi">Non Script Aliased CGI</a></li><li><img
alt="" src="../images/down.gif" /> <a href="#saliasedcgi">Script Aliased CGI</a></li><li><img
alt="" src="../images/down.gif" /> <a href="#systemsettings">Protecting System Settings</a></li><li><img
alt="" src="../images/down.gif" /> <a href="#protectserverfiles">Protect Server Files
by Default</a></li><li><img alt="" src="../images/down.gif" /> <a
href="#watchyourlogs">Watching Your Logs</a></li></ul></div><div
class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div
class="section"><h2><a name="serverroot" id="serverroot">Permissions on ServerRoot
Directories</a></h2>
  +  </div><div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif"
/> <a href="#serverroot">Permissions on ServerRoot Directories</a></li><li><img
alt="" src="../images/down.gif" /> <a href="#ssi">Server Side Includes</a></li><li><img
alt="" src="../images/down.gif" /> <a href="#cgi">CGI in General</a></li><li><img
alt="" src="../images/down.gif" /> <a href="#nsaliasedcgi">Non Script Aliased CGI</a></li><li><img
alt="" src="../images/down.gif" /> <a href="#saliasedcgi">Script Aliased CGI</a></li><li><img
alt="" src="../images/down.gif" /> <a href="#dynamic">Other sources of dynamic content</a></li><li><img
alt="" src="../images/down.gif" /> <a href="#systemsettings">Protecting System Settings</a></li><li><img
alt="" src="../images/down.gif" /> <a href="#protectserverfiles">Protect Server Files
by Default</a></li><li><img alt="" src="../images/down.gif" /> <a
href="#watchyourlogs">Watching Your Logs</a></li></ul></div><div
class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div
class="section"><h2><a name="serverroot" id="serverroot">Permissions on ServerRoot
Directories</a></h2>
     
       
       
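Review bot: The new table-of-contents entry "Other sources of dynamic content" is in sentence case, while the sibling entries in the same list are in title case ("Server Side Includes", "Protecting System Settings", "Watching Your Logs"). Suggest "Other Sources of Dynamic Content", changed in the section title as well so the #dynamic link text and the heading stay in step.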
  @@ -139,6 +139,18 @@
       <p>Most sites choose this option over the non script aliased CGI 
       approach.</p>
       
  +  </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif"
/></a></div><div class="section"><h2><a name="dynamic" id="dynamic">Other
sources of dynamic content</a></h2>
  +
  +  
  +
  +  <p>
  +  Embedded scripting options which run as part of the server itself,
  +  such as mod_php, mod_perl, mod_tcl, and mod_python, run under the
  +  identify of the server itself, (see the <code class="directive"><a href="../mod/mpm_common.html#user">User</a></code>
directive) and therefore
  +  scripts executed by these engines potentially can access anything the
  +  server user can. some scripting engines may provide restrictions, but
  +  it is better to be safe and assume not.</p>
  +
     </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif"
/></a></div><div class="section"><h2><a name="systemsettings"
id="systemsettings">Protecting System Settings</a></h2>
     
       
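Review bot: The added paragraph has a typo in the sentence that carries the security point: "run under the identify of the server itself" should read "identity". In the same paragraph, drop the comma before "(see the User directive)" and capitalize "some scripting engines" at the start of its sentence. The commit modifies both security_tips.html.en and security_tips.xml, so the wording needs the same correction in each.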
  
  
  
  1.2       +16 -1     httpd-2.0/docs/manual/misc/security_tips.xml
  
  Index: security_tips.xml
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/docs/manual/misc/security_tips.xml,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- security_tips.xml	23 Aug 2002 21:02:16 -0000	1.1
  +++ security_tips.xml	7 Nov 2002 03:03:33 -0000	1.2
  @@ -124,7 +124,7 @@
       <a href="http://cgiwrap.unixtools.org/">CGIWrap</a>.</p>
       
     </section>
  -  
  +
     <section id="nsaliasedcgi">
     
       <title>Non Script Aliased CGI</title>
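Review bot: The blank-line replacement before <section id="nsaliasedcgi"> is a whitespace-only edit unrelated to the log message. Suggest leaving it out of this commit, or committing whitespace cleanup on its own, so the history of security_tips.xml for this revision shows only the new section.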
  @@ -155,6 +155,21 @@
       <p>Most sites choose this option over the non script aliased CGI 
       approach.</p>
       
  +  </section>
  +
  +   <section id="dynamic">
  +
  +  <title>Other sources of dynamic content</title>
  +
  +  <p>
  +  Embedded scripting options which run as part of the server itself,
  +  such as mod_php, mod_perl, mod_tcl, and mod_python, run under the
  +  identify of the server itself, (see the <directive 
  +  module="mpm_common">User</directive> directive) and therefore
  +  scripts executed by these engines potentially can access anything the
  +  server user can. some scripting engines may provide restrictions, but
  +  it is better to be safe and assume not.</p>
  +
     </section>
     
     <section id="systemsettings">
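Review bot: The new paragraph ends at "it is better to be safe and assume not", which tells the administrator what to assume but not what to do about it. Suggest a closing sentence that states the consequence in terms of the User directive the paragraph already links: anything the User account can read or write is reachable from any script these modules run, so that account's file permissions should be kept to the minimum the server needs. Separately, the added <section id="dynamic"> line is indented one space deeper than the </section> and <section id="systemsettings"> lines around it.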
  
  
  
