httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From c...@decus.org (Rodent of Unusual Size)
Subject [PATCH] for security documentation
Date Sun, 16 Mar 1997 04:15:11 GMT
>From the fingers of Dean Gaudet flowed the following:
>
>> >No patches yet:
>> >  
>> >  * With no limits on <Directory />, a UserDir of "./" allows "~root/"
>> >    to walk down the entire filesystem.
>> >    (no PR#, 1.1.3, 21/2/1997, "Michael Douglass" <mikedoug@texas.net>)
>> >      - "don't do that", but should probably be noted in the UserDir
>> >	documentation and the Security Tips page.  That the default
>> >	access is "if the server can reach it, it can serve it" should
>> >	definitely be noted.  (<Directory> description and security
>> >	tips?)
>> >      - perhaps a future DisallowUserDir directive, a la ftp.deny,
>> >	listing usernames not accessible through ~name?
>> 
>>     I'll try to come up with a doc patch as per the first section.  The
>>     second is definitely a feature, what?
>
>Moving the second part to the feature section.

    Okey, here's a doc patch for the first part.  The modified files can
    be seen at <http://test.remulak.decus.org:9000/~htdocs/manual/> if
    you'd rather see the effect than the patch.

    #ken    :-)}

Index: security_tips.html
===================================================================
RCS file: /usr/users/coar/myApache/repository/apache/htdocs/manual/misc/security_tips.html,v
retrieving revision 1.5
diff -c -r1.5 security_tips.html
*** 1.5	1997/02/03 01:40:50
--- security_tips.html	1997/03/16 04:24:45
***************
*** 1,17 ****
  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <HTML>
  <HEAD>
! <TITLE>Apache HTTP Server Documentation</TITLE>
  </HEAD>
  
  <BODY>
  <!--#include virtual="header.html" -->
! <H1>Security tips for server configuration</H1>
  
  <hr>
  
  <P>Some hints and tips on security issues in setting up a web server. Some of
! the suggestions will be general, other, specific to Apache
  
  <HR>
  
--- 1,17 ----
  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <HTML>
  <HEAD>
! <TITLE>Apache HTTP Server: Security Tips</TITLE>
  </HEAD>
  
  <BODY>
  <!--#include virtual="header.html" -->
! <H1>Security Tips for Server Configuration</H1>
  
  <hr>
  
  <P>Some hints and tips on security issues in setting up a web server. Some of
! the suggestions will be general, others specific to Apache.
  
  <HR>
  
***************
*** 21,27 ****
  <a href="../mod/core.html#user"><b>User</b></a> directive.  Anyone
who
  has write permission for the directory where any log files are
  being written to can append pseudo-arbitrary data to any file on the
! system which is writable to the user who starts Apache.  Since the
  server is normally started by root, you should <EM>NOT</EM> give anyone
  write permission to the directory where logs are stored unless you
  want them to have root access. 
--- 21,27 ----
  <a href="../mod/core.html#user"><b>User</b></a> directive.  Anyone
who
  has write permission for the directory where any log files are
  being written to can append pseudo-arbitrary data to any file on the
! system which is writable by the user who starts Apache.  Since the
  server is normally started by root, you should <EM>NOT</EM> give anyone
  write permission to the directory where logs are stored unless you
  want them to have root access. 
***************
*** 95,100 ****
--- 95,169 ----
  
  This stops all overrides, Includes and accesses in all directories apart
  from those named.<p>
+ <HR>
+ <H2>
+  Protect server files by default
+ </H2>
+ <P>
+ One aspect of Apache which is occasionally misunderstood is the feature
+ of default access.  That is, unless you take steps to change it, if the
+ server can find its way to a file through normal URL mapping rules, it
+ can serve it to clients.
+ </P>
+ <P>
+ For instance, consider the following example:
+ </P>
+ <OL>
+  <LI><SAMP># cd /; ln -s / public_html</SAMP>
+  </LI>
+  <LI>Accessing <SAMP>http://localhost/~root/</SAMP>
+  </LI>
+ </OL>
+ <P>
+ This would allow clients to walk through the entire filesystem.  To work
+ around this, add the following block to your server's configuration:
+ </P>
+ <PRE>
+  &lt;Directory /&gt;
+      Order deny,allow
+      Deny from all
+  &lt;/Directory&gt;
+ </PRE>
+ <P>
+ This will forbid default access to filesystem locations.  Add
+ appropriate
+ <A
+  HREF="../mod/core.html#directory"
+ ><SAMP>&lt;Directory&gt;</SAMP></A>
+ blocks to allow access only
+ in those areas you wish.  For example,
+ </P>
+ <PRE>
+  &lt;Directory /usr/users/*/public_html&gt;
+      Order deny,allow
+      Allow from all
+  &lt;/Directory&gt;
+  &lt;Directory /usr/local/httpd&gt;
+      Order deny,allow
+      Allow from all
+  &lt;/Directory&gt;
+ </PRE>
+ <P>
+ Pay particular attention to the interactions of
+ <A
+  HREF="../mod/core.html#location"
+ ><SAMP>&lt;Location&gt;</SAMP></A>
+ and
+ <A
+  HREF="../mod/core.html#directory"
+ ><SAMP>&lt;Directory&gt;</SAMP></A>
+ directives; for instance, even if <SAMP>&lt;Directory /&gt;</SAMP>
+ denies access, a <SAMP>&lt;Location /&gt;</SAMP> directive might
+ overturn it.
+ </P>
+ <P>
+ Also be wary of playing games with the
+ <A
+  HREF="../mod/mod_userdir.html#userdir"
+ >UserDir</A>
+ directive; setting it to something like <SAMP>&quot;./&quot;</SAMP>
+ would have the same effect, for root, as the first example above.
+ </P>
  
  <HR>
  <P>Please send any other useful security tips to

Index: core.html
===================================================================
RCS file: /usr/users/coar/myApache/repository/apache/htdocs/manual/mod/core.html,v
retrieving revision 1.38
diff -c -r1.38 core.html
*** 1.38	1997/02/23 00:42:33
--- core.html	1997/03/16 04:33:26
***************
*** 315,320 ****
--- 315,344 ----
  <li>Apply any FileInfo directives in <code>/home/web/.htaccess</code>
  </menu>
  
+ <P>
+ <STRONG>
+ Note that the default Apache access for &lt;Directory /&gt; is
+ <SAMP>Allow from All</SAMP>.  This means that Apache will serve any file
+ mapped from an URL.  It is recommended that you change this with a block
+ such as
+ </STRONG>
+ <PRE>
+  &lt;Directory /&gt;
+      Order Deny,Allow
+      Deny from All
+  &lt;/Directory&gt;
+ </PRE>
+ <P>
+ <STRONG>
+ and then override this for directories you <EM>want</EM> accessible.
+ See the
+ <A
+  HREF="../misc/security_tips.html"
+ >Security Tips</A>
+ page for more details.
+ </STRONG>
+ </P>
+ 
  The directory sections typically occur in the access.conf file, but they
  may appear in any configuration file. &lt;Directory&gt; directives cannot
  nest, and cannot appear in a <A HREF="#limit">&lt;Limit&gt;</A> section.

Index: mod_userdir.html
===================================================================
RCS file: /usr/users/coar/myApache/repository/apache/htdocs/manual/mod/mod_userdir.html,v
retrieving revision 1.4
diff -c -r1.4 mod_userdir.html
*** 1.4	1997/02/25 03:57:48
--- mod_userdir.html	1997/03/16 04:40:17
***************
*** 46,51 ****
--- 46,68 ----
  UserDir http://www.foo.com/~*/     -> http://www.foo.com/~bob/one/two.html
  </pre>
  
+ <P>
+ <STRONG>
+ Be careful when using this directive; for instance, <SAMP>&quot;UserDir
+ ./&quot;</SAMP> would map <SAMP>&quot;/~root&quot;</SAMP>
to
+ <SAMP>&quot;/&quot;</SAMP> - which is probably undesirable.  See also
+ the
+ <A
+  HREF="core.html#directory"
+ >&lt;Directory&gt;</A>
+ directive and the
+ <A
+  HREF="../misc/security_tips.html"
+ >Security Tips</A>
+ page for more information.
+ </STRONG>
+ </P>
+ 
  <!--#include virtual="footer.html" -->
  </BODY>
  </HTML>

Mime
View raw message