httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rich Bowen <rbo...@rcbowen.com>
Subject Re: Security
Date Sat, 21 Sep 2002 20:59:14 GMT
On Sat, 21 Sep 2002, Rich Bowen wrote:

> On Sat, 21 Sep 2002, Rich Bowen wrote:
>
> > I'm going to write up some of our observations over the next few days as
> > I have time, and was hoping to stir up a little interest so that when I
> > have something, some folks will be willing to take a look at it.
>
> OK, please forgive the format. This is a "perlpoint" presentation that I
> put together for the class that I was teaching, and modified based on
> our findings.
>
> One thing that I'd like to ask about is the deal with mod_mime. If I
> have a web site consisting *only* of DefaultType documents (say, if I
> set DefaultType to text/html), then why can't I run Apache without
> mod_mime?
>
> When I tried (ie, ran Apache with only mod_dir and mod_log_config) and
> went to http://server/ I would get a 404 page, and the error log would
> say "file /usr/local/apache/htdocs/ not found"
>
> Anyways, here's our findings. Comments welcome. I'd like to incorporate
> these into the security doc, which is a little elderly and somewhat
> sparse in these particular areas.

Crap. Forgot to attach it. Bah.


=Apache security

* Remove modules you're not using

* Set file permissions right

=Modules you're not using

* What is the minimal list of modules you can get away with?

* Why do you need them?

=Module list

* The minimal module list appears to be:

    mod_dir
    mod_mime
    mod_log_config (optional, but recommended)

=mod_dir

* Provides DirectoryIndex directive

* People will want to look at http://servername/ and get something useful

=mod_mime

* Necessary if you are serving any files other than DefaultType ones

* For some reason, even DefaultType won't work without mod_mime

=mod_log_config

* You could get away with not running it

* Log files are a good thing if you are going for security

=File permissions

* Recommended file permissions in the docs are crap

* Can get much tighter than that

* Docs should list the I<minimum>, and let you go from there

* Note that directories have to have x in order to cd into them

* It is assumed that C<User> is set to C<www> and that C<Group> is set to
C<www>

=ServerRoot

* ServerRoot itself should be root.www

* Should be read and execute for root and www

    cd /usr/local/apache
    chown root.www .
    chmod 550 .

=bin

* The C<bin> directory itself should be C<root.root> and 500

* Files should be 100, except for the script files, which should be 500

* C<suexec> is suid, so should be 4100

    chown root.root bin
    chmod 500 bin
    cd bin
    chmod 100 *
    chmod 500 apachectl dbmmanage apxs
    chmod 4100 suexec

=conf

* conf/ is only ever read by root

* Directory should be root.root

* Directory should be 500

* and files should be 400

    chown -R root.root conf
    chmod 500 conf
    cd conf
    chmod 400 *

* Note that if you have subdirectories, they should have similar permissions

=cgi-bin and htdocs

* This also applies to other "content" directories

* Two scenarios we consider

* 1) A single content provider

* 2) 2 or more content providers

* Here, "provider" means the person that is producing and maintaining the content

* Other content directories, like C<icons>, should be treated similarly

=Content with one provider

* A single user creates and maintains content. Assume this user has a username C<content>

* Directory (htdocs or cgi-bin, for example) should be owned by C<content.www>

* The directory, and any subdirectories, should be 750

* The files should all be 640

    chown -R content.www htdocs
    chmod 750 htdocs
    cd htdocs
    chmod 640 *

* Repeat for subdirectories as needed

=Content with more than one provider

* More than one user provides content

* Create a group called C<content> and put all these users in that group

* Directory should be owned by C<root.content>

* Directory, and any subdirectories, should be 574

* Files should be 664

    chown -R root.content htdocs
    chmod 574 htdocs
    cd htdocs
    chmod 664 *

* Repeat for subdirectories as needed

=Multiple providers, cont'd

* Note that new files created may not have the right permissions on them

* May need to correct this with a periodic cron'ed chown/chmod.

* Is there an argument to chmod to make new files have the right attributes?

=include

* Owned by root.root

* Readable only by root

    chown -R root.root include
    chmod 500 include
    cd include
    chmod 400 *

=libexec

* Only needed if you have modules built as shared objects

* If you do, then it should be readable only by root

    chown -R root.root libexec
    chmod 500 libexec
    cd libexec
    chmod 400 *

=logs

* Logs directory has some caveats

* Standard log files are written as root (C<access_log> and C<error_log>)

* Some other modules log as C<www.root>

* So, here's the recommendation:

    chown root.www logs
    chmod 770 logs

* Log files are created at startup, so there's no need to modify permissions inside the directory,
as permissions will change next time you restart.

* Can modify C<mod_log_config.c> to create file without C<group> and C<other>
readability if desired.

    - static mode_t xfer_mode = (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
    + static mode_t xfer_mode = (S_IRUSR | S_IWUSR);

-- 
Rich Bowen - rbowen@rcbowen.com
Author - Apache Administrator's Guide
http://www.ApacheAdmin.com/


---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Mime
View raw message