Date: Sat, 21 Sep 2002 17:20:59 -0400
From: "Philip M. Gollucci"
Subject: Re: Security
To: docs@httpd.apache.org
Message-id: <3D8CE2BB.5090305@p6m7g8.com>

* Note that new files created may not have the right permissions on them
* May need to correct this with a periodic cron'ed chown/chmod.
* Is there an argument to chmod to make new files have the right attributes?

What I think you would want is to change the default umask of the users in question. 'umask 022' is pretty typical, so probably want something less public.

Rich Bowen wrote:

>On Sat, 21 Sep 2002, Rich Bowen wrote:
>
>>On Sat, 21 Sep 2002, Rich Bowen wrote:
>>
>>>I'm going to write up some of our observations over the next few days as
>>>I have time, and was hoping to stir up a little interest so that when I
>>>have something, some folks will be willing to take a look at it.
>>>
>>OK, please forgive the format. This is a "perlpoint" presentation that I
>>put together for the class that I was teaching, and modified based on
>>our findings.
>>
>>One thing that I'd like to ask about is the deal with mod_mime. If I
>>have a web site consisting *only* of DefaultType documents (say, if I
>>set DefaultType to text/html), then why can't I run Apache without
>>mod_mime?
>>
>>When I tried (ie, ran Apache with only mod_dir and mod_log_config) and
>>went to http://server/ I would get a 404 page, and the error log would
>>say "file /usr/local/apache/htdocs/ not found"
>>
>>Anyways, here's our findings. Comments welcome. I'd like to incorporate
>>these into the security doc, which is a little elderly and somewhat
>>sparse in these particular areas.
>>
>
>Crap. Forgot to attach it. Bah.
>
>
>=Apache security
>
>* Remove modules you're not using
>
>* Set file permissions right
>
>=Modules you're not using
>
>* What is the minimal list of modules you can get away with?
>
>* Why do you need them?
>
>=Module list
>
>* The minimal module list appears to be:
>
> mod_dir
> mod_mime
> mod_log_config (optional, but recommended)
>
>=mod_dir
>
>* Provides DirectoryIndex directive
>
>* People will want to look at http://servername/ and get something useful
>
>=mod_mime
>
>* Necessary if you are serving any files other than DefaultType ones
>
>* For some reason, even DefaultType won't work without mod_mime
>
>=mod_log_config
>
>* You could get away with not running it
>
>* Log files are a good thing if you are going for security
>
>=File permissions
>
>* Recommended file permissions in the docs are crap
>
>* Can get much tighter than that
>
>* Docs should list the I, and let you go from there
>
>* Note that directories have to have x in order to cd into them
>
>* It is assumed that C is set to C and that C is set to C
>
>=ServerRoot
>
>* ServerRoot itself should be root.www
>
>* Should be read and execute for root and www
>
> cd /usr/local/apache
> chown root.www .
> chmod 550 .
>
>=bin
>
>* The C directory itself should be C and 500
>
>* Files should be 100, except for the script files, which should be 500
>
>* C is suid, so should be 4100
>
> chown root.root bin
> chmod 500 bin
> cd bin
> chmod 100 *
> chmod 500 apachectl dbmmanage apxs
> chmod 4100 suexec
>
>=conf
>
>* conf/ is only ever read by root
>
>* Directory should be root.root
>
>* Directory should be 500
>
>* and files should be 400
>
> chown -R root.root conf
> chmod 500 conf
> cd conf
> chmod 400 *
>
>* Note that if you have subdirectories, they should have similar permissions
>
>=cgi-bin and htdocs
>
>* This also applies to other "content" directories
>
>* Two scenarios we consider
>
>* 1) A single content provider
>
>* 2) 2 or more content providers
>
>* Here, "provider" means the person that is producing and maintaining the content
>
>* Other content directories, like C, should be treated similarly
>
>=Content with one provider
>
>* A single user creates and maintains content. Assume this user has a username C
>
>* Directory (htdocs or cgi-bin, for example) should be owned by C
>
>* The directory, and any subdirectories, should be 750
>
>* The files should all be 640
>
> chown -R content.www htdocs
> chmod 750 htdocs
> cd htdocs
> chmod 640 *
>
>* Repeat for subdirectories as needed
>
>=Content with more than one provider
>
>* More than one user provides content
>
>* Create a group called C and put all these users in that group
>
>* Directory should be owned by C
>
>* Directory, and any subdirectories, should be 574
>
>* Files should be 664
>
> chown -R root.content htdocs
> chmod 574 htdocs
> cd htdocs
> chmod 664 *
>
>* Repeat for subdirectories as needed
>
>=Multiple providers, cont'd
>
>* Note that new files created may not have the right permissions on them
>
>* May need to correct this with a periodic cron'ed chown/chmod.
>
>* Is there an argument to chmod to make new files have the right attributes?
>
>=include
>
>* Owned by root.root
>
>* Readable only by root
>
> chown -R root.root include
> chmod 500 include
> cd include
> chmod 400 *
>
>=libexec
>
>* Only needed if you have modules built as shared objects
>
>* If you do, then it should be readable only by root
>
> chown -R root.root libexec
> chmod 500 libexec
> cd libexec
> chmod 400 *
>
>=logs
>
>* Logs directory has some caveats
>
>* Standard log files are written as root (C and C)
>
>* Some other modules log as C
>
>* So, here's the recommendation:
>
> chown root.www logs
> chmod 770 logs
>
>* Log files are created at startup, so there's no need to modify permissions inside the directory, as permissions will change next time you restart.
>
>* Can modify C to create file without C and C readability if desired.
>
> - static mode_t xfer_mode = (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
> + static mode_t xfer_mode = (S_IRUSR | S_IWUSR);
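
Review bot: The new xfer_mode value (S_IRUSR | S_IWUSR) is a creation mode, so it only applies when the log file does not exist yet; log files already created with S_IRGRP | S_IROTH keep those bits across restarts. The accompanying text should tell the admin to chmod existing logs to 600 (or remove them) when applying this change. The hunk also has no file header or @@ context, so it cannot be applied as posted; regenerate it as a unified diff against the source file that defines xfer_mode.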
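
The umask suggestion in the reply at the top of this message, as an added example that is not part of the original thread: a new file gets mode 0666 and a new directory 0777 with the umask bits cleared, so umask 027 yields the 640/750 listed for a single provider and umask 002 yields the 664 listed for multiple providers. The function names and the temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: which modes do new files and directories get under a umask?
# Everything is created in a throwaway temp directory (constructed for the demo).

# Print the octal permission bits of a path (GNU stat first, BSD stat as fallback).
octal_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# new_file_mode UMASK: mode of a file created by touch under that umask.
new_file_mode() {
    (
        d=$(mktemp -d) || exit 1
        umask "$1"            # only affects this subshell
        touch "$d/f"          # touch asks for 0666; the kernel clears the umask bits
        octal_mode "$d/f"
        rm -rf "$d"
    )
}

# new_dir_mode UMASK: mode of a directory created by mkdir under that umask.
new_dir_mode() {
    (
        d=$(mktemp -d) || exit 1
        umask "$1"
        mkdir "$d/sub"        # mkdir asks for 0777; the kernel clears the umask bits
        octal_mode "$d/sub"
        rm -rf "$d"
    )
}

# Compare the typical default with the values matching the modes in the slides.
printf '%-6s %-5s %-5s\n' umask file dir
for u in 022 027 002 077; do
    printf '%-6s %-5s %-5s\n' "$u" "$(new_file_mode "$u")" "$(new_dir_mode "$u")"
done
```

The umask is per process, so it has to be set in each content provider's login environment; chmod itself only changes files that already exist.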