httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Larry McFarlane <LMcFarl...@tconl.com>
Subject [users@httpd] Apache Security
Date Sat, 25 Oct 2003 14:28:10 GMT
Hello,

Will someone let me know if I'm on the ball here.  I've just reviewed our 
production system and don't like what I see.

Apache starts up as root, creates the pid, and switches to the dodo user 
that you specify in the httpd.conf file.

An Admin should make sure that all of Apache's files (including your 
document root) is owned and grouped by root.

The attributes of the files in document root should have ReadWrite, Read, 
Read attributes.  CGI is out of the picture here and isn't relevant.

The reason for this is in case Apache is exploited, Apache won't be able 
to go on a rampage because the file system is protected by root.
Apache, now operating as the dodo user will in theory, be denied.

The only reason why I feel you should assign different users/groups to 
Apache's directory tree is when the server is a development/staging
server.  You wouuld probably want to do this if you want your developers 
access to specific directories/files and not overwrite someone else's
work.  When migrating to production, only a root user should be able to 
migrate the changes to ensure that all files maintain root permissions.

Any input would be greatly appreciated!


-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message