httpd-users mailing list archives

From Joshua Slive <>
Subject Re: [users@httpd] security procedures question
Date Thu, 02 Dec 2004 14:26:07 GMT
On Thu, 2 Dec 2004 05:12:55 -0900, Andy Firman <> wrote:
> If you were to take on the responsibility of managing an
> existing Apache server, with no documentation, but full
> root access via ssh, what kind of things would you do on the
> box to check for security problems in regards to Apache?
> The first thing I can think of is to do something like this:
> /root:# ls -Ral /wwwroot |grep rwxrwxrwx |less
> Now, if you do find any directories/files that are 777,
> is that a major security problem?

Not necessarily.  Some types of files used by cgi/php/etc scripts need
to be apache-writable.  And the difference between apache-writable and
world-writable is quite small on a machine dedicated to apache.

The major security problems you need to look at are:

1. Old version of apache with security holes -- needs to be upgraded.

2. Unpatched OS.

3. Dynamic pages: cgi, php, etc.

The first two are relatively easy.  Just check your version/patch
level and make sure you are up-to-date.

The last one requires carefully inspecting httpd.conf to see what sort
of dynamic content is allowed, and then carefully inspecting all the
dynamic content to make sure it is safe.


The official User-To-User support forum of the Apache HTTP Server Project.
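
The two checks discussed in this thread (world-writable files under the document root, and httpd.conf directives that enable dynamic content) written as shell functions. This is an added example, not part of the original messages; the function names, the sample tree and the sample config are constructed for illustration, and the list of directives to flag is an assumption, not an exhaustive one.

```shell
#!/bin/sh
# Added example; the sample tree and config below are constructed.

# World-writable files and directories under a document root, as full paths.
# Tests the "other write" bit, so it also reports modes such as 666 or 757
# that grepping for rwxrwxrwx misses; symlinks are skipped (always mode 777).
world_writable() {
    find "$1" ! -type l -perm -0002 -print 2>/dev/null | sort
}

# Active (uncommented) httpd.conf lines that enable dynamic content, with
# line numbers. The directive list is a starting point, not exhaustive.
DYN_RE='^[[:space:]]*(ScriptAlias(Match)?|AddHandler|SetHandler'
DYN_RE="$DYN_RE"'|AddType[[:space:]]+application/x-httpd-php'
DYN_RE="$DYN_RE"'|Options[[:space:]].*(ExecCGI|Includes)'
DYN_RE="$DYN_RE"'|LoadModule[[:space:]]+(php|cgi|perl|python|include)[a-z0-9_]*_module)'
dynamic_directives() {
    grep -n -i -E "$DYN_RE" "$1"
}

# Build a constructed document root and httpd.conf; prints the temp dir path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wwwroot/uploads"
    echo hi > "$d/wwwroot/index.html"
    : > "$d/wwwroot/uploads/counter.dat"
    chmod 755 "$d/wwwroot"; chmod 644 "$d/wwwroot/index.html"
    chmod 777 "$d/wwwroot/uploads"; chmod 666 "$d/wwwroot/uploads/counter.dat"
    cat > "$d/httpd.conf" <<'EOF'
ServerRoot "/usr/local/apache"
# ScriptAlias /old-cgi/ "/wwwroot/old-cgi/"
ScriptAlias /cgi-bin/ "/wwwroot/cgi-bin/"
LoadModule php4_module libexec/libphp4.so
AddType application/x-httpd-php .php
<Directory "/wwwroot">
    Options Indexes ExecCGI
</Directory>
AddType text/html .shtml
EOF
    echo "$d"
}

demo() {
    d=$(make_sample) || return 1
    echo "World-writable:"; world_writable "$d/wwwroot"
    echo "Dynamic content directives:"; dynamic_directives "$d/httpd.conf"
    rm -rf "$d"
}
demo
```

Each flagged directive points at a location whose scripts then need the manual review described in the reply; the functions only narrow down where to look.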