security_tips.html revision db81e057b060e365d840d9a1d35a5797192efa81
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>Apache HTTP Server: Security Tips</TITLE>
</HEAD>

<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
<BODY
 BGCOLOR="#FFFFFF"
 TEXT="#000000"
 LINK="#0000FF"
 VLINK="#000080"
 ALINK="#FF0000"
>
<!--#include virtual="header.html" -->
<H1 ALIGN="CENTER">Security Tips for Server Configuration</H1>

<hr>

<P>Some hints and tips on security issues in setting up a web server. Some of
the suggestions will be general, others specific to Apache.

<HR>

<H2>Permissions on Log File Directories</H2>
<P>When Apache starts, it opens the log files as the user who started the
server before switching to the user defined in the
<a href="/mod/core.html#user"><b>User</b></a> directive. Anyone who
has write permission for the directory where any log files are
being written to can append pseudo-arbitrary data to any file on the
system which is writable by the user who starts Apache. Since the
server is normally started by root, you should <EM>NOT</EM> give anyone
write permission to the directory where logs are stored unless you
want them to have root access.
<P>
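<P>A check for the condition described above, added here as an example and not
part of the Apache documentation. It takes the log directory and, optionally,
the user expected to own it (root by default, since root normally starts the
server); the example path in the trailing comment is an assumption.</P>

```shell
#!/bin/sh
# Apache opens its log files as the user that started it (normally
# root) before switching to the User directive's account, so the log
# directory must be owned by that starting user and must not be
# writable by anyone else.
#
# logdir_safe DIR [OWNER]
#   returns 0 when DIR is a real directory owned by OWNER (default
#   root), has no group or world write bit, and contains no symbolic
#   link (a link would redirect the privileged open() elsewhere).
#   Otherwise it prints each problem to stderr and returns 1.
logdir_safe() {
  dir=$1
  owner=${2:-root}
  status=0

  # A symlinked log directory is rejected outright: the start-up user
  # would create and open files wherever the link points.
  if [ -L "$dir" ] || [ ! -d "$dir" ]; then
    echo "$dir: not a plain directory" >&2
    return 1
  fi

  # POSIX find: -prune stops at the directory itself; -perm -020 and
  # -perm -002 test the group and world write bits respectively.
  if [ -z "$(find "$dir" -prune -user "$owner" -print 2>/dev/null)" ]; then
    echo "$dir: not owned by $owner" >&2
    status=1
  fi
  if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
    echo "$dir: writable by group or others" >&2
    status=1
  fi

  # Any symlink among the log files is a second way to redirect writes.
  links=$(find "$dir" -type l -print 2>/dev/null || true)
  if [ -n "$links" ]; then
    printf '%s\n' "$links" | sed 's/$/: log entry is a symbolic link/' >&2
    status=1
  fi
  return $status
}

# Example invocation (the path is an assumption; use your ServerRoot's
# log directory):
#   logdir_safe /usr/local/httpd/logs
```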
<HR>
<H2>Server Side Includes</H2>
<P>Server side includes (SSI) can be configured so that users can execute
arbitrary programs on the server. That thought alone should send a shiver
down the spine of any sys-admin.<p>

One solution is to disable that part of SSI. To do that you use the
IncludesNOEXEC option to the <A HREF="/mod/core.html#options">Options</A>
directive.<p>

<HR>

<H2>Non Script Aliased CGI</H2>
<P>Allowing users to execute <B>CGI</B> scripts in any directory should only
be considered if:
<OL>
 <LI>You trust your users not to write scripts which will deliberately or
accidentally expose your system to an attack.
 <LI>You consider security at your site to be so feeble in other areas, as to
make one more potential hole irrelevant.
 <LI>You have no users, and nobody ever visits your server.
</OL><p>
<HR>

<H2>Script Alias'ed CGI</H2>
<P>Limiting <B>CGI</B> to special directories gives the admin control over
what goes into those directories. This is inevitably more secure than
non script aliased CGI, but <strong>only if users with write access to the
directories are trusted</strong> or the admin is willing to test each new CGI
script/program for potential security holes.<P>

Most sites choose this option over the non script aliased CGI approach.<p>

<HR>
<H2>CGI in general</H2>
<P>Always remember that you must trust the writers of the CGI script/programs
or your ability to spot potential security holes in CGI, whether they were
deliberate or accidental.<p>

All the CGI scripts will run as the same user, so they have potential to
conflict (accidentally or deliberately) with other scripts e.g.
User A hates User B, so he writes a script to trash User B's CGI
database. One program which can be used to allow scripts to run
as different users is <A HREF="/suexec.html">suEXEC</A> which is
included with Apache as of 1.2 and is called from special hooks in
the Apache server code. Another popular way of doing this is with
<A HREF="http://wwwcgi.umr.edu/~cgiwrap/">CGIWrap</A>. <P>

<HR>

<H2>Stopping users overriding system wide settings...</H2>
<P>To run a really tight ship, you'll want to stop users from setting
up <CODE>.htaccess</CODE> files which can override security features
you've configured. Here's one way to do it...<p>

In the server configuration file, put
<blockquote><code>
&lt;Directory /&gt; <br>
AllowOverride None <br>
Options None <br>
allow from all <br>
&lt;/Directory&gt; <br>
</code></blockquote>

Then set up the specific directories you want to allow.<P>

This stops all overrides, Includes and accesses in all directories apart
from those named.<p>
<HR>
<H2>
 Protect server files by default
</H2>
<P>
One aspect of Apache which is occasionally misunderstood is the feature
of default access. That is, unless you take steps to change it, if the
server can find its way to a file through normal URL mapping rules, it
can serve it to clients.
</P>
<P>
For instance, consider the following example:
</P>
<OL>
 <LI><SAMP># cd /; ln -s / public_html</SAMP>
 </LI>
 <LI>Accessing <SAMP>http://localhost/~root/</SAMP>
 </LI>
</OL>
<P>
This would allow clients to walk through the entire filesystem. To work
around this, add the following block to your server's configuration:
</P>
<PRE>
 &lt;Directory /&gt;
   Order deny,allow
   Deny from all
 &lt;/Directory&gt;
</PRE>
<P>
This will forbid default access to filesystem locations. Add
appropriate
<A
 HREF="/mod/core.html#directory"
><SAMP>&lt;Directory&gt;</SAMP></A>
blocks to allow access only
in those areas you wish. For example,
</P>
<PRE>
 &lt;Directory /usr/users/*/public_html&gt;
   Order deny,allow
   Allow from all
 &lt;/Directory&gt;
 &lt;Directory /usr/local/httpd&gt;
   Order deny,allow
   Allow from all
 &lt;/Directory&gt;
</PRE>
<P>
Pay particular attention to the interactions of
<A
 HREF="/mod/core.html#location"
><SAMP>&lt;Location&gt;</SAMP></A>
and
<A
 HREF="/mod/core.html#directory"
><SAMP>&lt;Directory&gt;</SAMP></A>
directives; for instance, even if <SAMP>&lt;Directory /&gt;</SAMP>
denies access, a <SAMP>&lt;Location /&gt;</SAMP> directive might
overturn it.
</P>
<P>
Also be wary of playing games with the
<A
HREF="/mod/mod_userdir.html#userdir"
>UserDir</A>
directive; setting it to something like <SAMP>&quot;./&quot;</SAMP>
would have the same effect, for root, as the first example above.
If you are using Apache 1.3 or above, we strongly recommend that you
include the following line in your server configuration files:
</P>
<DL>
<DD><SAMP>UserDir&nbsp;disabled&nbsp;root</SAMP>
</DD>
</DL>
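<P>An audit for the <SAMP>ln -s / public_html</SAMP> situation described in
this section, added here as an example and not part of the Apache
documentation. It assumes home directories are direct children of one base
directory, as in the <SAMP>&lt;Directory /usr/users/*/public_html&gt;</SAMP>
block above, and reports every <SAMP>public_html</SAMP> whose real location
lies outside the home it belongs to.</P>

```shell
#!/bin/sh
# public_html_escapes BASE
#   For every BASE/*/public_html, resolve symbolic links and compare the
#   result with the (resolved) home directory.  Prints "LINK -> TARGET"
#   for each one that points outside its home, so a root-owned
#   "public_html -> /" or a user's link to /etc shows up.  Returns 1 if
#   anything was reported, 0 otherwise.
public_html_escapes() {
  base=$1
  found=0
  for home in "$base"/*/; do
    home=${home%/}
    ph="$home/public_html"
    # cd -P follows every link in the path; a missing public_html, a
    # plain file, or a dangling link cannot be entered and is skipped
    # (Apache could not serve through it either).
    real=$(cd -P "$ph" 2>/dev/null && pwd -P) || continue
    realhome=$(cd -P "$home" 2>/dev/null && pwd -P) || continue
    case "$real" in
      "$realhome"|"$realhome"/*) ;;            # stays inside the home
      *) printf '%s -> %s\n' "$ph" "$real"; found=1 ;;
    esac
  done
  return $found
}

# Example invocation (path taken from the <Directory> block above):
#   public_html_escapes /usr/users
```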
<HR>
<P>Please send any other useful security tips to The Apache Group
by filling out a
<A HREF="http://www.apache.org/bugdb.cgi">problem report</A>, or by
sending mail to
<A HREF="mailto:apache-bugs@mail.apache.org">apache-bugs@mail.apache.org</A>.
<p>
<HR>
<!--#include virtual="footer.html" -->
</BODY>
</HTML>