security_tips.html revision f75db2074138d0be9db72beb4bfb31bbe3e81960
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>Apache HTTP Server: Security Tips</TITLE>
</HEAD>

<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
<BODY
 BGCOLOR="#FFFFFF"
 TEXT="#000000"
 LINK="#0000FF"
 VLINK="#000080"
 ALINK="#FF0000"
>
<!--#include virtual="header.html" -->
<H1 ALIGN="CENTER">Security Tips for Server Configuration</H1>

<HR>

<P>Some hints and tips on security issues in setting up a web server. Some of
the suggestions will be general, others specific to Apache.

<HR>

<H2><A NAME="serverroot">Permissions on ServerRoot Directories</A></H2>
<P>In typical operation, Apache is started by the root
user, and it switches to the user defined by the <A
HREF="/mod/core.html#user"><STRONG>User</STRONG></A> directive to serve hits.
As is the case with any command that root executes, you must take care
that it is protected from modification by non-root users. Not only
must the files themselves be writeable only by root, but so must the
directories, and parents of all directories. For example, if you
choose to place ServerRoot in <CODE>/usr/local/apache</CODE> then it is
suggested that you create that directory as root, with commands
like these:

<BLOCKQUOTE><PRE>
 mkdir /usr/local/apache
 cd /usr/local/apache
 mkdir bin conf logs
 chown 0 . bin conf logs
 chgrp 0 . bin conf logs
 chmod 755 . bin conf logs
</PRE></BLOCKQUOTE>

It is assumed that /, /usr, and /usr/local are only modifiable by root.
When you install the httpd executable, you should ensure that it is
similarly protected:

<BLOCKQUOTE><PRE>
 cp httpd /usr/local/apache/bin
 chown 0 /usr/local/apache/bin/httpd
 chgrp 0 /usr/local/apache/bin/httpd
 chmod 511 /usr/local/apache/bin/httpd
</PRE></BLOCKQUOTE>

<P>You can create an htdocs subdirectory which is modifiable by other
users -- since root never executes any files out of there, and shouldn't
be creating files in there.

<P>If you allow non-root users to modify any files that root either
executes or writes on then you open your system to root compromises.
For example, someone could replace the httpd binary so that the next
time you start it, it will execute some arbitrary code. If the logs
directory is writeable (by a non-root user), someone
could replace a log file with a symlink to some other system file,
and then root might overwrite that file with arbitrary data. If the
log files themselves are writeable (by a non-root user), then someone
may be able to overwrite the log itself with bogus data.
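<P>As an added example (not part of the Apache documentation), the following
POSIX shell function checks the property described above: that a path and
every directory above it, up to a top directory you already trust (the text
assumes /, /usr and /usr/local are root-only), are owned by the expected uid
and are not writable by group or others. The function name, its arguments and
the demo tree built in a temporary directory are this example's own.</P>

```shell
#!/bin/sh
# Added example (not Apache's own code): verify that a ServerRoot path and
# every directory above it, up to a trusted top, are owned by the expected
# uid and not writable by group or others.

# check_path_perms PATH [TOP] [OWNER_UID]
# Walks from PATH up to TOP (default /) and prints a BAD line for each
# component that is not owned by OWNER_UID (default 0) or is group/world
# writable. Returns 0 when every component is clean, 1 otherwise.
# Paths containing whitespace are not supported (ls output is word-split).
check_path_perms() {
    p=$1
    top=${2:-/}
    want_uid=${3:-0}
    rc=0
    while :; do
        if [ ! -e "$p" ]; then
            echo "MISSING: $p"
            return 1
        fi
        # ls -ldn is POSIX: field 1 is the mode string, field 3 the numeric uid
        set -- $(ls -ldn "$p")
        mode=$1
        uid=$3
        if [ "$uid" != "$want_uid" ]; then
            echo "BAD owner: $p is owned by uid $uid, expected $want_uid"
            rc=1
        fi
        # character 6 of the mode string is the group write bit,
        # character 9 the other (world) write bit
        case $mode in
            ?????w*|????????w*)
                echo "BAD mode: $p is group- or world-writable ($mode)"
                rc=1 ;;
        esac
        [ "$p" = "$top" ] && break
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Demo on a constructed tree owned by the current user; the logs directory
# is deliberately left group-writable so the check has something to report.
demo=$(mktemp -d)
mkdir -p "$demo/apache/bin" "$demo/apache/conf" "$demo/apache/logs"
chmod 755 "$demo/apache" "$demo/apache/bin" "$demo/apache/conf"
chmod 775 "$demo/apache/logs"
check_path_perms "$demo/apache/logs" "$demo" "$(id -u)" \
    || echo "tree is not safe for root to execute from"
rm -rf "$demo"
```

<P>On a real installation run it as <CODE>check_path_perms
/usr/local/apache/logs /usr/local</CODE>; the owner then defaults to uid 0, and
a non-zero exit means root should not start httpd from that tree until the
listed components are fixed. The demo passes the current uid only so that the
example runs unprivileged.</P>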
<P>
<HR>
<H2>Server Side Includes</H2>
<P>Server side includes (SSI) can be configured so that users can execute
arbitrary programs on the server. That thought alone should send a shiver
down the spine of any sys-admin.<P>

One solution is to disable that part of SSI. To do that you use the
IncludesNOEXEC option to the <A HREF="/mod/core.html#options">Options</A>
directive.<P>

<HR>

<H2>Non Script Aliased CGI</H2>
<P>Allowing users to execute <STRONG>CGI</STRONG> scripts in any directory
should only
be considered if:
<OL>
 <LI>You trust your users not to write scripts which will deliberately or
accidentally expose your system to an attack.
 <LI>You consider security at your site to be so feeble in other areas, as to
make one more potential hole irrelevant.
 <LI>You have no users, and nobody ever visits your server.
</OL><P>
<HR>

<H2>Script Aliased CGI</H2>
<P>Limiting <STRONG>CGI</STRONG> to special directories gives the admin
control over
what goes into those directories. This is inevitably more secure than
non script aliased CGI, but <STRONG>only if users with write access to the
directories are trusted</STRONG> or the admin is willing to test each new CGI
script/program for potential security holes.<P>

Most sites choose this option over the non script aliased CGI approach.<P>

<HR>
<H2>CGI in general</H2>
<P>Always remember that you must trust the writers of the CGI script/programs
or your ability to spot potential security holes in CGI, whether they were
deliberate or accidental.<P>

All the CGI scripts will run as the same user, so they have potential to
conflict (accidentally or deliberately) with other scripts e.g.
User A hates User B, so he writes a script to trash User B's CGI
database. One program which can be used to allow scripts to run
as different users is <A HREF="/suexec.html">suEXEC</A> which is
included with Apache as of 1.2 and is called from special hooks in
the Apache server code. Another popular way of doing this is with
<A HREF="http://wwwcgi.umr.edu/~cgiwrap/">CGIWrap</A>. <P>

<HR>


<H2>Stopping users overriding system wide settings...</H2>
<P>To run a really tight ship, you'll want to stop users from setting
up <CODE>.htaccess</CODE> files which can override security features
you've configured. Here's one way to do it...<P>

In the server configuration file, put
<BLOCKQUOTE><CODE>
&lt;Directory /&gt; <BR>
AllowOverride None <BR>
Options None <BR>
allow from all <BR>
&lt;/Directory&gt; <BR>
</CODE></BLOCKQUOTE>

Then set up the specific directories you do want to allow.<P>

This stops all overrides, Includes and accesses in all directories apart
from those named.<P>
<HR>
<H2>
 Protect server files by default
</H2>
<P>
One aspect of Apache which is occasionally misunderstood is the feature
of default access. That is, unless you take steps to change it, if the
server can find its way to a file through normal URL mapping rules, it
can serve it to clients.
</P>
<P>
For instance, consider the following example:
</P>
<OL>
<LI><SAMP># cd /; ln -s / public_html</SAMP>
</LI>
<LI>Accessing <SAMP>http://localhost/~root/</SAMP>
</LI>
</OL>
<P>
This would allow clients to walk through the entire filesystem. To work
around this, add the following block to your server's configuration:
</P>
<PRE>
&lt;Directory /&gt;
Order deny,allow
Deny from all
&lt;/Directory&gt;
</PRE>
<P>
This will forbid default access to filesystem locations. Add
appropriate
<A
HREF="/mod/core.html#directory"
><SAMP>&lt;Directory&gt;</SAMP></A>
blocks to allow access only
in those areas you wish. For example,
</P>
<PRE>
&lt;Directory /usr/users/*/public_html&gt;
Order deny,allow
Allow from all
&lt;/Directory&gt;
&lt;Directory /usr/local/httpd&gt;
Order deny,allow
Allow from all
&lt;/Directory&gt;
</PRE>
<P>
Pay particular attention to the interactions of
<A
HREF="/mod/core.html#location"
><SAMP>&lt;Location&gt;</SAMP></A>
and
<A
HREF="/mod/core.html#directory"
><SAMP>&lt;Directory&gt;</SAMP></A>
directives; for instance, even if <SAMP>&lt;Directory /&gt;</SAMP>
denies access, a <SAMP>&lt;Location /&gt;</SAMP> directive might
overturn it.
</P>
<P>
Also be wary of playing games with the
<A
HREF="/mod/mod_userdir.html#userdir"
>UserDir</A>
directive; setting it to something like <SAMP>&quot;./&quot;</SAMP>
would have the same effect, for root, as the first example above.
If you are using Apache 1.3 or above, we strongly recommend that you
include the following line in your server configuration files:
</P>
<DL>
<DD><SAMP>UserDir&nbsp;disabled&nbsp;root</SAMP>
</DD>
</DL>
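<P>The configuration points made in the Server Side Includes section
(IncludesNOEXEC), the section on stopping <CODE>.htaccess</CODE> overrides
(AllowOverride None) and this section (a default-deny
<SAMP>&lt;Directory /&gt;</SAMP> and UserDir disabled for root) can be checked
with a small audit script. The following is an added example, not Apache's own
tooling: a line-based POSIX shell audit of an httpd.conf in the 1.x syntax used
on this page, run against two constructed sample configurations. It is a
heuristic rather than a configuration parser, and the function and file names
are this example's own.</P>

```shell
#!/bin/sh
# Added example (not Apache's own code): a heuristic, line-based audit of an
# Apache 1.x httpd.conf for the weaknesses discussed on this page. Treat a
# clean result as "nothing obvious", not as proof of safety.

# audit_httpd_conf FILE
# Prints one FINDING line per weakness and returns the number of findings.
audit_httpd_conf() {
    conf=$1
    findings=0

    # 1. Exec-capable SSI: an Options line naming the bare "Includes" keyword
    #    (with or without "+") or "All". IncludesNOEXEC does not match because
    #    grep -w requires a word boundary right after "Includes".
    if grep -iE '^[[:space:]]*Options' "$conf" | grep -iwqE 'Includes|All'; then
        echo "FINDING: exec-capable SSI enabled (Options Includes/All); use IncludesNOEXEC"
        findings=$((findings + 1))
    fi

    # 2. Any AllowOverride other than None lets a .htaccess file override
    #    settings made in the server configuration.
    if grep -iE '^[[:space:]]*AllowOverride' "$conf" \
            | grep -iqvE '^[[:space:]]*AllowOverride[[:space:]]+None[[:space:]]*$'; then
        echo "FINDING: AllowOverride permits .htaccess overrides"
        findings=$((findings + 1))
    fi

    # 3. Default access: require a <Directory /> block that contains
    #    "Deny from all"; awk tracks whether it is inside that block.
    if ! awk '
        tolower($0) ~ /^[ \t]*<directory[ \t]+\/[ \t]*>/ { inroot = 1 }
        inroot && tolower($0) ~ /^[ \t]*deny[ \t]+from[ \t]+all/ { found = 1 }
        tolower($0) ~ /^[ \t]*<\/directory>/ { inroot = 0 }
        END { exit found ? 0 : 1 }' "$conf"; then
        echo "FINDING: no <Directory /> block with Deny from all; default access is open"
        findings=$((findings + 1))
    fi

    # 4. UserDir must be disabled for root (or for everyone), as this page
    #    recommends for Apache 1.3 and later.
    if ! grep -iE '^[[:space:]]*UserDir[[:space:]]+disabled([[:space:]]|$)' "$conf" \
            | grep -iqwE 'root|disabled[[:space:]]*$'; then
        echo "FINDING: UserDir is not disabled for root"
        findings=$((findings + 1))
    fi

    return $findings
}

# write_sample_confs DIR
# Writes two constructed sample configurations into DIR: weak.conf trips
# every check, hardened.conf follows this page's advice.
write_sample_confs() {
    cat > "$1/weak.conf" <<'EOF'
UserDir public_html
<Directory /usr/local/apache/htdocs>
    Options Indexes Includes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
EOF
    cat > "$1/hardened.conf" <<'EOF'
UserDir disabled root
<Directory />
    Order deny,allow
    Deny from all
    AllowOverride None
    Options None
</Directory>
<Directory /usr/local/apache/htdocs>
    Order deny,allow
    Allow from all
    AllowOverride None
    Options IncludesNOEXEC
</Directory>
EOF
}

# Demo: audit both constructed samples.
demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
for f in weak hardened; do
    echo "== $f.conf"
    if audit_httpd_conf "$demo_dir/$f.conf"; then
        echo "no findings"
    else
        echo "$? finding(s)"
    fi
done
rm -rf "$demo_dir"
```

<P>Run <CODE>audit_httpd_conf /usr/local/apache/conf/httpd.conf</CODE> against
a real server configuration; the exit status is the number of findings. Because
the checks are per line, a directive that is commented out or spread over
several blocks still has to be read in context, and the Location-versus-Directory
interaction described above is not modelled at all.</P>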
<HR>
<P>Please send any other useful security tips to The Apache Group
by filling out a
<A HREF="http://www.apache.org/bug_report.html">problem report</A>.
Serious security matters should of course be sent to <A HREF="mailto:security@apache.org">
security@apache.org</A>.
<P>
<HR>
<!--#include virtual="footer.html" -->
</BODY>
</HTML>