security_tips.xml revision d94fadc8231669a4e710869f290ed57a8232a61d
97a9a944b5887e91042b019776c41d5dd74557aferikabele<!DOCTYPE manualpage SYSTEM "/style/manualpage.dtd">
97a9a944b5887e91042b019776c41d5dd74557aferikabele<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
a945f35eff8b6a88009ce73de6d4c862ce58de3cslive<manualpage>
5a58787efeb02a1c3f06569d019ad81fd2efa06end <p>Some hints and tips on security issues in setting up a web server.
5a58787efeb02a1c3f06569d019ad81fd2efa06end Some of the suggestions will be general, others specific to Apache.</p>
5a58787efeb02a1c3f06569d019ad81fd2efa06end </summary>
5a58787efeb02a1c3f06569d019ad81fd2efa06end <p>In typical operation, Apache is started by the root user, and it
5a58787efeb02a1c3f06569d019ad81fd2efa06end switches to the user defined by the <directive
5a58787efeb02a1c3f06569d019ad81fd2efa06end module="mpm_common">User</directive> directive to serve hits. As is the
a63f0ab647ad2ab72efc9bea7a66e24e9ebc5cc2nd case with any command that root executes, you must take care that it is
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd protected from modification by non-root users. Not only must the files
ad74a0524a06bfe11b7de9e3b4ce7233ab3bd3f7nd themselves be writeable only by root, but so must the directories, and
ad74a0524a06bfe11b7de9e3b4ce7233ab3bd3f7nd parents of all directories. For example, if you choose to place
ad74a0524a06bfe11b7de9e3b4ce7233ab3bd3f7nd ServerRoot in /usr/local/apache then it is suggested that you create
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd that directory as root, with commands like these:</p>
5a58787efeb02a1c3f06569d019ad81fd2efa06end mkdir bin conf logs <br />
5a58787efeb02a1c3f06569d019ad81fd2efa06end chown 0 . bin conf logs <br />
5a58787efeb02a1c3f06569d019ad81fd2efa06end chgrp 0 . bin conf logs <br />
06ba4a61654b3763ad65f52283832ebf058fdf1cslive chmod 755 . bin conf logs
9b6a3a558cc90ffdaa0b50bd02546ffec424ded7slive <p>It is assumed that /, /usr, and /usr/local are only modifiable by
9b6a3a558cc90ffdaa0b50bd02546ffec424ded7slive root. When you install the httpd executable, you should ensure that
9b6a3a558cc90ffdaa0b50bd02546ffec424ded7slive it is similarly protected:</p>
5a58787efeb02a1c3f06569d019ad81fd2efa06end <p>You can create an htdocs subdirectory which is modifiable by other
5a58787efeb02a1c3f06569d019ad81fd2efa06end users -- since root never executes any files out of there, and shouldn't
a63f0ab647ad2ab72efc9bea7a66e24e9ebc5cc2nd be creating files in there.</p>
117c1f888a14e73cdd821dc6c23eb0411144a41cnd <p>If you allow non-root users to modify any files that root either
117c1f888a14e73cdd821dc6c23eb0411144a41cnd executes or writes on then you open your system to root compromises.
117c1f888a14e73cdd821dc6c23eb0411144a41cnd For example, someone could replace the httpd binary so that the next
117c1f888a14e73cdd821dc6c23eb0411144a41cnd time you start it, it will execute some arbitrary code. If the logs
117c1f888a14e73cdd821dc6c23eb0411144a41cnd directory is writeable (by a non-root user), someone could replace
117c1f888a14e73cdd821dc6c23eb0411144a41cnd a log file with a symlink to some other system file, and then root
117c1f888a14e73cdd821dc6c23eb0411144a41cnd might overwrite that file with arbitrary data. If the log files
117c1f888a14e73cdd821dc6c23eb0411144a41cnd themselves are writeable (by a non-root user), then someone may be
117c1f888a14e73cdd821dc6c23eb0411144a41cnd able to overwrite the log itself with bogus data.</p>
117c1f888a14e73cdd821dc6c23eb0411144a41cnd </section>
117c1f888a14e73cdd821dc6c23eb0411144a41cnd <p>Server Side Includes (SSI) present a server administrator with
5a58787efeb02a1c3f06569d019ad81fd2efa06end several potential security risks.</p>
5a58787efeb02a1c3f06569d019ad81fd2efa06end <p>The first risk is the increased load on the server. All
5a58787efeb02a1c3f06569d019ad81fd2efa06end SSI-enabled files have to be parsed by Apache, whether or not
5a58787efeb02a1c3f06569d019ad81fd2efa06end there are any SSI directives included within the files. While this
5a58787efeb02a1c3f06569d019ad81fd2efa06end load increase is minor, in a shared server environment it can become
a63f0ab647ad2ab72efc9bea7a66e24e9ebc5cc2nd significant.</p>
5a58787efeb02a1c3f06569d019ad81fd2efa06end <p>SSI files also pose the same risks that are associated with CGI
5a58787efeb02a1c3f06569d019ad81fd2efa06end scripts in general. Using the "exec cmd" element, SSI-enabled files
5a58787efeb02a1c3f06569d019ad81fd2efa06end can execute any CGI script or program under the permissions of the
5a58787efeb02a1c3f06569d019ad81fd2efa06end user and group Apache runs as, as configured in httpd.conf.</p>
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick <p>There are ways to enhance the security of SSI files while still
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick taking advantage of the benefits they provide.</p>
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick <p>To isolate the damage a wayward SSI file can cause, a server
06ba4a61654b3763ad65f52283832ebf058fdf1cslive administrator can enable <a href="/suexec.html">suexec</a> as
ea8a727ff298d2f5368b55b7ae8d87091ae106e7nd described in the <a href="#cgi">CGI in General</a> section</p>
06ba4a61654b3763ad65f52283832ebf058fdf1cslive <p>Enabling SSI for files with .html or .htm extensions can be
06ba4a61654b3763ad65f52283832ebf058fdf1cslive dangerous. This is especially true in a shared, or high traffic,
92510838f2eb125726e15c5eb4f7a23c7a0396e4slive server environment. SSI-enabled files should have a separate extension,
97a9a944b5887e91042b019776c41d5dd74557aferikabele such as the conventional .shtml. This helps keep server load at a
92510838f2eb125726e15c5eb4f7a23c7a0396e4slive minimum and allows for easier management of risk.</p>
97a9a944b5887e91042b019776c41d5dd74557aferikabele <p>Another solution is to disable the ability to run scripts and
9b6a3a558cc90ffdaa0b50bd02546ffec424ded7slive programs from SSI pages. To do this replace <code>Includes</code>
92510838f2eb125726e15c5eb4f7a23c7a0396e4slive module="core">Options</directive> directive. Note that users may
92510838f2eb125726e15c5eb4f7a23c7a0396e4slive still use >--#include virtual="..." --< to execute CGI scripts if
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick these scripts are in directories desginated by a <directive
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick module="mod_alias">ScriptAlias</directive> directive.</p>
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick <p>First of all, you always have to remember that you must trust the
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick writers of the CGI scripts/programs or your ability to spot potential
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick security holes in CGI, whether they were deliberate or accidental. CGI
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick scripts can run essentially arbitrary commands on your system with the
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick permissions of the web server user and can therefore be extremely
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick dangerous if they are not carefully checked.</p>
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick <p>All the CGI scripts will run as the same user, so they have potential
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick to conflict (accidentally or deliberately) with other scripts e.g. User
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick A hates User B, so he writes a script to trash User B's CGI database. One
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick program which can be used to allow scripts to run as different users is
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick <a href="/suexec.html">suEXEC</a> which is included with Apache as of
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick 1.2 and is called from special hooks in the Apache server code. Another
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick popular way of doing this is with
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick <a href="http://cgiwrap.unixtools.org/">CGIWrap</a>.</p>
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick <p>Allowing users to execute CGI scripts in any directory should only be
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick considered if;</p>
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick <li>You trust your users not to write scripts which will deliberately
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick or accidentally expose your system to an attack.</li>
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick <li>You consider security at your site to be so feeble in other areas,
92510838f2eb125726e15c5eb4f7a23c7a0396e4slive as to make one more potential hole irrelevant.</li>
92510838f2eb125726e15c5eb4f7a23c7a0396e4slive <li>You have no users, and nobody ever visits your server.</li>
ea8a727ff298d2f5368b55b7ae8d87091ae106e7nd </section>
8a6d5edcb07aeccca7afba02a17dd6904d6b206ctrawick <p>Limiting CGI to special directories gives the admin control over what
ea8a727ff298d2f5368b55b7ae8d87091ae106e7nd goes into those directories. This is inevitably more secure than non
06ba4a61654b3763ad65f52283832ebf058fdf1cslive script aliased CGI, but only if users with write access to the
e8d485701957d5c6de870111c112e168a894d49and directories are trusted or the admin is willing to test each
9b6a3a558cc90ffdaa0b50bd02546ffec424ded7slive <p>Most sites choose this option over the non script aliased CGI
9b6a3a558cc90ffdaa0b50bd02546ffec424ded7slive approach.</p>
5a58787efeb02a1c3f06569d019ad81fd2efa06end Embedded scripting options which run as part of the server itself,
5a58787efeb02a1c3f06569d019ad81fd2efa06end such as mod_php, mod_perl, mod_tcl, and mod_python, run under the
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd identity of the server itself (see the <directive
ad74a0524a06bfe11b7de9e3b4ce7233ab3bd3f7nd module="mpm_common">User</directive> directive), and therefore
ad74a0524a06bfe11b7de9e3b4ce7233ab3bd3f7nd scripts executed by these engines potentially can access anything the
ad74a0524a06bfe11b7de9e3b4ce7233ab3bd3f7nd server user can. Some scripting engines may provide restrictions, but
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd it is better to be safe and assume not.</p>
5a58787efeb02a1c3f06569d019ad81fd2efa06end </section>
[Thu Jul 11 17:18:39 2002] [error] [client foo.bar.com] client denied