Introduction to the Apache Web Server - ApacheCon

More documents

Recommendations

Info

19.2 File permissions The overriding goal in your file permissions, as with any security precaution, is to be as paranoid as possible. Set file permissions at the most restrictive possible level which still allows people to get their work done. Security is inconvenient. Get over it. Getting hacked is more inconvenient. Train yourself to think in terms of what damage a malicious person could cause if they had the urge to do so. Remember that the server runs as the nobody user (or whatever you have User set to) in the nobody group (or whatever you have Group set to) and that any web-based attacks will be run as that userID. So no files should be owned by, or writeable by, that user and/or group. (Note that I’ll contradict this in the DAV chapter ( 22), but will provide a way around that.) There are a few small exeptions to this, and even there, you should be careful. 19.2.1 Content directories The content directories (cgi-bin, htdocs, and icons) have the unfortunate requirement that the content in them will need to be modified from time to time. Thus, you’ll have to give someone write permission to those directories. And, at the same time, you’ll need to give the Apache user read permission to those directories. Clearly identify the group of people that should have write permission to this content. Put those users in a user group, and give that group write access to that directory. The icons directory is a little different, since the content in there never actually changes (on most servers) and so can safely remain unwriteable. The directory can be 755, and the content in it be 644, all owned by root. 19.2.2 Library Library directories (libexec and include) contain files that are needed by Apache at startup, and are not required by anyone else at any other time. In particular, libexec contains the modules which you have built as shared objects, and include contains files that may be needed when building modules using apxs. Solely for the purposes of Apache, these directories may be made mode 700, since the only time they are needed is during startup, when Apache is root, and has not yet relinquished its priveleges. And you don’t want anyone to have an opportunity to meddle with these files. Some folks say that this is being overly paranoid. 19.2.3 bin The bin directory is a little bit of a mixed bag, in that it contains files that you want everyone to have access to (or you might) and several that you don’t. This somewhat depends on how paranoid you are. The directory itself must NEVER be writeable. 116
drwxr-xr-x 2 root root 4096 Mar 30 20:27 . drwxr-xr-x 12 root root 4096 Mar 30 20:27 .. -rwxr-xr-x 1 root root 43452 Mar 30 20:27 ab -rwxr-xr-x 1 root root 7107 Mar 30 20:27 apachectl -rwxr-xr-x 1 root root 26591 Mar 30 20:27 apxs -rwxr-xr-x 1 root root 3636 Mar 30 20:27 checkgid -rwxr-xr-x 1 root root 10937 Mar 30 20:27 dbmmanage -rwxr-xr-x 1 root root 12788 Mar 30 20:27 htdigest -rwxr-xr-x 1 root root 35464 Mar 30 20:27 htpasswd -rwxr-xr-x 1 root root 489980 Mar 30 20:27 httpd -rwxr-xr-x 1 root root 7288 Mar 30 20:27 logresolve -rwxr-xr-x 1 root root 5944 Mar 30 20:27 rotatelogs -rws--x--x 1 root root 10476 Mar 30 20:27 suexec Users (ie, not root) will routinely have need of the htpasswd and htdigest utilities, and possibly also the dbmmanage utility, to create password files for use with authentication. Users may wish to run httpd -v or httpd -l, for example, to get additional information about the apache server. They should probably be permitted to do this, so that they don’t have to contact you every time they have a question. Users probably do not need to have access to apachectl, ab, and logresolve. These files can safely be made mode 700. You should not alter the permissions on suexec or rotatelogs, as they will be run by the unprivileged Apache processes. checkgid is only used, if ever, at install. 19.2.4 logs The logs directory must never be writeable by any user other than root. If another user can write to the logs directory, they can compromise Apache and gain root-level access to your server. The log files themselves are created by Apache, and you should not modify their permissions. 19.2.5 proxy If you are running mod proxy, then you may have a proxy directory created on server install. This directory will be owned by the nobody user, or whatever user Apache is configured to run as, because Apache will need to write content to the proxy cache while it is running. This is one of the very few exceptions to the rule that nothing should be owned by the Apache user. And some people will say that even this poses a security risk, as a clever CGI program, for example, could modify content in the cache, and cause a user to send sensitive data to one place, while believing it was going somewhere else. 117
Page 1:
Introduction to the Apache Web Serv
Page 4 and 5:
3.1 Apache process architecture . .
Page 6 and 7:
8.3 Alias . . . . . . . . . . . . .
Page 8 and 9:
13 SSI 75 13.1 Configuration for SS
Page 10 and 11:
16.5 Typical errors . . . . . . . .
Page 12 and 13:
19.8 Modules . . . . . . . . . . .
Page 14 and 15:
23.1 Caching . . . . . . . . . . .
Page 16 and 17:
He wrote the CERN web server, and t
Page 18 and 19:
• provide a foundation for open,
Page 20 and 21:
This is a good point to encourage d
Page 22 and 23:
• htdocs • icons Show the stude
Page 24 and 25:
./configure --help ./configure --pr
Page 26 and 27:
2.6 apxs apxs is a Perl utility for
Page 28 and 29:
The “correct” value for these d
Page 30 and 31:
• Some modules, like mod php, don
Page 32 and 33:
• help apachectl symlink You may
Page 35 and 36:
Section 4 Configuration files http:
Page 37 and 38:
directory - Can be used in a secti
Page 39 and 40:
httpd -DUSESSL Then you could add a
Page 41 and 42:
Section 5 .htaccess files 5.1 Confi
Page 43:
5.3 Exercise Create .htaccess file
Page 46 and 47:
ServerName www.foo.com DocumentRoot
Page 48 and 49:
3. Verify that they are serving con
Page 51 and 52:
Section 7 MIME http://httpd.apache.
Page 53 and 54:
AddType application/x-tar tgz Note
Page 55 and 56:
7.4.3 mod gzip More will be said ab
Page 57 and 58:
Section 8 URL Mapping http://httpd.
Page 59 and 60:
Equivalent to ... Alias /cgi-bin/ /
Page 61 and 62:
Then /cgi-bin/404.cgi will look lik
Page 63 and 64:
----------------------------- The
Page 65:
UserDir disabled UserDir enabled rb
Page 68 and 69:
9.2 Negotiation Methods 9.2.1 Multi
Page 70 and 71:
Note, however, that CacheNegotiated
Page 72 and 73:
10.3 IndexOptions The arguments to
Page 74 and 75:
10.4 Additional directives In addit
Page 77 and 78:
Section 11 Performance Tuning http:
Page 79 and 80: 11.5 Tuning configuration settings
Page 81: 11.5.6 mod mmap static Map static f
Page 84 and 85: - JSP - etc, etc, etc • Each addr
Page 86 and 87: #!/usr/bin/perl use CGI; my $cgi =
Page 89 and 90: Section 13 SSI http://httpd.apache.
Page 91 and 92: SSIStartTag "" 13.4 SSI directives
Page 93: Most commonly, include is used to i
Page 96 and 97: SetHandler Much like the AddHandler
Page 98 and 99: advertising a page that has moved,
Page 100 and 101: AddHandler type-map .var 14.1.3 Cus
Page 102 and 103: AddOutputFilterByType DEFLATE text/
Page 104 and 105: 15.4 Configuration 15.4.1 PerlRequi
Page 106 and 107: Wow. 15.6.2 Apache::Registry If you
Page 108 and 109: 15.8.2 Installing the example mod p
Page 110 and 111: package Acme::Apache::Werewolf; use
Page 112 and 113: • "GET / HTTP/1.0" Request - Meth
Page 114 and 115: 16.4 Exercises 1. Construct a log f
Page 116 and 117: • Precisely how many visitors •
Page 118 and 119: 16.9.2 rotatelogs CustomLog "|/usr/
Page 120 and 121: • Set configuration to use this f
Page 122 and 123: • mod auth nds (Netware Directory
Page 124 and 125: 110
Page 126 and 127: • etc • Also, names like ’ema
Page 128 and 129: 114
Page 132 and 133: 19.2.6 public html If users have we
Page 134 and 135: 19.3.3 ServerSignature Automaticall
Page 136 and 137: * Don’t put important things in t
Page 138 and 139: 19.10 mod security http://www.modse
Page 140 and 141: 126
Page 142 and 143: 20.3 Certificates • Generate a ke
Page 144 and 145: 130
Page 146 and 147: 21.1.2 Apache 2.0 modules: [access
Page 148 and 149: 21.6 mod auth Name mod auth On by d
Page 150 and 151: 21.13 mod cgi Name mod cgi On by de
Page 152 and 153: 21.21 mod include Name mod include
Page 154 and 155: Mapping files into memory to improv
Page 156 and 157: 21.35 mod status Name mod status On
Page 158 and 159: To enable DAV in a particular direc
Page 160 and 161: 23.2 Proxying The proxy part lets y
show all

Introduction to the Apache Web Server - ApacheCon

Create successful ePaper yourself

Delete template?

Save as template?