These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/Securing Apache Configuration

As we learned in UNIX02/Apache Configuration, Apache's configuration files are typically located in /etc/httpd/conf or /etc/apache/conf. The main configuration file (and the one we will be concerned with today) is httpd.conf.

We will now examine some specific problems and fixes with respect to security under Apache.

Apache Ownership and Permissions

Traditionally, Apache opens the web server on port 80. Because this port is below 1024, Apache must be started as root so that it may open the privileged TCP port. Thus, many people (and many UNIXes) set up Apache to run as root in spite of the grievous security concerns this causes. (This is one of the reasons that some server administrators run httpd on port 8080.)

The desired setup (and the one that many Linux and BSD distributions default to) is to start Apache as root and then switch to a non-privileged user after the privileged port has been opened. The two most common choices for the user Apache runs as are nobody and httpd. The one consideration is to ensure that whatever user Apache runs as is the only service using that UID on the system (thus, if you do use nobody, make certain that no other daemon is running as it as well).

Protecting users from themselves

Apache allows for decentralized management of configuration via special files placed inside the web tree. The special files are usually called .htaccess, but any name can be specified in the AccessFileName directive. Directives placed in .htaccess files apply to the directory where you place the file, and all sub-directories. The .htaccess files follow the same syntax as the main configuration files. Since .htaccess files are read on every request, changes made in these files take immediate effect.

.htaccess files can be quite useful, as they allow sub-sites freedom to modify system-wide defaults. They can also be used with respect to certain authentication schemes.

However, there is a real danger in allowing them to be placed haphazardly on your system: a non-privileged user could maliciously modify or create an .htaccess file and override global security parameters to undermine the system. Thus you want to be selective about where on your web server .htaccess files are respected.

To disable .htaccess, place the AllowOverride None directive inside a declaration for a directory.

If you want to disable it system-wide, place it in the root directory declaration:

 <Directory />
 AllowOverride None
 Options None
 Allow from all
 </Directory>

For more information on .htaccess, see:

Denying Apache Access

By default, Apache will be able to access any directory that is world readable, or that is readable by Apache's UID or GID. This is probably not something you will want to leave unchecked.

You can prohibit Apache from accessing specific directories by making declarations for them and then setting the Deny from all directive.

For example, if I wanted to prevent Apache from ever accessing some confidential data stored in /http/html/conf_data, I would set a declaration like this:

 <Directory /http/html/conf_data>
 Order deny,allow
 Deny from all
 </Directory>

Denying access by file extension

Unless told otherwise, Apache will serve all files under the directories that it is allowed to use. This may be changed by using Files declarations. They are processed after the Directory and .htaccess directives and before the Location directives. A first argument of "~" makes the pattern a regular expression, with ".", "*", and "$" matching any character, zero or more characters except for a "/", and the end of the line, respectively. A backslash removes the special property of the following character.

As an example, the following will prevent browsers from reading files ending in "~", .swp, .pl, or .exe:

 <Files ~ "~$">
 Order deny,allow
 Deny from all
 </Files>

 <Files ~ "\.(swp|pl|exe)$">
 Order deny,allow
 Deny from all
 </Files>
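The checks above (the user Apache switches to, AllowOverride at the root directory, the comma-only syntax of Order, and the regex in a Files pattern) can be audited mechanically. The following script is an added example, not part of these notes or of Apache; it reads a constructed httpd.conf fragment and reports each problem with its line number.

```python
import re

# Constructed httpd.conf fragment for demonstration; not taken from a real server.
SAMPLE_CONF = """\
User nobody
<Directory />
    AllowOverride All
    Options None
    Allow from all
</Directory>
<Directory /http/html/conf_data>
    Order deny, allow
    Deny from all
</Directory>
<Files ~ "\\.{swp|pl|exe}$">
    Order deny,allow
    Deny from all
</Files>
"""

def audit_httpd_conf(text):
    """Return (line_no, message) findings for the problems discussed in these notes."""
    findings = []
    container = None  # (type, argument) of the enclosing <Directory> or <Files> block
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<(Directory|Files)\s+(.*?)>$', line, re.I)
        if m:
            container = (m.group(1).lower(), m.group(2))
            if container[0] == "files" and container[1].startswith("~"):
                # "~" makes the argument a regex: (a|b) is alternation, {a|b} is a broken quantifier
                pattern = container[1].split(None, 1)[1].strip('"')
                if "{" in pattern and "|" in pattern:
                    findings.append((n, "Files regex uses {} for alternation; use ()"))
            continue
        if re.match(r'</(Directory|Files)>$', line, re.I):
            container = None
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "user" and value.lower() == "root":
            findings.append((n, "Apache keeps running as root"))
        elif key == "order" and re.search(r",\s", value):
            # Order keywords are separated by a comma only; whitespace is a syntax error
            findings.append((n, "Order list contains whitespace after the comma"))
        elif key == "allowoverride" and value.lower() != "none" and container == ("directory", "/"):
            findings.append((n, ".htaccess files honoured from the root directory down"))
    return findings
```

Running audit_httpd_conf(SAMPLE_CONF) flags lines 3, 8 and 11 of the fragment; a fragment with AllowOverride None, Order deny,allow and "\.(swp|pl|exe)$" returns no findings.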

Edited June 13, 2003 9:17 pm
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.