On Sat, 21 Sep 2002, Rich Bowen wrote:
> On Sat, 21 Sep 2002, Rich Bowen wrote:
>
> > I'm going to write up some of our observations over the next few days as
> > I have time, and was hoping to stir up a little interest so that when I
> > have something, some folks will be willing to take a look at it.
>
> OK, please forgive the format. This is a "perlpoint" presentation that I
> put together for the class that I was teaching, and modified based on
> our findings.
>
> One thing that I'd like to ask about is the deal with mod_mime. If I
> have a web site consisting *only* of DefaultType documents (say, if I
> set DefaultType to text/html), then why can't I run Apache without
> mod_mime?
>
> When I tried (ie, ran Apache with only mod_dir and mod_log_config) and
> went to http://server/ I would get a 404 page, and the error log would
> say "file /usr/local/apache/htdocs/ not found"
>
> Anyways, here's our findings. Comments welcome. I'd like to incorporate
> these into the security doc, which is a little elderly and somewhat
> sparse in these particular areas.
Crap. Forgot to attach it. Bah.
=Apache security
* Remove modules you're not using
* Set file permissions right
=Modules you're not using
* What is the minimal list of modules you can get away with?
* Why do you need them?
=Module list
* The minimal module list appears to be:
mod_dir
mod_mime
mod_log_config (optional, but recommended)
=mod_dir
* Provides DirectoryIndex directive
* People will want to look at http://servername/ and get something useful
=mod_mime
* Necessary if you are serving any files other than DefaultType ones
* For some reason, even DefaultType won't work without mod_mime
=mod_log_config
* You could get away with not running it
* Log files are a good thing if you are going for security
=File permissions
* Recommended file permissions in the docs are crap
* Can get much tighter than that
* Docs should list the I<minimum>, and let you go from there
* Note that directories have to have x in order to cd into them
* It is assumed that C<User> is set to C<www> and that C<Group> is set to C<www>
=ServerRoot
* ServerRoot itself should be root.www
* Should be read and execute for root and www
cd /usr/local/apache
chown root.www .
chmod 550 .
=bin
* The C<bin> directory itself should be C<root.root> and 500
* Files should be 100, except for the script files, which should be 500
* C<suexec> is suid, so should be 4100
chown root.root bin
chmod 500 bin
cd bin
chmod 100 *
chmod 500 apachectl dbmmanage apxs
chmod 4100 suexec
=conf
* conf/ is only ever read by root
* Directory should be root.root
* Directory should be 500
* and files should be 400
chown -R root.root conf
chmod 500 conf
cd conf
chmod 400 *
* Note that if you have subdirectories, they should have similar permissions
=cgi-bin and htdocs
* This also applies to other "content" directories
* Two scenarios we consider
* 1) A single content provider
* 2) 2 or more content providers
* Here, "provider" means the person that is producing and maintaining the
content
* Other content directories, like C<icons>, should be treated similarly
=Content with one provider
* A single user creates and maintains content. Assume this user has a username
C<content>
* Directory (htdocs or cgi-bin, for example) should be owned by C<content.www>
* The directory, and any subdirectories, should be 750
* The files should all be 640
chown -R content.www htdocs
chmod 750 htdocs
cd htdocs
chmod 640 *
* Repeat for subdirectories as needed
=Content with more than one provider
* More than one user provides content
* Create a group called C<content> and put all these users in that group
* Directory should be owned by C<root.content>
* Directory, and any subdirectories, should be 574
* Files should be 664
chown -R root.content htdocs
chmod 574 htdocs
cd htdocs
chmod 664 *
* Repeat for subdirectories as needed
=Multiple providers, cont'd
* Note that new files created may not have the right permissions on them
* May need to correct this with a periodic cron'ed chown/chmod.
* Is there an argument to chmod to make new files have the right attributes?
=include
* Owned by root.root
* Readable only by root
chown -R root.root include
chmod 500 include
cd include
chmod 400 *
=libexec
* Only needed if you have modules built as shared objects
* If you do, then it should be readable only by root
chown -R root.root libexec
chmod 500 libexec
cd libexec
chmod 400 *
=logs
* Logs directory has some caveats
* Standard log files are written as root (C<access_log> and C<error_log>)
* Some other modules log as C<www.root>
* So, here's the recommendation:
chown root.www logs
chmod 770 logs
* Log files are created at startup, so there's no need to modify permissions
inside the directory, as permissions will change next time you restart.
* Can modify C<mod_log_config.c> to create file without C<group> and C<other>
readability if desired.
- static mode_t xfer_mode = (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+ static mode_t xfer_mode = (S_IRUSR | S_IWUSR);
--
Rich Bowen - [EMAIL PROTECTED]
Author - Apache Administrator's Guide
http://www.ApacheAdmin.com/
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
