* Note that new files created may not have the right permissions on them
* May need to correct this with a periodic cron'ed chown/chmod.
* Is there an argument to chmod to make new files have the right attributes?
What I think you would want is to change the default umask of the users in question.
'umask 022' is pretty typical, so probably want something less public.
Rich Bowen wrote:
On Sat, 21 Sep 2002, Rich Bowen wrote:
On Sat, 21 Sep 2002, Rich Bowen wrote:
I'm going to write up some of our observations over the next few days as
I have time, and was hoping to stir up a little interest so that when I
have something, some folks will be willing to take a look at it.
OK, please forgive the format. This is a "perlpoint" presentation that I put together for the class that I was teaching, and modified based on our findings.
One thing that I'd like to ask about is the deal with mod_mime. If I have a web site consisting *only* of DefaultType documents (say, if I set DefaultType to text/html), then why can't I run Apache without mod_mime?
When I tried (i.e., ran Apache with only mod_dir and mod_log_config) and went to http://server/ I would get a 404 page, and the error log would say "file /usr/local/apache/htdocs/ not found".
Anyways, here are our findings. Comments welcome. I'd like to incorporate
these into the security doc, which is a little elderly and somewhat
sparse in these particular areas.
Crap. Forgot to attach it. Bah.
=Apache security
* Remove modules you're not using
* Set file permissions right
=Modules you're not using
* What is the minimal list of modules you can get away with?
* Why do you need them?
=Module list
* The minimal module list appears to be:
  mod_dir
  mod_mime
  mod_log_config (optional, but recommended)
=mod_dir
* Provides DirectoryIndex directive
* People will want to look at http://servername/ and get something useful
=mod_mime
* Necessary if you are serving any files other than DefaultType ones
* For some reason, even DefaultType won't work without mod_mime
=mod_log_config
* You could get away with not running it
* Log files are a good thing if you are going for security
=File permissions
* Recommended file permissions in the docs are crap
* Can get much tighter than that
* Docs should list the I<minimum>, and let you go from there
* Note that directories have to have x in order to cd into them
* It is assumed that C<User> is set to C<www> and that C<Group> is set to C<www>
=ServerRoot
* ServerRoot itself should be root.www
* Should be read and execute for root and www
  cd /usr/local/apache
  chown root.www .
  chmod 550 .
=bin
* The C<bin> directory itself should be C<root.root> and 500
* Files should be 100, except for the script files, which should be 500
* C<suexec> is suid, so should be 4100
  chown root.root bin
  chmod 500 bin
  cd bin
  chmod 100 *
  chmod 500 apachectl dbmmanage apxs
  chmod 4100 suexec
=conf
* conf/ is only ever read by root
* Directory should be root.root
* Directory should be 500
* and files should be 400
  chown -R root.root conf
  chmod 500 conf
  cd conf
  chmod 400 *
* Note that if you have subdirectories, they should have similar permissions
=cgi-bin and htdocs
* This also applies to other "content" directories
* Two scenarios we consider
* 1) A single content provider
* 2) 2 or more content providers
* Here, "provider" means the person that is producing and maintaining the content
* Other content directories, like C<icons>, should be treated similarly
=Content with one provider
* A single user creates and maintains content. Assume this user has a username C<content>
* Directory (htdocs or cgi-bin, for example) should be owned by C<content.www>
* The directory, and any subdirectories, should be 750
* The files should all be 640
  chown -R content.www htdocs
  chmod 750 htdocs
  cd htdocs
  chmod 640 *
* Repeat for subdirectories as needed
=Content with more than one provider
* More than one user provides content
* Create a group called C<content> and put all these users in that group
* Directory should be owned by C<root.content>
* Directory, and any subdirectories, should be 574
* Files should be 664
  chown -R root.content htdocs
  chmod 574 htdocs
  cd htdocs
  chmod 664 *
* Repeat for subdirectories as needed
=Multiple providers, cont'd
* Note that new files created may not have the right permissions on them
* May need to correct this with a periodic cron'ed chown/chmod.
* Is there an argument to chmod to make new files have the right attributes?
=include
* Owned by root.root
* Readable only by root
  chown -R root.root include
  chmod 500 include
  cd include
  chmod 400 *
=libexec
* Only needed if you have modules built as shared objects
* If you do, then it should be readable only by root
  chown -R root.root libexec
  chmod 500 libexec
  cd libexec
  chmod 400 *
=logs
* Logs directory has some caveats
* Standard log files are written as root (C<access_log> and C<error_log>)
* Some other modules log as C<www.root>
* So, here's the recommendation:
  chown root.www logs
  chmod 770 logs
* Log files are created at startup, so there's no need to modify permissions inside the directory, as permissions will change next time you restart.
* Can modify C<mod_log_config.c> to create file without C<group> and C<other> readability if desired.
- static mode_t xfer_mode = (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + static mode_t xfer_mode = (S_IRUSR | S_IWUSR);
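Review bot: on the + line, xfer_mode drops S_IRGRP together with S_IROTH, while the logs slide keeps the directory at root.www 770 because some modules log as www, so the slide should state whether anything running in group www still needs to read these files. A creation mode only takes effect when the file is first created and is still filtered by the process umask, so suggest adding a step to chmod or rotate the existing access_log, and a short comment next to xfer_mode explaining why group and other read were removed.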
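The mode values from the slides above can be turned into a repeatable check. This is an added example, not part of the original message or of Apache: the function names are hypothetical, the sample tree is constructed in a temporary directory, and only modes are checked (not ownership), for the ServerRoot, bin, conf, include, libexec and logs entries.

```shell
#!/bin/sh
# Added example: audit a ServerRoot against the mode ceilings from the slides.
# Function names are hypothetical; uses GNU/busybox `stat -c`.

# Most permissive mode the slides allow for a path relative to ServerRoot.
expected_mode() {
    case "$1" in
        .)                                    echo 550 ;;
        bin|conf|include|libexec)             echo 500 ;;
        logs)                                 echo 770 ;;
        bin/suexec)                           echo 4100 ;;
        bin/apachectl|bin/dbmmanage|bin/apxs) echo 500 ;;
        bin/*)                                echo 100 ;;
        conf/*|include/*|libexec/*)           echo 400 ;;
        *)                                    echo "" ;;  # content dirs and log files: skipped
    esac
}

# Print one line per entry that has a permission bit set beyond its ceiling.
audit_serverroot() {
    ( cd "$1" && find . ) | sed 's|^\./||' | while IFS= read -r rel; do
        want=$(expected_mode "$rel")
        [ -n "$want" ] || continue
        # Subdirectories need the search bit, so they get 500 rather than 400.
        if [ "$want" = 400 ] && [ -d "$1/$rel" ]; then want=500; fi
        have=$(stat -c '%a' "$1/$rel")
        if [ $(( 0$have & ~0$want & 07777 )) -ne 0 ]; then
            echo "$rel: mode $have exceeds $want"
        fi
    done
}

# Constructed sample tree with the slides' chmod values applied (ownership not set).
build_sample_root() {
    root=$(mktemp -d) || return 1
    ( cd "$root" && mkdir bin conf logs &&
      touch bin/httpd bin/apachectl bin/suexec conf/httpd.conf &&
      chmod 100 bin/httpd && chmod 500 bin/apachectl && chmod 4100 bin/suexec &&
      chmod 400 conf/httpd.conf && chmod 500 bin conf && chmod 770 logs && chmod 550 . )
    echo "$root"
}

root=$(build_sample_root)
audit_serverroot "$root"              # tight tree: no output
chmod 644 "$root/conf/httpd.conf"     # constructed mistake: config left world-readable
audit_serverroot "$root"              # conf/httpd.conf: mode 644 exceeds 400
chmod -R u+rwx "$root" && rm -rf "$root"
```

Run from cron against the real ServerRoot, any output line is a file or directory that has drifted looser than the scheme, which covers the case of newly created files picking up a permissive umask.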
