[SGVLUG] Securing Apache

Michael Proctor-Smith mproctor13 at gmail.com
Wed Jul 26 12:01:32 PDT 2006


On 7/26/06, Joel Witherspoon <joel.witherspoon at gmail.com> wrote:
> If this is a dumb question, let me know.
>
> I'm running CentOS 4.3 with Apache 2 running as user:group Apache:Apache.
>
> My /var/www directories are owned by root:root all at 755
> My /etc/httpd directories are owned by root:root and at 755

The above on my systems are all root:root 644
> except my logs,
> modules and run - they are at 777
actual modules are root:root 755; logs, modules and run are links,
hence 777. Check the permissions on the actual files. Logs do not need to be
owned or writeable by any other than root because they are opened
before apache changes user from root.


> I'm not providing user directories
> I am using the cgi-bin
I don't use cgi-bin so can't answer that.
> I'm trying to secure my Apache system as much as possible.
>
> Should I change the directory user:groups to apache:apache for the
> /etc/httpd and /var/www, /var/cgi-bin?
NO!! If some unknown code was run then apache could change its configuration.

> What is the best way to secure apache with this setup?

My rule of thumb is to have any file/directory that apache does not
need to write to be owned by "ANY" user other than apache.
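
An added example, not part of the original message: a small audit for the rule of thumb above, which reports paths the server account owns and paths that are world-writable, judging symlinks by their targets rather than by the link's own 777 mode. The function name audit_web_perms and the calling convention are assumptions made for this example; the account name and directories are passed in by the caller.

```bash
#!/bin/bash
# Added example (not from the thread). Usage:
#   ./audit.sh USER DIR [DIR...]    e.g. ./audit.sh apache /etc/httpd /var/www
# USER may be an account name or a numeric uid (find -user accepts both).

audit_web_perms() {
    local user=$1
    shift
    local dir
    for dir in "$@"; do
        if [ ! -e "$dir" ]; then
            printf 'MISSING\t%s\n' "$dir"
            continue
        fi
        # -L follows symlinks, so a link such as the logs/modules/run entries
        # is judged by the owner and mode of its target, not by lrwxrwxrwx.

        # Anything the server account owns: it can rewrite or chmod it.
        find -L "$dir" -user "$user" -exec printf 'OWNED\t%s\n' {} \;

        # Anything world-writable: every account, the server's included,
        # can modify it. Under -L, "-type l" only matches dangling links,
        # which are skipped because they have no target mode to judge.
        find -L "$dir" ! -type l -perm -0002 \
            -exec printf 'WORLD-WRITABLE\t%s\n' {} \;
    done
}

# Run the audit only when called with arguments; sourcing defines the function.
if [ "$#" -ge 2 ]; then
    audit_web_perms "$@"
fi
```

No output means nothing under the given directories is owned by that account or world-writable; directories the server legitimately writes to will show up and need to be reviewed one by one.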

