[SGVLUG] Securing Apache

Joel Witherspoon joel.witherspoon at gmail.com
Wed Jul 26 13:05:25 PDT 2006


"Those are symlinks.  Under Linux, symlinks are (almost) always 777."
Shit. That's right.

"My rule of thumb is have any file/directory that apache does not
need to write to be owned by "ANY" user other than apache."

Good rule. I'll put it in my book.

Thanks for the help guys.

On 7/26/06, Michael Proctor-Smith <mproctor13 at gmail.com> wrote:
>
> On 7/26/06, Joel Witherspoon <joel.witherspoon at gmail.com> wrote:
> > If this is a dumb question, let me know.
> >
> > I'm running CentOS 4.3 with Apache 2 running as user:group
> Apache:Apache.
> >
> > My /var/www directories are owned by root:root all at 755
> > My /etc/httpd directories are owned by root:root and at 755
>
> The above on my systems are all root:root 644
> > except my logs,
> > modules and run - they are at 777
> actual modules are root:root 755; logs, modules and run are links,
> hence 777. Check the permission on the actual files. Logs do not need to be
> owned or writeable by any other than root because they are opened
> before apache changes user from root.
>
>
> > I'm not providing user directories
> > I am using the cgi-bin
> I don't use cgi-bin so can't answer that.
> > I'm trying to secure my Apache system as much as possible.
> >
> > Should I change the directory user:groups to apache:apache for the
> > /etc/httpd and /var/www, /var/cgi-bin?
> NO!! If some unknown code was run as apache, then apache could change its
> own configuration.
>
> > What is the best way to secure apache with this setup?
>
> My rule of thumb is have any file/directory that apache does not
> need to write to be owned by "ANY" user other than apache.
>
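An added shell example, not from the thread, that turns the rule of thumb above into an audit: it lists every file or directory under a web root that the httpd worker could modify, and it follows symlinks so that the target's mode is checked rather than the link's own 777. The helper name, the default paths and the numeric uid/gid arguments are assumptions; on a real host you would pass the apache account's ids.

```shell
#!/bin/sh
# audit_httpd_writable DIR UID GID
#   Print "MODE OWNER:GROUP PATH" for each regular file or directory under DIR
#   that the httpd worker (numeric UID/GID) could write to, i.e. anything that
#   is owned by that uid, group-writable for that gid, or world-writable.
#   find -L resolves symlinks first, so a 777 link to a root:root 644 file is
#   reported with the target's 644, matching the advice to check the real file.
#   Requires GNU find (-printf). Hypothetical helper, added for illustration.
audit_httpd_writable() {
    dir=$1; uid=$2; gid=$3
    find -L "$dir" \( -type f -o -type d \) \
        \( -uid "$uid" -o \( -gid "$gid" -perm -g=w \) -o -perm -o=w \) \
        -printf '%m %u:%g %p\n' 2>/dev/null | sort -k3
}

# audit_httpd_tree UID GID [DIR...]
#   Run the audit over the usual CentOS/Apache locations (assumed defaults),
#   skipping directories that do not exist, and print "ok" for a clean tree.
audit_httpd_tree() {
    uid=$1; gid=$2; shift 2
    [ $# -eq 0 ] && set -- /etc/httpd /var/www /var/www/cgi-bin
    for d in "$@"; do
        [ -d "$d" ] || continue
        hits=$(audit_httpd_writable "$d" "$uid" "$gid")
        if [ -n "$hits" ]; then
            printf '%s: writable by the httpd worker:\n%s\n' "$d" "$hits"
        else
            printf '%s: ok\n' "$d"
        fi
    done
}

# Example invocation on a real host (run as root), not executed here:
#   audit_httpd_tree "$(id -u apache)" "$(id -g apache)"
```

Anything the audit lists is a candidate for `chown root:root` and a tighter mode, unless it is a directory apache genuinely has to write into.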

