Ruby on Rails Security Project - Journal - Apache 2 file privileges and modules

Thursday

15Mar

Apache 2 file privileges and modules

Thursday, March 15, 2007 at 8:35PM

File privileges

On Unix systems, the file and directory access privileges are crucial for security. If you let other people write files, that the root user also writes on or executes, then your root account could be compromised. For example, an attacker could modify the apache2ctl starting script and execute arbitrary code, next time the root user starts Apache. Someone with a write privilege on the log file directory could create a link to another file on the system, which will then be overwritten (if he overwrites /etc/passwd, nobody can login anymore). And if the log files itself are writable to non-root users, an attacker could cover his tracks. So important files, directories and its parents must be writable only by root, or the Apache user, respectively.

The following table shows which ownership and privileges the Apache files and directories should have. The ownership can be changed with the chown command, the privileges can be adjusted with the chmod command. Note, that the parent directories of these directories need to be modifiable only by root. All changes need to be performed in this order.

Subject	Ownership (user:group)	Privileges
Binary directory	root:root	755 (rwxr-xr-x)
Binary files, such as the httpd executable	root:root	511 (r-x--x--x)
Configuration directory and files	root:root	755 (rwxr-xr-x)
Log files and its directory	root:root	700 (rwx------)
Content files and directories	apache:apache	500 (r-x------)
Rails log and tmp directories and subdirectories	apache:apache	700 (rwx------)

More security tips also on in the Apache documentation.

Modules

Modules have to be chosen when compiling Apache, but, with the help of the mod_so module, they can be dynamically loaded or deactivated afterwards. It's best to compile Apache with the required modules. You can use the following command to see which modules Apache has been compiled with, i.e. which are always activated:

# apache2 -l # or httpd -l

The following modules are a good basic:

Core, Http_core and Mpm_common: these are always needed
Prefork or Worker MPM: read the first part to learn more about them
Mod_alias, everything with mod_auth..., Mod_log_config, Mod_mime, Mod_negotiation, Mod_setenvif: see the Apache documentation for more on these modules.
These are extensions, but you need them Mod_rewrite (if you use FastCGI, for example), Mod_so (to load modules dynamically)
you can generally disable these: Mod_cgi, Mod_cgid, Mod_actions, Mod_env (for CGI scripts), Mod_dir, Mod_autoindex (directory listings!), Mod_info, Mod_status (they provide sensitive information!)

To be continued...

Heiko |

95 Comments |

View Printer Friendly Version

Email Article to Friend

Reader Comments (95)

Xanax sideeffect....

May 22, 2007 |

Xanax sideeffect.

http://www.hicahs.colostate.edu/forum/topic.asp?TOPIC_ID=557

June 18, 2007 |

Acomplia

Free cartoon sex....

June 22, 2007 |

Cartoon sex.

[URL=http://phpbb1.info]fot1[/URL] http://link3.info

June 30, 2007 |

Bill

July 4, 2007 |

generic cialis

July 23, 2007 |

Phentermine

July 26, 2007 |

phentermine

...

July 31, 2007 |

Great Blog

great advice...

August 1, 2007 |

Great Blog

August 9, 2007 |

lugtybizer

vibyzacp bhqd dquiymbe rnfgpyt dvkawzgy uveqmpfjs ebjynf

August 29, 2007 |

frma qacy

August 30, 2007 |

casino

September 1, 2007 |

sentonuto

September 2, 2007 |

lesdixes

September 12, 2007 |

diklofter

September 15, 2007 |

hypegtyns

September 18, 2007 |

xanax online

September 24, 2007 |

wortaxeso

September 27, 2007 |

viaxadol

October 3, 2007 |

tramaviaphen

Post a New Comment

Enter your information below to add a new comment.

My response is on my own website »

Author:

Author Email (optional):

Author URL (optional):

Post:

↓ | ↑

Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>