[techtalk] Re: Running Apache as Root.
BiOFH
biofh at biofh.org
Sun Apr 8 22:34:52 EST 2001
Pitfalls abound and security holes can be multitudinous. (that sound
scary enough? LOL)
The Apache server generally is run by root. The User directive is
used from there to set "who" serves up content. Running the server as
a user other than root can (will) cause problems... in your case
mod_admin (and mod_proxy if you use it) will choke, so you're
probably better off as is. Just make sure the User directive is used
properly. There are some basic tenets to follow, however, to 'help'
reduce security incidents.
Disallow user created .htaccess lists (if you have users on the
server, that is).
Don't allow them (anyone, user or cracker) to get to the filesystem
(root and the daemon still have access).
Disallow access to root "userdir" by anyone (the actual server still
has access, just not anything served up)
Add the following to the server config file if you have users.
<Directory />
    AllowOverride None
    Options None
    Order deny,allow
    Deny from all
</Directory>
UserDir disabled root
(I haven't decided if the allow and deny cancel out...
also be sure to look for <Location />'s that might circumvent this)
Make sure no one but root can write to the serverroot directories (and
their parents!).
This includes bin, conf, logs, the apache directory, etc.
You can then open up permissions for individual users on their directories.
If your logs dir is open for writing, a decent script kiddie can gain
UID 0 or, at the very least, cause some havoc. A true cracker could
own the system fairly quickly.
You're not allowing users to execute CGI, but I'll include this in
case someone else is following this thread.
When allowing CGI, consider using (and enforcing the use of) CGIwrap
(http://wwwcgi.umr.edu/~cgiwrap/). If users are not executing CGI
(or you have them using aliasing), tighten up permissions on the
server's CGI area as tight as you can. And always -check your code-;
CGI exploits are the easiest to pull off by far.
All my Perl script CGIs which are visible for human consumption
contain something like this:
use CGI qw(:standard);              # header, start_html, h1, end_html
use CGI::Carp 'fatalsToBrowser';
##################### DDoS Band-Aid ############################
$CGI::POST_MAX = 1024 * 100;        # maximum of 100k posts
                                    # (lower-use sites may set a lower value)
$CGI::DISABLE_UPLOADS = 1;          # no uploads allowed
##################### script kiddie defense ####################
## Calls must originate "here" (yourdomain.com).
## The Referer header is supplied by the client, so this only turns
## away casual off-site form submissions.
if (($ENV{'HTTP_REFERER'}) && ($ENV{'HTTP_REFERER'} !~ /^http:\/\/YourDomain\.com/)) {
    print header;
    print start_html('ERROR'), h1('Outside connections are not allowed');
    print end_html;
    exit 0;
}
#####################
That's way more than I intended to write and there's plenty more...
unfortunately.
And always in touch at http://httpd.apache.org/bug_report.html =D
Good luck with this and keep your fingers crossed. :) Now... to catch up on all
this linuxchix mail I haven't read... hehe this one just caught my eye.
Maggie
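Two defender-side checks for the advice in this post, as an added example that is not part of the original message or of Apache's own tooling. audit_httpd_conf parses an httpd.conf for <Directory>/<Location> containers that weaken the "deny everything at /" baseline (a root container without "Deny from all" or with "Allow from all", and AllowOverride or Options other than None, which also catches the <Location /> case the post warns about); audit_serverroot_perms walks the ServerRoot, its bin/conf/logs subdirectories and every parent up to /, reporting anything group- or world-writable or not owned by the expected user. Both function names, the "review:" message format and the demo config are my own; the checks assume Apache 1.3-style Order/Deny/Allow access control as used in the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Two checks for the
# lockdown advice above, written for Apache 1.3-style Order/Deny/Allow
# access control. Function names and message formats are assumptions.

# audit_httpd_conf FILE
# Reports every <Directory>/<Location> container that weakens the
# "deny everything at /" baseline. Exit status 1 if anything was reported.
audit_httpd_conf() {
    awk '
    function flag(msg) { bad++; print "review: " msg }
    /^[ \t]*<(Directory|Location)[ \t]/ {
        tag = $0; sub(/^[ \t]*</, "", tag); sub(/>[ \t]*$/, "", tag)
        path = tag; sub(/^[A-Za-z]+[ \t]+/, "", path)
        override = "(unset)"; options = "(unset)"
        denyall = 0; allowall = 0; inblock = 1
        next
    }
    inblock && /^[ \t]*<\/(Directory|Location)>/ {
        if (path == "/") {
            if (!denyall) flag(tag ": no \"Deny from all\" at the filesystem root")
            if (allowall) flag(tag ": \"Allow from all\" at the filesystem root")
        }
        if (tag ~ /^Directory/ && path == "/") {
            # Apache 1.3 defaults to AllowOverride All / Options All, so an
            # unset value at the root is not good enough.
            if (tolower(override) != "none") flag(tag ": AllowOverride " override " (expected None)")
            if (tolower(options) != "none") flag(tag ": Options " options " (expected None)")
        } else {
            # Elsewhere only settings that were explicitly opened up are reported.
            if (override != "(unset)" && tolower(override) != "none") flag(tag ": AllowOverride " override " (review)")
            if (options != "(unset)" && tolower(options) != "none") flag(tag ": Options " options " (review)")
        }
        inblock = 0
        next
    }
    inblock {
        l = tolower($0); sub(/^[ \t]+/, "", l); sub(/[ \t]+$/, "", l)
        if (l ~ /^allowoverride[ \t]/)             { override = l; sub(/^allowoverride[ \t]+/, "", override) }
        else if (l ~ /^options[ \t]/)              { options = l; sub(/^options[ \t]+/, "", options) }
        else if (l ~ /^deny[ \t]+from[ \t]+all$/)  denyall = 1
        else if (l ~ /^allow[ \t]+from[ \t]+all$/) allowall = 1
    }
    END { exit (bad > 0) }
    ' "$1"
}

# audit_serverroot_perms SERVERROOT [OWNER]
# Walks SERVERROOT (absolute path), its bin/conf/logs subdirectories and
# every parent up to /, reporting directories that are group- or
# world-writable or not owned by OWNER (default root). Exit status 1 if
# anything was reported; 2 on a relative path.
audit_serverroot_perms() {
    root=$1; want=${2:-root}; bad=0; dirs=""
    case $root in /*) ;; *) echo "audit_serverroot_perms: absolute path required" >&2; return 2 ;; esac
    d=$root
    while :; do                      # collect the parents too: a writable
        dirs="$dirs $d"              # parent lets the whole tree be renamed
        [ "$d" = "/" ] && break
        d=$(dirname "$d")
    done
    for sub in bin conf logs; do
        [ -d "$root/$sub" ] && dirs="$dirs $root/$sub"
    done
    for d in $dirs; do               # (paths containing spaces are not handled)
        set -- $(ls -ld "$d")        # $1 = mode string, $3 = owner, on any ls flavour
        case $1 in
            ?????w*|????????w*) echo "review: $d is group/world writable ($1)"; bad=1 ;;
        esac
        [ "$3" = "$want" ] || { echo "review: $d owned by $3, expected $want"; bad=1; }
    done
    return $bad
}

# Stand-alone demonstration on a constructed config and directory tree.
demo=$(mktemp -d)
cat > "$demo/httpd.conf" <<'EOF'
<Directory />
AllowOverride None
Options None
allow from all
</Directory>
<Location />
Order allow,deny
Allow from all
</Location>
EOF
mkdir -p "$demo/apache/conf" "$demo/apache/logs"
chmod 777 "$demo/apache/logs"
audit_httpd_conf "$demo/httpd.conf"        || echo "httpd.conf: review needed"
audit_serverroot_perms "$demo/apache" root || echo "ServerRoot permissions: review needed"
rm -rf "$demo"
```

Run it as a script to see the demo output, or source it and call the two functions against a real httpd.conf and ServerRoot; the permission walk deliberately reports /tmp-style sticky directories and any parent not owned by root, because those are exactly the "and their parents!" cases the post is pointing at.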
>
>Message: 1
>Date: Fri, 6 Apr 2001 12:51:51 -0700 (PDT)
>From: Seageraves Caren <cgreat2002 at yahoo.com>
>To: techtalk at linuxchix.org
>Subject: [techtalk] Running Apache as Root.
>
><snipped>