[techtalk] Re: Running Apache as Root.

[BiOFH]

Pitfalls abound and security holes can be multitudinous. (that sound 
scary enough? LOL)
The  Apache server generally is run by root. The User directive is 
used from there to set "who" serves up content. Running the server as 
a user other than root can (will) cause problems... in your case 
mod_admin (and mod_proxy if you use it) will choke, so you're 
probably better off as is. Just make sure the User directive is used 
properly. There are some basic tenants to follow , however, to 'help' 
reduce security incidents.

Disallow  user created .htaccess lists (if you have users on the 
server, that is).
Don't allow them (anyone. user or cracker) to get to the filesystem 
(root and the daemon still have access).
Disallow access to root "userdir" by anyone (the actual server still 
has access, just not anything served up)

Add the following to the server config file if you have users.
<Directory />
AllowOverride None
Options None
allow from all
</Directory>

<Directory />
Order deny,allow
Deny from all
  </Directory>
         
UserDir disabled root
(I haven't decided if the allow and deny cancel out...
also be sure to look for <Location />'s that might circumvent this)

Make sure no one but root can right to the serverroot directories (an 
their parents!).
This includes bin, conf, logs, the apache directory, etc.
You can then open up permissions for individual users on their directories.
If your logs dir is open for writing, a decent script kiddie can gain 
UID 0 or, at the very least, cause some havoc. A true cracker could 
own the system fairly quickly.

You're not allowing users to execute CGI, but I'll include this in 
case someone else is following this thread.
  When allowing CGI, consider using (and enforcing the use of) CGIwrap
  (http://wwwcgi.umr.edu/~cgiwrap/). If users are not executing CGI 
(or you have them using aliasing), tighten up permissions on the 
server's CGI area as tight as you can. And always -check your code- 
CGI exploits are the easiest to pull off by far.
All my Perl script CGIs which are visible for human consumption 
contain something like this:

use CGI::Carp 'fatalsToBrowser';

##################### DDoS Band-Aid ############################
$CGI::POST_MAX=1024 * 100;  # maximum of 100k posts
			# set lower use sites to alower value
$CGI::DISABLE_UPLOADS = 1;  # no uploads allowed


##################### ### script kiddie defense ################
## Calls must originate "here" (yourdomain.com).
if (($ENV{'HTTP_REFERER'}) && ($ENV{'HTTP_REFERER'} !~ 
/^http:\/\/YourDomain.com/)) {
print header;
print start_html('ERROR'),h1('Outside connections are not allowed')
print end_html;
exit 0;
  }
#####################

That's way more than I intended to write and there's plenty more... 
unfortunately.
And always in touch at http://httpd.apache.org/bug_report.html   =D
Good luck with this and keep your fingers crossed. :) Now... to catch up on all
this linuxchix mail I haven't read... hehe this one just caught my eye.
Maggie

>
>Message: 1
>Date: Fri, 6 Apr 2001 12:51:51 -0700 (PDT)
>From: Seageraves Caren <cgreat2002 at yahoo.com>
>To: techtalk at linuxchix.org
>Subject: [techtalk] Running Apache as Root.
>
><snipped>


-- -------------- next part --------------
An HTML attachment was scrubbed...
URL: http://linuxchix.org/pipermail/techtalk/attachments/20010408/93c4e3b2/attachment.xhtml