[users@httpd] Apache Security

[Larry McFarlane <LM...@tconl.com>]

Hello,

Will someone let me know if I'm on the ball here.  I've just reviewed our 
production system and don't like what I see.

Apache starts up as root, creates the pid, and switches to the dodo user 
that you specify in the httpd.conf file.

An Admin should make sure that all of Apache's files (including your 
document root) is owned and grouped by root.

The attributes of the files in document root should have ReadWrite, Read, 
Read attributes.  CGI is out of the picture here and isn't relevant.

The reason for this is in case Apache is exploited, Apache won't be able 
to go on a rampage because the file system is protected by root.
Apache, now operating as the dodo user will in theory, be denied.

The only reason why I feel you should assign different users/groups to 
Apache's directory tree is when the server is a development/staging
server.  You wouuld probably want to do this if you want your developers 
access to specific directories/files and not overwrite someone else's
work.  When migrating to production, only a root user should be able to 
migrate the changes to ensure that all files maintain root permissions.

Any input would be greatly appreciated!


-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Apache Security

[Larry McFarlane <LM...@tconl.com>]

Joshua,

Sorry, I would really just like confirmation that my thinking is correct.

Larry

On Sat, 25 Oct 2003 23:24:27 -0400 (Eastern Daylight Time), Joshua Slive 
<jo...@slive.ca> wrote:

>
> On Sat, 25 Oct 2003, Larry McFarlane wrote:
>> Will someone let me know if I'm on the ball here.  I've just reviewed 
>> our
>> production system and don't like what I see.
>
> I really don't understand the question you are asking.  Can you be more
> specific about exactly what you want to know?
>
> Joshua.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server 
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org



-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Apache Security

[Joshua Slive <jo...@slive.ca>]

On Sat, 25 Oct 2003, Larry McFarlane wrote:
> Will someone let me know if I'm on the ball here.  I've just reviewed our
> production system and don't like what I see.

I really don't understand the question you are asking.  Can you be more
specific about exactly what you want to know?

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org