Posted to bugs@httpd.apache.org by bu...@apache.org on 2002/09/19 19:04:04 UTC

DO NOT REPLY [Bug 12822] New: - documentation suggests insecure file permissions

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12822

           Summary: documentation suggests insecure file permissions
           Product: Apache httpd-1.3
           Version: 1.3.26
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Minor
          Priority: Other
         Component: Documentation
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: hlein@progressive-comp.com


This is minor, but: auth.html in the manual suggests file ownership/permissions 
for any htpasswd-generated password file which could be stricter.  From the 
documentation which shipped with 1.3.26 (2.0.x may be identical; I haven't 
checked): 
 
"Nevertheless, you should store the file in as secure a location as possible, 
with whatever minimum permissions on the file so that the web server itself can 
read the file. For example, if your server is configured to run as user nobody 
and group nogroup, then you should set permissions on the file so that only 
that user can read the file:" 
 
...This much I agree with.  However, the suggestion is then made: 
 
"chown nobody.nogroup /usr/local/apache/passwd/passwords 
chmod 640 /usr/local/apache/passwd/passwords" 
 
I think root.nogroup, mode 640, would be more appropriate in the above example: 
unless the webserver is meant to maintain (modify) the password file(s), there 
is no reason for the apache-user to own the file.  In fact the ownership 
suggested in the manual allows any malicious CGI, etc to modify the password 
file.  This is not too big a deal however, since malicious CGIs running as the 
apache user can already tamper with the running server child processes, bypass 
htaccess restrictions and access the filesystem directly, etc.  However, 
recommending least-privilege should do exactly that, recommend the least 
privilege necessary :)

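Added example (not part of the original bug report or of the Apache manual): a shell check for the layout the report argues for, where the password file is not owned by the server user, is readable through the server's group, and is closed to everyone else. The function name audit_htpasswd and its numeric uid/gid arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a password file against the layout the report proposes
# (owner is not the server user, server group may read, nobody else has access).
# Usage: audit_htpasswd FILE SERVER_UID SERVER_GID   (numeric ids)
# Returns 0 when nothing is flagged, 1 when there are findings, 2 on error.
audit_htpasswd() {
    file=$1 srv_uid=$2 srv_gid=$3 rc=0
    [ -f "$file" ] || { echo "ERROR: not a regular file: $file"; return 2; }

    # ls -ldn prints: mode links uid gid size ...; only the first four fields are used.
    set -- $(ls -ldn "$file")
    mode=$1 uid=$3 gid=$4

    # The owner can always chmod and rewrite the file, whatever the mode bits say.
    if [ "$uid" = "$srv_uid" ]; then
        echo "FINDING: owned by the server uid $srv_uid; code running as that user can modify it"
        rc=1
    fi

    # Mode string positions: 1 type, 2-4 owner, 5-7 group, 8-10 other.
    case $mode in
        ?????w*) echo "FINDING: group-writable (gid $gid)"; rc=1 ;;
    esac
    case $mode in
        ???????---*) ;;
        *) echo "FINDING: accessible to other users (mode $mode)"; rc=1 ;;
    esac

    # The server still has to read the file, and it does so through its group.
    if [ "$uid" != "$srv_uid" ]; then
        case $mode in
            ????r*) [ "$gid" = "$srv_gid" ] ||
                { echo "FINDING: group is $gid, not the server gid $srv_gid"; rc=1; } ;;
            *) echo "FINDING: not group-readable, the server cannot read it"; rc=1 ;;
        esac
    fi
    return $rc
}

# When run as a script with three arguments, audit that file.
if [ $# -eq 3 ]; then audit_htpasswd "$@"; fi
```

A file that is root-owned, in the server's group and mode 640 passes; the nobody-owned file from the manual's example is flagged on ownership alone.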