Posted to users@httpd.apache.org by Hiep Nguyen <hi...@ee.ucr.edu> on 2007/12/12 15:13:37 UTC
[users@httpd] security issue
Hi list,
I installed Apache on CentOS 5 and I have some questions regarding
security for Apache. I read the security tips on
http://httpd.apache.org/docs/2.2/misc/security_tips.html and get the idea,
but still need some advice from the gurus here.
/etc/httpd/conf/httpd.conf:
ServerRoot "/etc/httpd"
User apache
Group apache
DocumentRoot "/var/www/html"
As of now, /var/www/html/ belongs to the root user and group.
But I have a couple of developers here who need to upload files to this folder,
and I don't want to give out the root password. What should I change
the /var/www/html/ folder to?
I also have an SSI folder (/var/www/html/includes) that I don't want any
web user to have access to, because these include files contain the
user/password for MySQL.
For example, at the beginning of /var/www/html/index.php, I have:
<?php
include_once('/var/www/html/includes/global.php');
include_once('/var/www/html/includes/connect.php');
?>
I am trying to prevent web users from doing this:
wget http://10.0.0.120/includes/global.php
but at the same time allow the Apache server to access files in the
/var/www/html/includes/ folder.
Any idea/suggestion?
Thank you,
t. hiep
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] security issue
Posted by "Neil A. Hillard" <ne...@agustawestland.com>.
Hi,
Karel Kubat wrote:
> Hi Hiep,
>
> On Dec 12, 2007, at 3:13 PM, Hiep Nguyen wrote:
>
>> I installed Apache on CentOS 5 and I have some questions regarding
>> security for Apache. I read the security tips on
>> http://httpd.apache.org/docs/2.2/misc/security_tips.html and get the
>> idea, but still need some advice from the gurus here.
>
>> /etc/httpd/conf/httpd.conf:
>> ServerRoot "/etc/httpd"
>> User apache
>> Group apache
>> DocumentRoot "/var/www/html"
>
>> As of now, /var/www/html/ belongs to the root user and group.
>
> Make this apache:apache, it fits better with the User/Group specifiers
> above.
That's got to be a seriously bad move. Doing that will give the user
that the web server is running as write access to the document root.
Someone posted earlier on the list about creating a group, etc., which
would seem a much better way of handling things.
>> But I have a couple of developers here who need to upload files to this
>> folder, and I don't want to give out the root password. What should I
>> change the /var/www/html/ folder to?
>
> Use apache:apache if you think that all developers are trustworthy ;-)
> Definitely not root:root. When you make the ownership change, verify
> that apache:apache may indeed read /var/www/html/.
See above. How are you suggesting the developers upload files? By
adding them to the apache group? Please see a previous post for a much
better solution.
HTH,
Neil.
--
Neil Hillard neil.hillard@agustawestland.com
AgustaWestland http://www.whl.co.uk/
Disclaimer: This message does not necessarily reflect the
views of Westland Helicopters Ltd.
Re: [users@httpd] security issue
Posted by Hiep Nguyen <hi...@ee.ucr.edu>.
On Wed, 12 Dec 2007, Karel Kubat wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Hiep,
>
> On Dec 12, 2007, at 3:13 PM, Hiep Nguyen wrote:
>
>> I installed Apache on CentOS 5 and I have some questions regarding security
>> for Apache. I read the security tips on
>> http://httpd.apache.org/docs/2.2/misc/security_tips.html and get the idea,
>> but still need some advice from the gurus here.
>>
>> /etc/httpd/conf/httpd.conf:
>> ServerRoot "/etc/httpd"
>> User apache
>> Group apache
>> DocumentRoot "/var/www/html"
>>
>> As of now, /var/www/html/ belongs to the root user and group.
>
> Make this apache:apache, it fits better with the User/Group specifiers above.
Is there any security risk in changing /var/www/html/ to apache:apache?
How do the developers upload/download files?
Should I create a user/group and let all of them use this user to
upload/download files?
>
>> But I have a couple of developers here who need to upload files to this folder,
>> and I don't want to give out the root password. What should I change
>> the /var/www/html/ folder to?
>
> Use apache:apache if you think that all developers are trustworthy ;-)
> Definitely not root:root. When you make the ownership change, verify that
> apache:apache may indeed read /var/www/html/.
How do I verify this?
>
>> I also have an SSI folder (/var/www/html/includes) that I don't want any web
>> user to have access to, because these include files contain the user/password
>> for MySQL.
>> For example, at the beginning of /var/www/html/index.php, I have:
>> <?php
>> include_once('/var/www/html/includes/global.php');
>> include_once('/var/www/html/includes/connect.php');
>> ?>
>
> PHP includes this way locally, from the file system. There is no need to park
> these files in the docroot tree. E.g., stick them in /var/www/includes/,
> outside of /var/www/html. Then use
> include_once('/var/www/includes/global.php').
>
>> I am trying to prevent web users from doing this:
>> wget http://10.0.0.120/includes/global.php
>> but at the same time allow the Apache server to access files in the
>> /var/www/html/includes/ folder.
>
> Definitely a good idea ;-)
> See above..
> HTH,
> --
> Karel Kubat / M +31 6 2956 4861 (+31 6 AWK 6 HUM 1)
> From the collection of Wise Quotes:
> "I'm not into working out. My philosophy: No
> pain, no pain." - Carol Leifer
>
Re: [users@httpd] security issue
Posted by Karel Kubat <ka...@e-tunity.com>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Hiep,
On Dec 12, 2007, at 3:13 PM, Hiep Nguyen wrote:
> I installed Apache on CentOS 5 and I have some questions regarding
> security for Apache. I read the security tips on
> http://httpd.apache.org/docs/2.2/misc/security_tips.html and get the idea,
> but still need some advice from the gurus here.
>
> /etc/httpd/conf/httpd.conf:
> ServerRoot "/etc/httpd"
> User apache
> Group apache
> DocumentRoot "/var/www/html"
>
> As of now, /var/www/html/ belongs to the root user and group.
Make this apache:apache, it fits better with the User/Group
specifiers above.
> But I have a couple of developers here who need to upload files to this
> folder, and I don't want to give out the root password. What
> should I change the /var/www/html/ folder to?
Use apache:apache if you think that all developers are
trustworthy ;-) Definitely not root:root. When you make the ownership
change, verify that apache:apache may indeed read /var/www/html/.
> I also have an SSI folder (/var/www/html/includes) that I don't want
> any web user to have access to, because these include files contain the
> user/password for MySQL.
> For example, at the beginning of /var/www/html/index.php, I have:
> <?php
> include_once('/var/www/html/includes/global.php');
> include_once('/var/www/html/includes/connect.php');
> ?>
PHP includes this way locally, from the file system. There is no need
to park these files in the docroot tree. E.g., stick them in
/var/www/includes/, outside of /var/www/html. Then use
include_once('/var/www/includes/global.php').
> I am trying to prevent web users from doing this:
> wget http://10.0.0.120/includes/global.php
> but at the same time allow the Apache server to access files in the
> /var/www/html/includes/ folder.
Definitely a good idea ;-)
See above..
HTH,
--
Karel Kubat / M +31 6 2956 4861 (+31 6 AWK 6 HUM 1)
From the collection of Wise Quotes:
"I'm not into working out. My philosophy: No
pain, no pain." - Carol Leifer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
iD8DBQFHX/Ma23FrzRzybNURAuoUAJ9Oe+myyzOTcwXTgT2qfoe+lury+ACgmKXZ
r8ZP+UpEyz5jPZAtYknFN2A=
=SPCk
-----END PGP SIGNATURE-----
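The scheme the replies converge on (a developers' group with write access to the document root, the apache account reading only, the credential-bearing includes moved out of the document root) worked through as an added example; this is not code from the thread or from the httpd project. The group name webdev, the target path /var/www/includes and the use of sudo to impersonate the apache account are assumptions. The functions use only find, chmod, chgrp and mv, so the permission logic can be exercised on any scratch directory, and verify_read_as is the answer to the "how do I verify this?" question above.

```shell
#!/bin/sh
# Added example, not code from the thread. Model: developers write through a
# shared group (assumed: webdev), the httpd worker (User/Group apache) owns
# nothing and is not in that group, so it reads the docroot only through the
# "other" bits; the include files holding the MySQL credentials live outside
# the docroot, readable by the apache group and by nobody else.

# Report what the worker account could NOT read: directories without o+rx,
# files without o+r. Empty output means Apache can serve the whole tree.
unreadable_by_other() {
    find "$1" \( \( -type d ! -perm -o+rx \) -o \( -type f ! -perm -o+r \) \) -print
}

# Report what the worker account COULD write: world-writable entries.
# Group write is intended (that is how the developers upload), so it is
# deliberately not a finding here.
writable_by_other() {
    find "$1" -perm -o+w -print
}

# Hand the tree to the developers' group and set modes so that group members
# write and everyone else, apache included, only reads. chgrp accepts any
# group the caller belongs to; giving the files to root:webdev needs root.
assign_docroot() {   # assign_docroot /var/www/html webdev
    docroot=$1; devgroup=$2
    chgrp -R "$devgroup" "$docroot"
    # directories: rwx owner+group, rx other; setgid so files uploaded later
    # inherit the developers' group instead of the uploader's primary group
    find "$docroot" -type d -exec chmod 2775 {} +
    # files: rw owner+group, r other; PHP under mod_php needs no execute bit
    find "$docroot" -type f -exec chmod 664 {} +
}

# Move the include files out of the document root, give them to the httpd
# group read-only and strip every "other" bit, so no Alias, directory
# listing or direct URL can ever return them.
relocate_includes() {   # relocate_includes /var/www/html/includes /var/www/includes apache
    src=$1; dst=$2; srvgroup=$3
    mv "$src" "$dst"
    chgrp -R "$srvgroup" "$dst"
    find "$dst" -type d -exec chmod 750 {} +
    find "$dst" -type f -exec chmod 640 {} +
}

# Prove the worker account can actually open every file (requires root or a
# sudo rule for the apache account; a failure prints the offending path).
verify_read_as() {   # verify_read_as apache /var/www/html
    sudo -u "$1" find "$2" -type f -exec cat {} + > /dev/null
}
```

After assign_docroot the developers' uploads need no root password, only membership in the group, and a periodic run of writable_by_other and unreadable_by_other catches files that arrive with the wrong mode. If the include files have to stay under the DocumentRoot, the fallback in Apache 2.2 is a <Directory /var/www/html/includes> block with Order allow,deny and Deny from all, so requests for /includes/ are refused while PHP still reads the files from disk. Either way the worker account must be able to read the credentials, so any local file inclusion or a handler misconfiguration that returns a .php file as plain text still exposes them; moving them outside the docroot only removes the direct-URL path.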