Posted to cvs@httpd.apache.org by rb...@apache.org on 2002/11/07 04:03:33 UTC
cvs commit: httpd-2.0/docs/manual/misc security_tips.html.en security_tips.xml
rbowen 2002/11/06 19:03:33
Modified: docs/manual/misc security_tips.html.en security_tips.xml
Log:
As per discussion on users@httpd.apache.org and a little on IRC, clarify
that "third party" modules can do basically whatever they want, and
typically do it as the "User" uid, so Caveat Administrator
Revision Changes Path
1.6 +13 -1 httpd-2.0/docs/manual/misc/security_tips.html.en
Index: security_tips.html.en
===================================================================
RCS file: /home/cvs/httpd-2.0/docs/manual/misc/security_tips.html.en,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- security_tips.html.en 10 Sep 2002 01:41:49 -0000 1.5
+++ security_tips.html.en 7 Nov 2002 03:03:32 -0000 1.6
@@ -7,7 +7,7 @@
--><title>Security Tips - Apache HTTP Server</title><link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /><link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /><link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link href="../images/favicon.ico" rel="shortcut icon" /></head><body id="manual-page"><div id="page-header"><p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p><p class="apache">Apache HTTP Server Version 2.0</p><img alt="" src="../images/feather.gif" /></div><div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div><div id="path"><a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs-project/">Documentation</a> > <a href="../">Version 2.0</a></div><div id="page-content"><div id="preamble"><h1>Security Tips</h1>
<p>Some hints and tips on security issues in setting up a web server.
Some of the suggestions will be general, others specific to Apache.</p>
- </div><div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#serverroot">Permissions on ServerRoot Directories</a></li><li><img alt="" src="../images/down.gif" /> <a href="#ssi">Server Side Includes</a></li><li><img alt="" src="../images/down.gif" /> <a href="#cgi">CGI in General</a></li><li><img alt="" src="../images/down.gif" /> <a href="#nsaliasedcgi">Non Script Aliased CGI</a></li><li><img alt="" src="../images/down.gif" /> <a href="#saliasedcgi">Script Aliased CGI</a></li><li><img alt="" src="../images/down.gif" /> <a href="#systemsettings">Protecting System Settings</a></li><li><img alt="" src="../images/down.gif" /> <a href="#protectserverfiles">Protect Server Files by Default</a></li><li><img alt="" src="../images/down.gif" /> <a href="#watchyourlogs">Watching Your Logs</a></li></ul></div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="section"><h2><a name="serverroot" id="serverroot">Permissions on ServerRoot Directories</a></h2>
+ </div><div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#serverroot">Permissions on ServerRoot Directories</a></li><li><img alt="" src="../images/down.gif" /> <a href="#ssi">Server Side Includes</a></li><li><img alt="" src="../images/down.gif" /> <a href="#cgi">CGI in General</a></li><li><img alt="" src="../images/down.gif" /> <a href="#nsaliasedcgi">Non Script Aliased CGI</a></li><li><img alt="" src="../images/down.gif" /> <a href="#saliasedcgi">Script Aliased CGI</a></li><li><img alt="" src="../images/down.gif" /> <a href="#dynamic">Other sources of dynamic content</a></li><li><img alt="" src="../images/down.gif" /> <a href="#systemsettings">Protecting System Settings</a></li><li><img alt="" src="../images/down.gif" /> <a href="#protectserverfiles">Protect Server Files by Default</a></li><li><img alt="" src="../images/down.gif" /> <a href="#watchyourlogs">Watching Your Logs</a></li></ul></div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="section"><h2><a name="serverroot" id="serverroot">Permissions on ServerRoot Directories</a></h2>
@@ -139,6 +139,18 @@
<p>Most sites choose this option over the non script aliased CGI
approach.</p>
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="section"><h2><a name="dynamic" id="dynamic">Other sources of dynamic content</a></h2>
+
+
+
+ <p>
+ Embedded scripting options which run as part of the server itself,
+ such as mod_php, mod_perl, mod_tcl, and mod_python, run under the
+ identify of the server itself, (see the <code class="directive"><a href="../mod/mpm_common.html#user">User</a></code> directive) and therefore
+ scripts executed by these engines potentially can access anything the
+ server user can. some scripting engines may provide restrictions, but
+ it is better to be safe and assume not.</p>
+
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="section"><h2><a name="systemsettings" id="systemsettings">Protecting System Settings</a></h2>
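Review bot: the generated html.en carries the same wording errors as the xml source it is built from ("identify of the server itself", the comma placed before the parenthetical instead of after it, and lowercase "some" opening a sentence), so the fix belongs in security_tips.xml with the html regenerated, not an edit to this file, or the two will drift. The three empty `+` lines between the `<h2>` for "Other sources of dynamic content" and the `<p>` are also noise in the generated output and should be trimmed at the source.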
1.2 +16 -1 httpd-2.0/docs/manual/misc/security_tips.xml
Index: security_tips.xml
===================================================================
RCS file: /home/cvs/httpd-2.0/docs/manual/misc/security_tips.xml,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- security_tips.xml 23 Aug 2002 21:02:16 -0000 1.1
+++ security_tips.xml 7 Nov 2002 03:03:33 -0000 1.2
@@ -124,7 +124,7 @@
<a href="http://cgiwrap.unixtools.org/">CGIWrap</a>.</p>
</section>
-
+
<section id="nsaliasedcgi">
<title>Non Script Aliased CGI</title>
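Review bot: this hunk replaces a blank line with a blank line, so the only difference can be invisible whitespace; the log message does not mention it, and it adds a hunk for reviewers to read with no content in it. Either drop it from the commit or note it in the log.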
@@ -155,6 +155,21 @@
<p>Most sites choose this option over the non script aliased CGI
approach.</p>
+ </section>
+
+ <section id="dynamic">
+
+ <title>Other sources of dynamic content</title>
+
+ <p>
+ Embedded scripting options which run as part of the server itself,
+ such as mod_php, mod_perl, mod_tcl, and mod_python, run under the
+ identify of the server itself, (see the <directive
+ module="mpm_common">User</directive> directive) and therefore
+ scripts executed by these engines potentially can access anything the
+ server user can. some scripting engines may provide restrictions, but
+ it is better to be safe and assume not.</p>
+
</section>
<section id="systemsettings">
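Review bot: three text errors in the new `dynamic` section, and one substantive gap. "identify of the server itself" should read "identity of the server itself"; the comma belongs after the parenthetical, i.e. "the server itself (see the User directive), and therefore"; and "some scripting engines may provide restrictions" needs a capital S. On substance, "some scripting engines may provide restrictions, but it is better to be safe and assume not" is the right instinct but leaves the reader without the practical consequence: say plainly that engine-level restrictions are not a security boundary, and point back to the "Permissions on ServerRoot Directories" and "Protect Server Files by Default" sections, since the real mitigation is that the User uid has no access to anything the scripts do not need. That ties the new section to the advice the page already gives rather than leaving it as a warning with no action.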
Re: cvs commit: httpd-2.0/docs/manual/misc security_tips.html.en security_tips.xml
Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Joshua Slive wrote:
>
> > + Embedded scripting options which run as part of the server itself,
> > + such as mod_php, mod_perl, mod_tcl, and mod_python, run under the
> > + identify of the server itself, (see the <directive
>
> "identity" rather than "identify"
that was corrected in the irc discussion, but rich missed it. :-)
> > + module="mpm_common">User</directive> directive) and therefore
parenthetical clauses precede commas rather than follow them. move the
comma from 'itself, (see..) and' to 'itself (see..), and'.
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
Re: cvs commit: httpd-2.0/docs/manual/misc security_tips.html.en security_tips.xml
Posted by Joshua Slive <jo...@slive.ca>.
> + Embedded scripting options which run as part of the server itself,
> + such as mod_php, mod_perl, mod_tcl, and mod_python, run under the
> + identify of the server itself, (see the <directive
"identity" rather than "identify"
> + module="mpm_common">User</directive> directive) and therefore
> + scripts executed by these engines potentially can access anything the
> + server user can. some scripting engines may provide restrictions, but
Capital "s" on "some".
Joshua.