Posted to cvs@httpd.apache.org by Dean Gaudet <dg...@hyperreal.com> on 1997/03/17 00:34:04 UTC
cvs commit: apache/htdocs/manual/mod core.html mod_userdir.html
dgaudet 97/03/16 15:34:03
Modified: htdocs/manual/misc security_tips.html
htdocs/manual/mod core.html mod_userdir.html
Log:
Add security notes about protecting /, and avoiding "UserDir ./".
Submitted by: Ken Coar
Revision Changes Path
1.6 +73 -4 apache/htdocs/manual/misc/security_tips.html
Index: security_tips.html
===================================================================
RCS file: /export/home/cvs/apache/htdocs/manual/misc/security_tips.html,v
retrieving revision 1.5
retrieving revision 1.6
diff -C3 -r1.5 -r1.6
*** security_tips.html 1997/02/03 01:40:50 1.5
--- security_tips.html 1997/03/16 23:34:01 1.6
***************
*** 1,17 ****
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML>
<HEAD>
! <TITLE>Apache HTTP Server Documentation</TITLE>
</HEAD>
<BODY>
<!--#include virtual="header.html" -->
! <H1>Security tips for server configuration</H1>
<hr>
<P>Some hints and tips on security issues in setting up a web server. Some of
! the suggestions will be general, other, specific to Apache
<HR>
--- 1,17 ----
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML>
<HEAD>
! <TITLE>Apache HTTP Server: Security Tips</TITLE>
</HEAD>
<BODY>
<!--#include virtual="header.html" -->
! <H1>Security Tips for Server Configuration</H1>
<hr>
<P>Some hints and tips on security issues in setting up a web server. Some of
! the suggestions will be general, others specific to Apache.
<HR>
***************
*** 21,27 ****
<a href="../mod/core.html#user"><b>User</b></a> directive. Anyone who
has write permission for the directory where any log files are
being written to can append pseudo-arbitrary data to any file on the
! system which is writable to the user who starts Apache. Since the
server is normally started by root, you should <EM>NOT</EM> give anyone
write permission to the directory where logs are stored unless you
want them to have root access.
--- 21,27 ----
<a href="../mod/core.html#user"><b>User</b></a> directive. Anyone who
has write permission for the directory where any log files are
being written to can append pseudo-arbitrary data to any file on the
! system which is writable by the user who starts Apache. Since the
server is normally started by root, you should <EM>NOT</EM> give anyone
write permission to the directory where logs are stored unless you
want them to have root access.
***************
*** 95,100 ****
--- 95,169 ----
This stops all overrides, Includes and accesses in all directories apart
from those named.<p>
+ <HR>
+ <H2>
+ Protect server files by default
+ </H2>
+ <P>
+ One aspect of Apache which is occasionally misunderstood is the feature
+ of default access. That is, unless you take steps to change it, if the
+ server can find its way to a file through normal URL mapping rules, it
+ can serve it to clients.
+ </P>
+ <P>
+ For instance, consider the following example:
+ </P>
+ <OL>
+ <LI><SAMP># cd /; ln -s / public_html</SAMP>
+ </LI>
+ <LI>Accessing <SAMP>http://localhost/~root/</SAMP>
+ </LI>
+ </OL>
+ <P>
+ This would allow clients to walk through the entire filesystem. To work
+ around this, add the following block to your server's configuration:
+ </P>
+ <PRE>
+ <Directory />
+ Order deny,allow
+ Deny from all
+ </Directory>
+ </PRE>
+ <P>
+ This will forbid default access to filesystem locations. Add
+ appropriate
+ <A
+ HREF="../mod/core.html#directory"
+ ><SAMP><Directory></SAMP></A>
+ blocks to allow access only
+ in those areas you wish. For example,
+ </P>
+ <PRE>
+ <Directory /usr/users/*/public_html>
+ Order deny,allow
+ Allow from all
+ </Directory>
+ <Directory /usr/local/httpd>
+ Order deny,allow
+ Allow from all
+ </Directory>
+ </PRE>
+ <P>
+ Pay particular attention to the interactions of
+ <A
+ HREF="../mod/core.html#location"
+ ><SAMP><Location></SAMP></A>
+ and
+ <A
+ HREF="../mod/core.html#directory"
+ ><SAMP><Directory></SAMP></A>
+ directives; for instance, even if <SAMP><Directory /></SAMP>
+ denies access, a <SAMP><Location /></SAMP> directive might
+ overturn it.
+ </P>
+ <P>
+ Also be wary of playing games with the
+ <A
+ HREF="../mod/mod_userdir.html#userdir"
+ >UserDir</A>
+ directive; setting it to something like <SAMP>"./"</SAMP>
+ would have the same effect, for root, as the first example above.
+ </P>
<HR>
<P>Please send any other useful security tips to
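Review bot: this new "Protect server files by default" section adds a second `<Directory />` block immediately after a section whose closing sentence ("This stops all overrides, Includes and accesses in all directories apart from those named") already describes a `<Directory />` block; a reader who follows both sections literally ends up with two `<Directory />` containers in access.conf. Consider folding `Order deny,allow` / `Deny from all` into the earlier block, or stating that the two belong in the same container. The `# cd /; ln -s / public_html` example also depends on the server following symbolic links, so it is worth saying that the earlier restriction on options is part of the defence and not only the `Deny from all`. Minor: `Order deny,allow` here versus `Order Deny,Allow` in the core.html hunk of the same commit; one spelling avoids readers wondering whether the arguments are case-sensitive.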
1.39 +24 -0 apache/htdocs/manual/mod/core.html
Index: core.html
===================================================================
RCS file: /export/home/cvs/apache/htdocs/manual/mod/core.html,v
retrieving revision 1.38
retrieving revision 1.39
diff -C3 -r1.38 -r1.39
*** core.html 1997/02/23 00:42:33 1.38
--- core.html 1997/03/16 23:34:02 1.39
***************
*** 315,320 ****
--- 315,344 ----
<li>Apply any FileInfo directives in <code>/home/web/.htaccess</code>
</menu>
+ <P>
+ <STRONG>
+ Note that the default Apache access for <Directory /> is
+ <SAMP>Allow from All</SAMP>. This means that Apache will serve any file
+ mapped from an URL. It is recommended that you change this with a block
+ such as
+ </STRONG>
+ <PRE>
+ <Directory />
+ Order Deny,Allow
+ Deny from All
+ </Directory>
+ </PRE>
+ <P>
+ <STRONG>
+ and then override this for directories you <EM>want</EM> accessible.
+ See the
+ <A
+ HREF="../misc/security_tips.html"
+ >Security Tips</A>
+ page for more details.
+ </STRONG>
+ </P>
+
The directory sections typically occur in the access.conf file, but they
may appear in any configuration file. <Directory> directives cannot
nest, and cannot appear in a <A HREF="#limit"><Limit></A> section.
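Review bot: the `<P>` opened before the first `<STRONG>` is never closed, while the second paragraph gets an explicit `</P>`; close the first one before the `<PRE>` so the markup is consistent. Style: `Order Deny,Allow` / `Deny from All` here versus `Order deny,allow` / `Deny from all` in the security_tips.html hunk of this commit, and "mapped from an URL" should read "mapped from a URL".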
1.5 +17 -0 apache/htdocs/manual/mod/mod_userdir.html
Index: mod_userdir.html
===================================================================
RCS file: /export/home/cvs/apache/htdocs/manual/mod/mod_userdir.html,v
retrieving revision 1.4
retrieving revision 1.5
diff -C3 -r1.4 -r1.5
*** mod_userdir.html 1997/02/25 03:57:48 1.4
--- mod_userdir.html 1997/03/16 23:34:02 1.5
***************
*** 46,51 ****
--- 46,68 ----
UserDir http://www.foo.com/~*/ -> http://www.foo.com/~bob/one/two.html
</pre>
+ <P>
+ <STRONG>
+ Be careful when using this directive; for instance, <SAMP>"UserDir
+ ./"</SAMP> would map <SAMP>"/~root"</SAMP> to
+ <SAMP>"/"</SAMP> - which is probably undesirable. See also
+ the
+ <A
+ HREF="core.html#directory"
+ ><Directory></A>
+ directive and the
+ <A
+ HREF="../misc/security_tips.html"
+ >Security Tips</A>
+ page for more information.
+ </STRONG>
+ </P>
+
<!--#include virtual="footer.html" -->
</BODY>
</HTML>
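Review bot: the warning gives the outcome (`"/~root"` maps to `"/"`) but not the reason; one clause saying that a relative `UserDir` value is appended to each user's home directory, and that root's home directory is normally `/`, would tell readers why `./` is dangerous rather than leaving it looking like a special case, and would cover any other value that resolves to a directory high in the tree. Typography: the hyphen in `<SAMP>"/"</SAMP> - which` should be a semicolon or a proper dash. The anchor text `<Directory>` is bare here while the security_tips.html hunk wraps the same anchor text in `<SAMP>`; use one convention across the three files.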