Posted to users@httpd.apache.org by Greene Paul <gr...@bah.com> on 2002/02/15 23:08:55 UTC
Apache security
I'm new to Apache and just starting to dive into it, on both Linux and
OpenBSD platforms.
A few quick questions about Apache security:
Is there a way to configure the following requirements regarding
passwords?
-minimum password lengths (i.e. at least 8 characters)
-enforce password complexity requirements (mix of alpha-numeric
characters, plus special characters)
-expiration dates (i.e. "expire after 90 days")
-can users change their own passwords using htpasswd, through a web
interface (i.e. they don't have command shell access to the htpasswd
binary)
The files access_log, error_log, .htpasswd, and httpd.conf, all come
with default permissions of 644; can they be changed to 600 or 640
without breaking anything?
Thanks
Paul Greene
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
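The permission question above turns on who opens each file. httpd reads httpd.conf and opens its log files while it is still root at startup, before switching to the configured User/Group, so those can be 0600 root-owned. A password file named in an AuthUserFile directive is opened by the worker processes at request time, so it has to be readable by that User/Group, but nobody else needs it. The script below is an added example, not code from this thread or from the Apache project; it encodes that rule as a pure mode-bit check (no ACLs or capabilities) and the uid/gid values it uses are assumptions for illustration.

```python
"""Audit ownership/mode of Apache's files against who actually opens them.

Added example, not from the mailing-list thread. Rule encoded: files the root
parent opens at startup (httpd.conf, access_log, error_log) can be 0600
root-owned; a password file is opened by the workers, so it must be readable
by the User/Group from httpd.conf, yet still not world-readable.
"""
import os
import stat
import tempfile
from dataclasses import dataclass

# Opened by the root parent before it drops privileges.
OPENED_AS_ROOT = {"httpd.conf", "access_log", "error_log"}


@dataclass(frozen=True)
class Principal:
    uid: int
    gids: frozenset          # primary plus supplementary groups


def fake_stat(mode: int, uid: int, gid: int) -> os.stat_result:
    """Build a stat result for unit tests without touching the filesystem."""
    return os.stat_result((mode, 0, 0, 1, uid, gid, 1, 0, 0, 0))


def can_read(st: os.stat_result, who: Principal) -> bool:
    """Classic DAC check: owner class, else group class, else other class."""
    if who.uid == 0:
        return True                      # root bypasses mode bits
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == who.uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid in who.gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit(path: str, worker: Principal) -> list:
    """Return findings for one file; an empty list means the mode is fine."""
    st = os.stat(path)
    name = os.path.basename(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    readable = can_read(st, worker)
    if name in OPENED_AS_ROOT:
        if readable:
            findings.append(f"{name}: readable by the worker user, which never opens it; "
                            "0600 root-owned is enough")
    elif not readable:
        findings.append(f"{name}: not readable by the Apache User/Group; auth will fail")
    if mode & stat.S_IROTH:
        findings.append(f"{name}: world-readable ({oct(mode)}); use 0640 or 0600")
    return findings


def demo() -> dict:
    """Create the files from the thread in a temp dir and audit each one.

    The worker is simulated as a uid that does not own the files but shares
    their group, i.e. the usual root-owned, www-group layout (assumption).
    """
    cases = {"httpd.conf": 0o600, "error_log": 0o644,
             ".htpasswd": 0o600, ".htpasswd-group": 0o640}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        worker = Principal(uid=os.getuid() + 1,
                           gids=frozenset({os.stat(d).st_gid, os.getgid()}))
        for name, mode in cases.items():
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("x\n")           # constructed placeholder content
            os.chmod(p, mode)
            results[name] = audit(p, worker)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["ok"])
```

Run it as-is to see the four cases: a 0600 httpd.conf passes, a 0644 error_log is flagged twice, a 0600 .htpasswd owned by someone other than the Apache user is flagged as unreadable, and a 0640 .htpasswd whose group is the Apache Group passes. Point the `audit` function at the real paths and the real User/Group ids to check a live server.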
Re: Apache security
Posted by Joshua Slive <jo...@slive.ca>.
On Fri, 15 Feb 2002, Greene Paul wrote:
> Is there a way to configure the following requirements regarding
> passwords?
>
> -minimum password lengths (i.e. at least 8 characters)
> -enforce password complexity requirements (mix of alpha-numeric
> characters, plus special characters)
> -expiration dates (i.e. "expire after 90 days")
> -can users change their own passwords using htpasswd, through a web
> interface (i.e. they don't have command shell access to the htpasswd
> binary)
Apache provides no interface for changing or managing passwords other than
the basic command line tools. However, it uses a very standard format so
that you can easily use perl or whatever language you want to implement a
web-based system that has all these characteristics.
>
> The files access_log, error_log, .htpasswd, and httpd.conf, all come
> with default permissions of 644; can they be changed to 600 or 640
> without breaking anything?
Should be no problem, assuming you are running apache as root; except for
.htpasswd which I believe must be readable by the User/Group mentioned in
httpd.conf.
Joshua.
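What "a very standard format" buys you in practice: each line of the file is `user:hash`, so a small script can enforce length and complexity rules, rewrite one user's line, and keep expiry dates in a sidecar file (the htpasswd format itself carries no dates). The following is an added example, not code from this thread or from the Apache project. It uses Apache's `{SHA}` scheme (base64 of SHA-1, what `htpasswd -s` writes) only because it needs no third-party module; on Apache 2.4 prefer bcrypt (`htpasswd -B`). The sidecar file name and the `demo()` walkthrough are assumptions. One caveat a web-facing change-password handler brings with it: whatever user runs it must be able to write the password file, so run it under a dedicated user (suexec or similar) and keep the file outside the document root.

```python
"""Password policy, expiry and self-service change on top of an htpasswd file.

Added example, not from the thread and not the Apache project's code. Relies
only on the "user:hash" line format. Hash scheme: Apache's {SHA}. Expiry is
tracked in an assumed sidecar JSON file next to the password file.
"""
import base64
import hashlib
import hmac
import json
import os
import re
import tempfile
import time

MIN_LEN = 8
MAX_AGE = 90 * 24 * 3600                              # "expire after 90 days"
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")   # ':' or newline would corrupt the file


def check_policy(password: str) -> list:
    """Return the policy violations; empty means acceptable."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, special")
    return problems


def sha_hash(password: str) -> str:
    """Apache's {SHA} scheme, as written by 'htpasswd -s'."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def verify(entry_hash: str, password: str) -> bool:
    """Constant-time check against a {SHA} entry; other schemes are rejected here."""
    return entry_hash.startswith("{SHA}") and hmac.compare_digest(entry_hash, sha_hash(password))


def lookup(htpasswd_path: str, user: str):
    """Return the stored hash for user, or None if absent."""
    if not os.path.exists(htpasswd_path):
        return None
    with open(htpasswd_path) as f:
        for line in f:
            name, _, h = line.rstrip("\n").partition(":")
            if name == user:
                return h
    return None


def set_password(htpasswd_path, meta_path, user, new_password, now=None) -> None:
    """Enforce policy, rewrite the user's line atomically, record the change time."""
    if not USERNAME_RE.match(user):
        raise ValueError("invalid username")
    problems = check_policy(new_password)
    if problems:
        raise ValueError("; ".join(problems))
    lines = []
    if os.path.exists(htpasswd_path):
        with open(htpasswd_path) as f:
            lines = [l.rstrip("\n") for l in f if l.strip()]
    kept = [l for l in lines if l.partition(":")[0] != user]
    kept.append(f"{user}:{sha_hash(new_password)}")
    tmp = htpasswd_path + ".tmp"
    with open(tmp, "w") as f:                 # write-then-rename: never a half-written file
        f.write("\n".join(kept) + "\n")
    os.chmod(tmp, 0o640)                      # owner plus the Apache group, nobody else
    os.replace(tmp, htpasswd_path)
    meta = {}
    if os.path.exists(meta_path):
        with open(meta_path) as f:
            meta = json.load(f)
    meta[user] = time.time() if now is None else now
    with open(meta_path, "w") as f:
        json.dump(meta, f)


def is_expired(meta_path, user, now=None) -> bool:
    """True when the last change is older than MAX_AGE or was never recorded."""
    now = time.time() if now is None else now
    if not os.path.exists(meta_path):
        return True
    with open(meta_path) as f:
        meta = json.load(f)
    return user not in meta or now - meta[user] > MAX_AGE


def change_password(htpasswd_path, meta_path, user, old_password, new_password, now=None) -> bool:
    """Self-service path: prove the old password before accepting a new one."""
    current = lookup(htpasswd_path, user)
    if current is None or not verify(current, old_password):
        return False
    set_password(htpasswd_path, meta_path, user, new_password, now)
    return True


def demo() -> dict:
    """Walk the lifecycle in a temp dir (constructed data); returns each step's result."""
    out, t0, day = {}, 1_000_000_000, 86400
    with tempfile.TemporaryDirectory() as d:
        pw, meta = os.path.join(d, ".htpasswd"), os.path.join(d, ".htpasswd.meta")
        try:
            set_password(pw, meta, "paul", "short1!", now=t0)
        except ValueError as e:
            out["weak_rejected"] = str(e)
        set_password(pw, meta, "paul", "Str0ng-pass!", now=t0)
        out["hash"] = lookup(pw, "paul")
        out["wrong_old"] = change_password(pw, meta, "paul", "nope", "An0ther-one!", now=t0)
        out["changed"] = change_password(pw, meta, "paul", "Str0ng-pass!", "An0ther-one!",
                                         now=t0 + 10 * day)
        out["expired_after_20d"] = is_expired(meta, "paul", now=t0 + 20 * day)
        out["expired_after_110d"] = is_expired(meta, "paul", now=t0 + 110 * day)
    return out
```

A CGI or PHP handler would call `change_password` with the form fields and `is_expired` at login time to force a rotation; the atomic rename matters because a truncated password file locks every user out until someone with shell access repairs it.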
Re: Running Apache with root
Posted by jon <jo...@divisionbyzero.com>.
On Sun, 2002-02-17 at 13:12, Csillag Zsolt wrote:
> The only thing I asked for is how to run apache as root :-)
> (maybe you misunderstood the question)
the short version is "You can't". You need to write a suid wrapper for
your script, since most scripts can't be setuid.
-jon
--
jon@divisionbyzero.com || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus? www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing."
Uploaded Files Executable?
Posted by Al Andersen <ap...@viajante.com>.
I'm using Apache 1.3.23, Linux, and PHP to handle my web content. I provide
links on some of my web pages for users to download files.
My problem is PHP files. If a user clicks on the link, the PHP file is
executed, even though the actual file is stored outside of the document root.
For example, a file containing <?php phpinfo(); ?> will execute if offered up
on the web page as link and clicked on.
What do I need to do to prevent this?
-Al Andersen
Re: Running Apache with root
Posted by Csillag Zsolt <st...@interware.hu>.
Hi,
The only thing I asked for is how to run apache as root :-)
(maybe you misunderstood the question)
I only explained briefly why I need this information.
Thank you
Zsolt Csillag
Hungary
At 18:30 2002.02.17. +0700, you wrote:
>On Sun, 17 Feb 2002, Csillag Zsolt <st...@interware.hu> wrote,
>
> >
> > Hi!
> >
> > I'm developing a cgi application. I don't want to tell the whole story, in
> > brief the
> > cgi works from command line and not from the web browser.
> >
> > I've tried everything, my last try is to run Apache with root (currently is
> > running with wwwrun user)
> >
> > I use Suse 7.1
> >
> > Can you help me?
>
>Well, no, unless you tell us what's the error. The browser may tell you the
>error, but the error log will tell more for sure.
>
>
>--
>san->http(www.trabas.com)
>
>
>
Re: Running Apache with root
Posted by bg...@wheatonma.edu.
I ran into this as well, I have a script that I needed to run as root
from apache. By default the version of apache I use runs as the user apache and
I tried running it as root but there are issues when doing so. The way I got
around this was I kept running apache as the user apache. I then enabled rsh
on the server only from the user "apache" and only from the machine "localhost".
( I am using RedHat which uses xinetd.d instead of inetd. I am not sure which
Suse uses.) To enable rsh to root as the user apache I edited root's .rhosts
file and I added the line
127.0.0.1 apache
I then had to add the line
rsh
to the file
/etc/securetty
I then had to edit /etc/xinetd.d/rsh to enable rsh then restart xinetd by
running
service xinetd restart
I think in Suse you will have to edit /etc/inetd.conf and run
service inetd restart ( not sure ).
Anyway, from the perl script that I was running from the web browser I made a
system call out to another script but I did it through rsh, like this
system("rsh -l root localhost /var/www/cgi-bin/scriptname");
I think that is pretty much all I had to do. Be careful and test that rsh
works only from localhost and only as the user "apache". Also, if you want to
pass any parameters to the new script you are running as root be careful. If
it is sensitive information ( like a user's password in my case ) the rsh line
you run appears in a log file, I believe it was either
/var/log/messages or /var/log/httpd/access_log
I ended up writing the info I wanted to pass to a file and handed that filename
to the new script then the new script retrieved the data and deleted the file.
Apache does let you run as what is called "suexec" but I read in their
documentation that it will not let you do so as root at this time ( I bet they
are worried about being hacked. ) Make sure the script you are going to run is
torture tested so it cannot be hacked. If so you are letting a potential
unknown user run a script as root.
Quoting Csillag Zsolt <st...@interware.hu>:
>
> Hi!
>
> I'm developing a cgi application. I don't want to tell the whole story,
> in
> brief the
> cgi works from command line and not from the web browser.
>
> I've tried everything, my last try is to run Apache with root (currently
> is
> running with wwwrun user)
>
> I use Suse 7.1
>
> Can you help me?
>
> When I modify httpd.conf to root I get an error message.
>
> Please write me in detail since I'm relatively new to Linux.
>
> Thank you in advance
>
> Zsolt Csillag
>
>
>
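Two approaches to the root problem appear in this thread: jon's setuid wrapper and the rsh-to-root channel described above. Either way the unprivileged CGI side decides what reaches root, and the two concerns raised in the post (the parameter showing up in a log file, and an unknown user ending up with a root-run script) are both settled on that side. The script below is an added example, not code from this thread or from the Apache project. It assumes a single root-owned helper at /usr/local/sbin/pwhelper that the web user may run through a sudoers rule like `apache ALL=(root) NOPASSWD: /usr/local/sbin/pwhelper`; the helper path, the sudoers rule, and the operation names are assumptions, and the helper itself (a sudo-restricted script or a setuid wrapper) must validate its input again, because it is the trust boundary.

```python
"""Unprivileged CGI side of a root handoff: narrow interface, secret on stdin.

Added example, not from the thread. The helper path and the sudo rule that
permits it are assumptions about the deployment. Only the operation name and
the username go on the command line; the secret is written to the helper's
stdin, so it never shows in ps output, shell history, or the syslog/rsh log
lines the post above mentions.
"""
import json
import re
import subprocess

HELPER = ("sudo", "-n", "/usr/local/sbin/pwhelper")   # assumed root-owned helper
ALLOWED_OPS = {"setpass", "lock"}                      # assumed operation names
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def build_request(op: str, user: str, secret: str) -> dict:
    """Validate web input before anything privileged sees it."""
    if op not in ALLOWED_OPS:
        raise ValueError(f"operation not allowed: {op!r}")
    if not USERNAME_RE.match(user):
        raise ValueError("bad username")
    if "\n" in secret or "\0" in secret or not 1 <= len(secret) <= 256:
        raise ValueError("bad secret")
    return {"op": op, "user": user, "secret": secret}


def is_valid_request(op: str, user: str, secret: str) -> bool:
    """Boolean form of build_request for callers that only need accept/reject."""
    try:
        build_request(op, user, secret)
        return True
    except ValueError:
        return False


def run_privileged(op: str, user: str, secret: str, helper=HELPER,
                   timeout: int = 10) -> subprocess.CompletedProcess:
    """Invoke the helper with op and user on argv; the secret goes on stdin as JSON."""
    req = build_request(op, user, secret)
    argv = list(helper) + [req["op"], req["user"]]    # no secret on the command line
    return subprocess.run(
        argv,
        input=json.dumps({"secret": req["secret"]}) + "\n",
        capture_output=True, text=True, timeout=timeout,
        env={"PATH": "/usr/bin:/bin"},               # don't hand the CGI environment to root
    )


if __name__ == "__main__":
    # Stand-in helper for a local run: echoes stdin and the argv it received.
    stand_in = ("sh", "-c", 'cat; echo "argv:$*"', "x")
    print(run_privileged("setpass", "alice", "hunter2", helper=stand_in).stdout)
```

Running it with the stand-in shows the split: argv carries only `setpass alice`, and the JSON with the secret arrives on stdin. The real helper should read exactly one JSON object from stdin, re-check the username against its own pattern, and exit non-zero on anything else; `sudo -n` makes a missing or wrong sudoers rule fail immediately instead of hanging on a password prompt.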
Re: Running Apache with root
Posted by Hasanuddin Tamir <sa...@trabas.com>.
On Sun, 17 Feb 2002, Csillag Zsolt <st...@interware.hu> wrote,
>
> Hi!
>
> I'm developing a cgi application. I don't want to tell the whole story, in
> brief the
> cgi works from command line and not from the web browser.
>
> I've tried everything, my last try is to run Apache with root (currently is
> running with wwwrun user)
>
> I use Suse 7.1
>
> Can you help me?
Well, no, unless you tell us what's the error. The browser may tell you the
error, but the error log will tell more for sure.
--
san->http(www.trabas.com)
Running Apache with root
Posted by Csillag Zsolt <st...@interware.hu>.
Hi!
I'm developing a cgi application. I don't want to tell the whole story, in
brief the
cgi works from command line and not from the web browser.
I've tried everything, my last try is to run Apache with root (currently is
running with wwwrun user)
I use Suse 7.1
Can you help me?
When I modify httpd.conf to root I get an error message.
Please write me in detail since I'm relatively new to Linux.
Thank you in advance
Zsolt Csillag