You are viewing a plain text version of this content. The canonical link for it is here.
Posted to docs@httpd.apache.org by Allan Liska <al...@allan.org> on 2001/09/16 21:14:50 UTC

Proposal for Improviing the Security Docs

Hello,

  As I mentioned earlier this week, I would like to try to improve the
  layout of the security docs.  I'd really like feedback from people
  on this list as to how in-depth the documents should go.  As an
  example, should we explain how to set permissions for optimal
  security in an Apache root directory?

  There is also the problem of duplication.  If we are going to
  discuss Server Side Includes we obviously have to mention
  mod_include, but should we also discuss access control using
  mod_access, or is that too much overlap?

  Finally, I would really like to see, at least links if not brief
  descriptions of Apache security exploits.  I know that information
  is available on the site, but I would assume people would go to the
  security section to get that information as well.
  
  I propose to start small, building on what is already at:

  http://httpd.apache.org/docs/misc/security_tips.html

  Then branch out.  The first iteration of this project would look
  something like this:

  Security Tips
        - General Configuration Tips
        - CGI
        - Server Side Includes
        - htaccess
        - Special Issues Relating to Virtual Hosting
        - Security tips for Windows (I'd need some help with this)
        - Security Bulletins

  General configuration tips would include things like not
  activating modules you are not going to use, setting up a directory
  structure, limiting directives to those that are going to be used,
  etc.

  CGI tips would include the tips already given, plus additional tips,
  like limiting where a CGI script can be accessed from, etc.

  SSI needs to include ways in which an administrator can limit SSI
  without taking away the functionality all together.  It should also
  include ways to make SSI scripts safer.

  Like SSI the htaccess section should discuss ways to limit the
  directive so that users can take advantage of it, without
  compromising the system.

  There are a lot of special issues related to Virtual Hosting...I
  don't think this section is the place to fully cover them.  I
  would like to highlight some of the biggest issues, and maybe
  include some pointers to off-site areas.

  Not sure what special issues are related to Microsoft Windows and
  Apache, but I would imagine simply the different nature of the file
  systems, etc, would create some differences in security
  precautions.  If I am wrong, please let me know.

  I'd really like feedback from everyone as to whether or not this is
  a good start...or if there should be more information included?

  Thanks!


  allan
--
allan
allan@allan.org
http://www.allan.org



---------------------------------------------------------------------
To unsubscribe, e-mail: apache-docs-unsubscribe@apache.org
For additional commands, e-mail: apache-docs-help@apache.org

Re: Proposal for Improviing the Security Docs

Posted by Rich Bowen <rb...@rcbowen.com>.
On Mon, 17 Sep 2001, Allan Liska wrote:

>
> Rich,
>
> Thanks for your comments, please see my answers in-line...
>
> On Mon, 17 Sep 2001, Rich Bowen wrote:
>
> > On Sun, 16 Sep 2001, Allan Liska wrote:
> >
> > > Hello,
> > >
> > >   As I mentioned earlier this week, I would like to try to improve the
> > >   layout of the security docs.  I'd really like feedback from people
> > >   on this list as to how in-depth the documents should go.  As an
> > >   example, should we explain how to set permissions for optimal
> > >   security in an Apache root directory?
> >
> > Yes. The documentation should be the one location where folks need to
> > look for information on how to run the Apache server. There are cases
> > where off-site links may be appropriate, but I tend to think that the
> > docs should be comprehensive.
> >
>
> Okay...that makes sense, so then explaining to people how to chmod and
> chroot is not outside the realm of this documentation?  Also, are there
> enough people on this list comfortable in their system security knowledge
> to review any documents presented, to ensure there are no errors...or
> really bad ideas :)?

oh, well, I don't think that the use of chmod and chroot needs be
covered. I did not think you meant going to that extreme.

> Another good point.  I don't know that it is something that even needs to
> be filled in, it is probably more appropriate just to put links to the
> existing sections, and let readers figure things out from the information
> in those documents.  If this doesn't make sense, maybe I should put
> together a sample document on something like Server Side Includes this
> week and submit it to the list so I can provide a more clear example?

Yes, submitting samples is a good place to start.
I'm looking forward to that.

-- 
Rich Bowen - rbowen@rcbowen.com
ReefKnot - http://www.reefknot.org


---------------------------------------------------------------------
To unsubscribe, e-mail: apache-docs-unsubscribe@apache.org
For additional commands, e-mail: apache-docs-help@apache.org

RE: Proposal for Improviing the Security Docs

Posted by Joshua Slive <jo...@slive.ca>.

> -----Original Message-----
> From: Allan Liska [mailto:allan@allan.org]
> On Mon, 17 Sep 2001, Rich Bowen wrote:
> > Yes. The documentation should be the one location where folks need to
> > look for information on how to run the Apache server. There are cases
> > where off-site links may be appropriate, but I tend to think that the
> > docs should be comprehensive.
>
> Okay...that makes sense, so then explaining to people how to chmod and
> chroot is not outside the realm of this documentation?  Also, are there
> enough people on this list comfortable in their system security knowledge
> to review any documents presented, to ensure there are no errors...or
> really bad ideas :)?

I believe that explaining in detail how chmod works is out of scope.
Explaining what the permissions should be, and then including a brief
example of how to set them would be appropriate.  Information on where to go
to find out more on "the basics" might also be good; even directing people
to "man chmod" might be appropriate in some circumstances.

> Security experts, like most experts, rarely agree on anything :).  Some
> would say it is important to hide possible exploits to prevent people from
> using them, others would say the more information the better, as it
> protects administrators.  I am certainly not proposing that we publish
> scripts to help people take advantage of any exploits, but people ought to
> be aware.

My opinion is that a security doc should contain the following advice:
- When installing a new server, always use the most recent available stable
version.
- Subscribe to the announce@apache.org mailing list.  The Apache Server
Project will send information on any known security problems and version
upgrades to this list.
- Subscribe to the analagous list for your operating system vendor, and for
any third-party modules that you use.

In the past, there has been a document at
http://httpd.apache.org/info/known_bugs.html
listing the known bugs (including security-related ones) in each version.
This has not, unfortuantely, been kept up to date in the last years.  If
someone has time on their hands, it could be reconstructed by looking at the
Announcement file in CVS and at the CHANGES file and picking out the major
bugs in each version.

If you wanted to include links to a couple reliable security sites, that
might also be appropriate.

Joshua.


---------------------------------------------------------------------
To unsubscribe, e-mail: apache-docs-unsubscribe@apache.org
For additional commands, e-mail: apache-docs-help@apache.org

Re: Proposal for Improviing the Security Docs

Posted by Allan Liska <al...@allan.org>.
Rich,

Thanks for your comments, please see my answers in-line...

On Mon, 17 Sep 2001, Rich Bowen wrote:

> On Sun, 16 Sep 2001, Allan Liska wrote:
>
> > Hello,
> >
> >   As I mentioned earlier this week, I would like to try to improve the
> >   layout of the security docs.  I'd really like feedback from people
> >   on this list as to how in-depth the documents should go.  As an
> >   example, should we explain how to set permissions for optimal
> >   security in an Apache root directory?
>
> Yes. The documentation should be the one location where folks need to
> look for information on how to run the Apache server. There are cases
> where off-site links may be appropriate, but I tend to think that the
> docs should be comprehensive.
>

Okay...that makes sense, so then explaining to people how to chmod and
chroot is not outside the realm of this documentation?  Also, are there
enough people on this list comfortable in their system security knowledge
to review any documents presented, to ensure there are no errors...or
really bad ideas :)?


> >   There is also the problem of duplication.  If we are going to
> >   discuss Server Side Includes we obviously have to mention
> >   mod_include, but should we also discuss access control using
> >   mod_access, or is that too much overlap?
>
> Because we have the docs in HTML, duplication should not be necessary.
> Fill in the additional detail in whichever doc it is appropriate, and
> provide links.
>


Another good point.  I don't know that it is something that even needs to
be filled in, it is probably more appropriate just to put links to the
existing sections, and let readers figure things out from the information
in those documents.  If this doesn't make sense, maybe I should put
together a sample document on something like Server Side Includes this
week and submit it to the list so I can provide a more clear example?


> >   Finally, I would really like to see, at least links if not brief
> >   descriptions of Apache security exploits.  I know that information
> >   is available on the site, but I would assume people would go to the
> >   security section to get that information as well.
>
> I'd be a little wary of this one. What is the reasoning behind this?
> It's almost as though you're providing a resource for folks that want to
> take advantage of the security exploits. You check on Netcraft ... Ah,
> they are running 1.3.9 ... tap tap tap ... Oh, look, there's a security
> exploit in 1.3.9 ... tap tap tap ... great, now I have root. Or
> whatever. Is this something that is generally recommended by security
> experts?
>
>

Security experts, like most experts, rarely agree on anything :).  Some
would say it is important to hide possible exploits to prevent people from
using them, others would say the more information the better, as it
protects administrators.  I am certainly not proposing that we publish
scripts to help people take advantage of any exploits, but people ought to
be aware.

To see the type of postings I am talking about take a look at this link on
LinuxSecurity.com:

http://www.linuxsecurity.com/advisories/redhat_advisory-820.html

Apache has traditionally posted this type of information on its website as
well:

http://httpd.apache.org/info/security_bulletin_1.2.5.html

Of course Apache is such a stable and secure product that there are very
few security exploits to report.  There are exploits in various ports of
Apache though...again that returns to the question: If posting security
information is a good idea, should we post information about security
vulnerabilities in modified distributions?

Thanks again for the excellent comments from everyone.  I really
appreciate any feedback.


allan
-- 
Allan Liska
allan@allan.org
http://www.allan.org


---------------------------------------------------------------------
To unsubscribe, e-mail: apache-docs-unsubscribe@apache.org
For additional commands, e-mail: apache-docs-help@apache.org

Re: Proposal for Improviing the Security Docs

Posted by Rich Bowen <rb...@rcbowen.com>.
On Sun, 16 Sep 2001, Allan Liska wrote:

> Hello,
>
>   As I mentioned earlier this week, I would like to try to improve the
>   layout of the security docs.  I'd really like feedback from people
>   on this list as to how in-depth the documents should go.  As an
>   example, should we explain how to set permissions for optimal
>   security in an Apache root directory?

Yes. The documentation should be the one location where folks need to
look for information on how to run the Apache server. There are cases
where off-site links may be appropriate, but I tend to think that the
docs should be comprehensive.

>   There is also the problem of duplication.  If we are going to
>   discuss Server Side Includes we obviously have to mention
>   mod_include, but should we also discuss access control using
>   mod_access, or is that too much overlap?

Because we have the docs in HTML, duplication should not be necessary.
Fill in the additional detail in whichever doc it is appropriate, and
provide links.

>   Finally, I would really like to see, at least links if not brief
>   descriptions of Apache security exploits.  I know that information
>   is available on the site, but I would assume people would go to the
>   security section to get that information as well.

I'd be a little wary of this one. What is the reasoning behind this?
It's almost as though you're providing a resource for folks that want to
take advantage of the security exploits. You check on Netcraft ... Ah,
they are running 1.3.9 ... tap tap tap ... Oh, look, there's a security
exploit in 1.3.9 ... tap tap tap ... great, now I have root. Or
whatever. Is this something that is generally recommended by security
experts?

-- 
Nothing is perfekt. Certainly not me.
Success to failure. Just a matter of degrees.


---------------------------------------------------------------------
To unsubscribe, e-mail: apache-docs-unsubscribe@apache.org
For additional commands, e-mail: apache-docs-help@apache.org

Re: Proposal for Improviing the Security Docs

Posted by Rich Bowen <rb...@rcbowen.com>.
On Sun, 16 Sep 2001, Allan Liska wrote:

>   I'd really like feedback from everyone as to whether or not this is
>   a good start...or if there should be more information included?

This is a great start and a great idea. I would be glad to assist in
whatever capacity I can, particularly since I am just about to start
writing that portion of my book, and, as with the rest of the book, I am
learning so much while I am writing, and am attempting to give some of
that back into the docs.

I will be reading back through your note in the next day or so (I'm
finishing up something else right now) and get you additional feedback.

Thanks for this proposal.

-- 
HTML Writers Guild training classes
http://www.hwg.org/services/classes/


---------------------------------------------------------------------
To unsubscribe, e-mail: apache-docs-unsubscribe@apache.org
For additional commands, e-mail: apache-docs-help@apache.org