Pitfalls abound and security holes can be multitudinous. (that
sound scary enough? LOL)
The Apache server generally is run by root. The User
directive is used from there to set "who" serves up content.
Running the server as a user other than root can (will) cause
problems... in your case mod_admin (and mod_proxy if you use it) will
choke, so you're probably better off as is. Just make sure the User
directive is used properly. There are some basic tenets to follow,
however, to 'help' reduce security incidents.
Disallow user created .htaccess lists (if you have users on
the server, that is).
Don't allow them (anyone. user or cracker) to get to the
filesystem (root and the daemon still have access).
Disallow access to root "userdir" by anyone (the actual
server still has access, just not anything served up)
Add the following to the server config file if you have
users.
<Directory />
    AllowOverride None
    Options None
    allow from all
</Directory>
<Directory />
    Order deny,allow
    Deny from all
</Directory>
UserDir disabled root
(I haven't decided if the allow and deny cancel out... also be sure
to look for <Location />'s that might circumvent this)
Make sure no one but root can write to the serverroot directories
(and their parents!).
This includes bin, conf, logs, the apache directory, etc.
You can then open up permissions for individual users on their
directories.
If your logs dir is open for writing, a decent script kiddie can
gain UID 0 or, at the very least, cause some havoc. A true cracker
could own the system fairly quickly.
You're not allowing users to execute CGI, but I'll include this
in case someone else is following this thread.
When allowing CGI, consider using (and enforcing the use
of) CGIwrap
(http://wwwcgi.umr.edu/~cgiwrap/). If users are not
executing CGI (or you have them using aliasing), tighten up
permissions on the server's CGI area as tight as you can. And always
-check your code- CGI exploits are the easiest to pull off by
far.
All my Perl script CGIs which are visible for human consumption
contain something like this:
use CGI qw(:standard);   # exports header, start_html, h1, end_html
use CGI::Carp 'fatalsToBrowser';
##################### DDoS Band-Aid ############################
$CGI::POST_MAX = 1024 * 100;   # maximum of 100k posts
$CGI::DISABLE_UPLOADS = 1;     # no uploads allowed
##################### script kiddie defense ################
## Calls must originate "here" (yourdomain.com).
if (($ENV{'HTTP_REFERER'}) && ($ENV{'HTTP_REFERER'} !~ /^http:\/\/YourDomain\.com/)) {
    print header;
    print start_html('ERROR'), h1('Outside connections are not allowed');
    print end_html;
    exit 0;
}
#####################
That's way more than I intended to write and there's plenty
more... unfortunately.
And always in touch at
http://httpd.apache.org/bug_report.html =D
Good luck with this and keep your fingers crossed. :) Now... to
catch up on all
this linuxchix mail I haven't read... hehe this one just caught
my eye.
Maggie
Message: 1
Date: Fri, 6 Apr 2001 12:51:51 -0700 (PDT)
From: Seageraves Caren <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [techtalk] Running Apache as Root.
<snipped>
--
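The permission rule in the message above (nobody but root can write to the ServerRoot directories or their parents), as an added check that is not part of the original post. It assumes GNU stat (`stat -c`); the function names `check_dir` and `audit_with_parents` and the `bin conf logs` layout under the path you pass are illustrative.

```shell
#!/bin/sh
# Added example: flag ServerRoot directories, and every parent up to /,
# that are not owned by the expected uid or are group/other-writable.
# Assumes GNU stat; function names are hypothetical.

# check_dir DIR OWNER_UID -> 0 if acceptable, 1 and a "BAD" line otherwise
check_dir() {
    uid=$(stat -c '%u' "$1") || return 2
    mode=$(stat -c '%a' "$1") || return 2
    # 022 = write bit for group and for other
    if [ "$uid" != "$2" ] || [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "BAD $1 uid=$uid mode=$mode"
        return 1
    fi
    return 0
}

# audit_with_parents DIR [OWNER_UID] -> 0 only if DIR and all parents pass
audit_with_parents() {
    dir=$(CDPATH= cd -- "$1" 2>/dev/null && pwd -P) || { echo "MISSING $1"; return 2; }
    want=${2:-0}
    rc=0
    while :; do
        check_dir "$dir" "$want" || rc=1
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Usage: sh audit.sh /path/to/ServerRoot
if [ "$#" -gt 0 ]; then
    findings=$(for sub in bin conf logs; do
        audit_with_parents "$1/$sub" 0
    done | sort -u)
    [ -z "$findings" ] && exit 0
    echo "$findings"
    exit 1
fi
```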