![[image]](http://mowser.com/img?url=http%3A%2F%2Fimages.devshed.com%2Fds%2Fdevshed-01.jpg)
![[image]](http://mowser.com/img?url=http%3A%2F%2Fimages.devshed.com%2Fds%2Fdevshed-02.jpg)
/ 3
![[image]](http://mowser.com/img?url=http%3A%2F%2Fimages.devshed.com%2Fcommon%2Fad-top.gif)
![[image]](http://mowser.com/img?url=http%3A%2F%2Fimages.devshed.com%2Fcommon%2Fad-bottom.gif)
![[image]](http://mowser.com/img?url=http%3A%2F%2Fwww.devshed.com%2Fimages%2Ffrontpage%2Fspacer.gif)
![[image]](http://mowser.com/img?url=http%3A%2F%2Fimages.devshed.com%2Fcmn%2Fdevshed_2.png "DevShed News: Getting Started with Apache")
![[image]](http://mowser.com/img?url=http%3A%2F%2Fimages.devshed.com%2Fcmn%2Fdevarticles_2.png "Dev Articles News: Installing PHP under Windows")
( Page 1 of 4 )
In this third part of a six-part series on Apache installation and configuration, you will learn how to set security-related permissions. This article is excerpted from chapter two of Apache Security, written by Ivan Ristic (O'Reilly; ISBN: 0596007248). Copyright © 2006 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.
Setting Apache Binary File Permissions
After creating the new user account your first impulse might be to assign ownership over the Apache installation to it. I see that often, but do not do it. For Apache to run on port 80, it must be started by the user root. Allowing any other account to have write access to the httpd binary would give that account privileges to execute anything as root.
This problem would occur, for example, if an attacker broke into the system. Work ing as the Apache user (httpd), he would be able to replace the httpd binary with something else and shut the web server down. The administrator, thinking the web server had crashed, would log in and attempt to start it again and would have fallen into the trap of executing a Trojan program.
That is why we make sure only root has write access:
# chown -R root:root /usr/local/apache
# find /usr/local/apache -type d | xargs chmod 755
# find /usr/local/apache -type f | xargs chmod 644
No reason exists why anyone else other than the root user should be able to read the Apache configuration or the logs:
# chmod -R go-r /usr/local/apache/conf
# chmod -R go-r /usr/local/apache/logs
Configuring Secure Defaults
Unless told otherwise, Apache will serve any file it can access. This is probably not what most people want; a configuration error could accidentally expose vital system files to anyone caring to look. To change this, we would deny access to the complete filesystem and then allow access to the document root only by placing the following directives in the httpd.conf configuration file:
<Directory />
Order Deny,Allow
Deny from all
</Directory>
<Directory /var/www/htdocs>
Order Allow,Deny
Allow from all
</Directory>
![[image]](http://mowser.com/img?url=http%3A%2F%2Fwww.devshed.com%2Fimages%2Fspacer.gif)
- Putting Apache in Jail
- Containing Intrusions in Apache
- Server Limits for Apache Security
- Setting Permissions in Apache
- Installing Apache
- Apache Installation and Configuration
- Apache Tapestry and Custom Components: DateI...
- Tapestry and AJAX: Autocompleter and InlineE...
- PropertySelection and IPropertySelectionMode...
- The DatePicker and Shell Components of Apach...
- Apache Tapestry: ASO and More Components
- Apache Tapestry and DirectLink, IoC and DI
- Making a CelebrityCollector with Apache Tape...
- Apache Tapestry and Listener Methods, Condit...
![[image]](http://mowser.com/img?url=http%3A%2F%2Fwww.devshed.com%2Fc%2Fa%2FApache%2FSetting-Permissions-in-Apache%2Fimages%2Fspacer.gif)
You are viewing a mobilized version of this site...
View original page here
