1<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3
4<html xmlns="http://www.w3.org/1999/xhtml">
5  <head>
6    <meta name="generator" content="HTML Tidy, see www.w3.org" />
7
8    <title>Apache HTTP Server: Security Tips</title>
9  </head>
10  <!-- Background white, links blue (unvisited), navy (visited), red (active) -->
11
12  <body bgcolor="#FFFFFF" text="#000000" link="#0000FF"
13  vlink="#000080" alink="#FF0000">
14        <div align="CENTER">
15      <img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" />
16
17      <h3>Apache HTTP Server Version 1.3</h3>
18    </div>
19
20
21    <h1 align="CENTER">Security Tips for Server Configuration</h1>
22
23    <ul>
24      <li><a href="#serverroot">Permissions on ServerRoot
25      Directories</a></li>
26
27      <li><a href="#ssi">Server Side Includes</a></li>
28
29      <li><a href="#nsaliasedcgi">Non Script Aliased CGI</a></li>
30
31      <li><a href="#saliasedcgi">Script Aliased CGI</a></li>
32
33      <li><a href="#cgi">CGI in General</a></li>
34
35      <li><a href="#dynamic">Other sources of dynamic content</a></li>
36
37      <li><a href="#systemsettings">Protecting System
38      Settings</a></li>
39
40      <li><a href="#protectserverfiles">Protect Server Files by
41      Default</a></li>
42    </ul>
43    <hr />
44
45    <p>Some hints and tips on security issues in setting up a web
46    server. Some of the suggestions will be general, others
47    specific to Apache.</p>
48    <hr />
49
50    <h2><a id="serverroot" name="serverroot">Permissions on
51    ServerRoot Directories</a></h2>
52
53    <p>In typical operation, Apache is started by the root user,
54    and it switches to the user defined by the <a
55    href="../mod/core.html#user"><strong>User</strong></a>
56    directive to serve hits. As is the case with any command that
57    root executes, you must take care that it is protected from
58    modification by non-root users. Not only must the files
59    themselves be writeable only by root, but also the
60    directories and parents of all directories. For example, if
61    you choose to place ServerRoot in
62    <code>/usr/local/apache</code> then it is suggested that you
63    create that directory as root, with commands like these:</p>
64
65    <blockquote>
66<pre>
67    mkdir /usr/local/apache
68    cd /usr/local/apache
69    mkdir bin conf logs
70    chown 0 . bin conf logs
71    chgrp 0 . bin conf logs
72    chmod 755 . bin conf logs
73</pre>
74    </blockquote>
75    It is assumed that /, /usr, and /usr/local are only modifiable
76    by root. When you install the httpd executable, you should
77    ensure that it is similarly protected:
78
79    <blockquote>
80<pre>
81    cp httpd /usr/local/apache/bin
82    chown 0 /usr/local/apache/bin/httpd
83    chgrp 0 /usr/local/apache/bin/httpd
84    chmod 511 /usr/local/apache/bin/httpd
85</pre>
86    </blockquote>
87
88    <p>You can create an htdocs subdirectory which is modifiable by
89    other users -- since root never executes any files out of
90    there, and shouldn't be creating files in there.</p>
91
92    <p>If you allow non-root users to modify any files that root
93    either executes or writes on then you open your system to root
94    compromises. For example, someone could replace the httpd
95    binary so that the next time you start it, it will execute some
96    arbitrary code. If the logs directory is writeable (by a
97    non-root user), someone could replace a log file with a symlink
98    to some other system file, and then root might overwrite that
99    file with arbitrary data. If the log files themselves are
100    writeable (by a non-root user), then someone may be able to
101    overwrite the log itself with bogus data.</p>
102    <hr />
103
104    <h2><a id="ssi" name="ssi">Server Side Includes</a></h2>
105
106    <p>Server Side Includes (SSI) present a server administrator
107    with several potential security risks.</p>
108
109    <p>The first risk is the increased load on the server. All
110    SSI-enabled files have to be parsed by Apache, whether or not
111    there are any SSI directives included within the files. While
112    this load increase is minor, in a shared server environment it
113    can become significant.</p>
114
115    <p>SSI files also pose the same risks that are associated with
116    CGI scripts in general. Using the "exec cmd" element,
117    SSI-enabled files can execute any CGI script or program under
118    the permissions of the user and group Apache runs as, as
119    configured in httpd.conf. That should definitely give server
120    administrators pause.</p>
121
122    <p>There are ways to enhance the security of SSI files while
123    still taking advantage of the benefits they provide.</p>
124
125    <p>To isolate the damage a wayward SSI file can cause, a server
126    administrator can enable <a
127    href="../suexec.html">suexec</a> as described in the <a
128    href="#cgi">CGI in General</a> section.</p>
129
130    <p>Enabling SSI for files with .html or .htm extensions can be
131    dangerous. This is especially true in a shared, or high
132    traffic, server environment. SSI-enabled files should have a
133    separate extension, such as the conventional .shtml. This helps
134    keep server load at a minimum and allows for easier management
135    of risk.</p>
136
137    <p>Another solution is to disable the ability to run scripts
138    and programs from SSI pages. To do this, replace
139    <code>Includes</code> with <code>IncludesNOEXEC</code> in the
140    <a href="../mod/core.html#options">Options</a> directive. Note
141    that users may still use &lt;--#include virtual="..." --&gt; to
142    execute CGI scripts if these scripts are in directories
143    designated by a <a
144    href="../mod/mod_alias.html#scriptalias">ScriptAlias</a>
145    directive.</p>
146    <hr />
147
148    <h2><a id="nsaliasedcgi" name="nsaliasedcgi">Non Script Aliased
149    CGI</a></h2>
150
151    <p>Allowing users to execute <strong>CGI</strong> scripts in
152    any directory should only be considered if;</p>
153
154    <ol>
155      <li>You trust your users not to write scripts which will
156      deliberately or accidentally expose your system to an
157      attack.</li>
158
159      <li>You consider security at your site to be so feeble in
160      other areas, as to make one more potential hole
161      irrelevant.</li>
162
163      <li>You have no users, and nobody ever visits your
164      server.</li>
165    </ol>
166    <hr />
167
168    <h2><a id="saliasedcgi" name="saliasedcgi">Script Aliased
169    CGI</a></h2>
170
171    <p>Limiting <strong>CGI</strong> to special directories gives
172    the admin control over what goes into those directories. This
173    is inevitably more secure than non script aliased CGI, but
174    <strong>only if users with write access to the directories are
175    trusted</strong> or the admin is willing to test each new CGI
176    script/program for potential security holes.</p>
177
178    <p>Most sites choose this option over the non script aliased
179    CGI approach.</p>
180    <hr />
181
182    <h2><a id="cgi" name="cgi">CGI in General</a></h2>
183
184    <p>Always remember that you must trust the writers of the CGI
185    script/programs or your ability to spot potential security
186    holes in CGI, whether they were deliberate or accidental.</p>
187
188    <p>All the CGI scripts will run as the same user, so they have
189    potential to conflict (accidentally or deliberately) with other
190    scripts <em>e.g.</em> User A hates User B, so he writes a
191    script to trash User B's CGI database. One program which can be
192    used to allow scripts to run as different users is <a
193    href="../suexec.html">suEXEC</a> which is included with Apache
194    as of 1.2 and is called from special hooks in the Apache server
195    code. Another popular way of doing this is with <a
196    href="http://wwwcgi.umr.edu/~cgiwrap/">CGIWrap</a>.</p>
197    <hr />
198
199    <h2><a id="dynamic" name="dynamic">Other sources of dynamic
200    content</a></h2>
201
202<p>Embedded scripting options which run as part of the server itself, such
203as mod_php, mod_perl, mod_tcl, and mod_python, run under the identity of
204the server itself (see the <a href="../mod/core.html#user">User</a>
205directive), and therefore scripts executed by these engines
206potentially can access anything the server user can. Some scripting
207engines may provide restrictions, but it is better to be safe and assume
208not.</p>
209<hr />
210
211    <h2><a id="systemsettings" name="systemsettings">Protecting
212    System Settings</a></h2>
213
214    <p>To run a really tight ship, you'll want to stop users from
215    setting up <code>.htaccess</code> files which can override
216    security features you've configured. Here's one way to do
217    it.</p>
218
219    <p>In the server configuration file, put</p>
220
221    <blockquote>
222      <code>&lt;Directory /&gt;<br />
223       AllowOverride None<br />
224       &lt;/Directory&gt;<br />
225      </code>
226    </blockquote>
227
228    <p>This prevents the use of <code>.htaccess</code> files in all
229    directories apart from those specifically enabled.</p>
230    <hr />
231
232    <h2><a id="protectserverfiles"
233    name="protectserverfiles">Protect Server Files by
234    Default</a></h2>
235
236    <p>One aspect of Apache which is occasionally misunderstood is
237    the feature of default access. That is, unless you take steps
238    to change it, if the server can find its way to a file through
239    normal URL mapping rules, it can serve it to clients.</p>
240
241    <p>For instance, consider the following example:</p>
242
243    <ol>
244      <li><samp># cd /; ln -s / public_html</samp></li>
245
246      <li>Accessing <samp>http://localhost/~root/</samp></li>
247    </ol>
248
249    <p>This would allow clients to walk through the entire
250    filesystem. To work around this, add the following block to
251    your server's configuration:</p>
252<pre>
253 &lt;Directory /&gt;
254     Order Deny,Allow
255     Deny from all
256 &lt;/Directory&gt;
257</pre>
258
259    <p>This will forbid default access to filesystem locations. Add
260    appropriate <a
261    href="../mod/core.html#directory"><samp>&lt;Directory&gt;</samp></a>
262    blocks to allow access only in those areas you wish. For
263    example,</p>
264<pre>
265 &lt;Directory /usr/users/*/public_html&gt;
266     Order Deny,Allow
267     Allow from all
268 &lt;/Directory&gt;
269 &lt;Directory /usr/local/httpd&gt;
270     Order Deny,Allow
271     Allow from all
272 &lt;/Directory&gt;
273</pre>
274
275    <p>Pay particular attention to the interactions of <a
276    href="../mod/core.html#location"><samp>&lt;Location&gt;</samp></a>
277    and <a
278    href="../mod/core.html#directory"><samp>&lt;Directory&gt;</samp></a>
279    directives; for instance, even if <samp>&lt;Directory
280    /&gt;</samp> denies access, a <samp>&lt;Location /&gt;</samp>
281    directive might overturn it.</p>
282
283    <p>Also be wary of playing games with the <a
284    href="../mod/mod_userdir.html#userdir">UserDir</a> directive;
285    setting it to something like <samp>"./"</samp> would have the
286    same effect, for root, as the first example above. If you are
287    using Apache 1.3 or above, we strongly recommend that you
288    include the following line in your server configuration
289    files:</p>
290
291    <dl>
292      <dd><samp>UserDir&nbsp;disabled&nbsp;root</samp></dd>
293    </dl>
294    <hr />
295
296    <p>Please send any other useful security tips to The Apache
297    Group by filling out a <a
298    href="http://bugs.apache.org/">problem report</a>. If you are
299    confident you have found a security bug in the Apache source
300    code itself, <a
301    href="http://httpd.apache.org/bug_report.html">please let us
302    know</a>.</p>
303
304    <p>    <hr />
305
306    <h3 align="CENTER">Apache HTTP Server Version 1.3</h3>
307    <a href="./"><img src="../images/index.gif" alt="Index" /></a>
308    <a href="../"><img src="../images/home.gif" alt="Home" /></a>
309</p>
310  </body>
311</html>
312
313