Apache 2 file privileges and modules

Filed under Uncategorized

File privileges

On Unix systems, the file and directory access privileges are crucial for security. If you let other people write files, that the root user also writes on or executes, then your root account could be compromised. For example, an attacker could modify the apache2ctl starting script and execute arbitrary code, next time the root user starts Apache. Someone with a write privilege on the log file directory could create a link to another file on the system, which will then be overwritten (if he overwrites /etc/passwd, nobody can login anymore). And if the log files itself are writable to non-root users, an attacker could cover his tracks. So important files, directories and its parents must be writable only by root, or the Apache user, respectively.
 

The following table shows which ownership and privileges the Apache files and directories should have. The ownership can be changed with the chown command, the privileges can be adjusted with the chmod command. Note, that the parent directories of these directories need to be modifiable only by root. All changes need to be performed in this order.

Subject

Ownership (user:group)

Privileges

Binary directory

root:root

755 (rwxr-xr-x)

Binary files, such as the httpd executable

root:root

511 (r-x–x–x)

Configuration directory and files

root:root

755 (rwxr-xr-x)

Log files and its directory

root:root

700 (rwx——)

Content files and directories

apache:apache

500 (r-x——)

Rails log and tmp directories and subdirectories

apache:apache

700 (rwx——)

 
Modules
Modules have to be chosen when compiling Apache, but, with the help of the mod_so module, they can be dynamically loaded or deactivated afterwards. It’s best to compile Apache with the required modules. You can use the following command to see which modules Apache has been compiled with, i.e. which are always activated:

# apache2 -l # or httpd -l

The following modules are a good basic:

  • Core, Http_core and Mpm_common: these are always needed
  • Prefork or Worker MPM: read the first part to learn more about them
  • Mod_alias, everything with mod_auth…, Mod_log_config, Mod_mime, Mod_negotiation, Mod_setenvif: see the Apache documentation for more on these modules.
  • These are extensions, but you need them Mod_rewrite (if you use FastCGI, for example), Mod_so (to load modules dynamically)
  • you can generally disable these: Mod_cgi, Mod_cgid, Mod_actions, Mod_env (for CGI scripts), Mod_dir, Mod_autoindex (directory listings!), Mod_info, Mod_status (they provide sensitive information!)

To be continued…