Re: Apache Security Issue: File Access
From: Deep Gray (deepgray@earthlink.net)
Date: 01/23/02
From: Deep Gray <deepgray@earthlink.net> Date: Wed, 23 Jan 2002 00:14:41 GMT
Stettler Christian wrote:
> Hi,
> I just recognized that with Apache configured for VirtualHosts, any user can
> access other users' files via a CGI or ASP script; they are even able to read
> system files. The system I'm using seems to be considered on security, so
> I'm wondering if there is any way to solve this problem so that:
>
> - no one can access another user's apache root directory (e.g. /home/user1)
> - no one can read files using a file system call in CGI or ASP
> - everyone can execute CGI / ASP scripts in the specified directory within
> the user's directory (e.g. /home/user1/www/cgi-bin/)
>
> Do you know of this problem? Is suexec a possible solution? Any experience
> with suexec?
>
> thanx for helping
>
> christian
>
Start by running apache as an extremely unprivileged user and group if
you have not already done so. You can effectively accomplish this by
adding this to the top of your httpd.conf file:
User nobody
Group nobody
Then set your file and directory permissions accordingly. Remember that
if you deny eXecutable permission to any directory in a directory tree,
every subdirectory inside it and beyond (including what symlinks point
to) is also denied by default. So it may be a good idea to deny all
permissions to /etc and other sensitive areas to "everyone else".
Second, you may want to think about turning off the "follow symlink"
option in your httpd.conf file as well. This can be accomplished by setting:
Options -FollowSymLinks
If you forget the minus (-) sign, you will turn off all options except
FollowSymLinks.
The only other suggestion I would know to offer is to use the apachectl
command for testing your config file:
apachectl configtest
I use it all the time to make sure that I did not do something stupid.
As far as suEXEC goes, I do not have experience with it. I believe that
it is mostly used for forcing CGI scripts to run in a secure environment
or not run at all. But here is what it checks for:
###
Does the target program name have a / or .. in the path?
Does the user who owns the target script exist on the system?
Does the group this user belongs to exist?
Is the user not the superuser?
Is the user ID above the minimum ID number specified in suexec.h?
(higher number = less power)?
Is the user's group not the superuser's group?
Is the group ID above the minimum group ID set in suexec.h?
Is the directory below the server's document root or if for a UserDir,
Is the directory below the user's document root?
Is this directory not writable by any one else?
Does the target script exist?
Is it only writable by owner?
Is the target program not setuid or setgid?
Is the target user the owner of the script?
###
If any of these checks fail, the script will not be executed.
I hope I helped a little bit...I am actually very new with Apache and
have a lot to learn. I picked up "Apache: The Definitive Guide" by
O'Reilly and it is pretty good (actually, it's the worst O'Reilly book I
have ever read which puts it at about the Demi-God level compared to
other books).
If anyone has anything to add or correct (besides my spelling), please
do. Thanx and good luck.
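The following is an added example, not code from the mailing-list post or from Apache itself. It models two points from the reply above so they can be tried on constructed input: first, how an Options directive with or without a leading + or - merges with inherited options (a bare "Options FollowSymLinks" replaces the whole set, which is the pitfall the reply warns about; the rule that signed and unsigned arguments may not be mixed is Apache's, but everything else here is a simplified model); second, the suEXEC check list, run against an in-memory stand-in for the script, its directory and the passwd/group tables. The uid_min and gid_min defaults, the passwd and group entries, and the paths are all constructed, and merely stand in for the compile-time minimums in suexec.h and for a real system.

```python
"""Model of Apache Options merging and of the suEXEC pre-execution checks.

Everything below is a constructed example: the Entry objects replace stat()
results and PASSWD/GROUPS replace the real system tables, so it runs offline.
"""
from dataclasses import dataclass
import stat


def merge_options(inherited, directive_args):
    """Effective option set after an Options directive is applied.

    Signed arguments (+X / -X) adjust the inherited set; unsigned arguments
    replace it entirely, so ["FollowSymLinks"] leaves only FollowSymLinks.
    """
    signed = [a for a in directive_args if a[0] in "+-"]
    if signed and len(signed) != len(directive_args):
        raise ValueError("Options: all arguments must be signed, or none")
    if not signed:
        return set(directive_args)          # bare form: replace everything
    result = set(inherited)
    for arg in directive_args:
        if arg[0] == "+":
            result.add(arg[1:])
        else:
            result.discard(arg[1:])
    return result


@dataclass
class Entry:
    """Constructed stand-in for a stat() result on a file or directory."""
    path: str
    uid: int
    gid: int
    mode: int   # full st_mode, e.g. 0o100755 for a regular file


OTHERS_WRITABLE = stat.S_IWGRP | stat.S_IWOTH


def suexec_checks(target, target_uid, script, script_dir, doc_root,
                  passwd, groups, uid_min=1000, gid_min=1000):
    """Return the names of the checks that fail; [] means the script would run.

    passwd maps uid -> (name, primary gid); groups maps gid -> name.
    uid_min/gid_min stand in for the minimums compiled into suexec.h.
    The order follows the check list quoted in the post.
    """
    failures = []
    if "/" in target or ".." in target:
        failures.append("target name contains / or ..")
    if target_uid not in passwd:
        return failures + ["target user does not exist"]
    _name, gid = passwd[target_uid]
    if gid not in groups:
        failures.append("target user's group does not exist")
    if target_uid == 0:
        failures.append("target user is the superuser")
    if target_uid < uid_min:
        failures.append("target uid below uid_min")
    if gid == 0:
        failures.append("target group is the superuser's group")
    if gid < gid_min:
        failures.append("target gid below gid_min")
    root = doc_root.rstrip("/") + "/"
    if not (script_dir.path.rstrip("/") + "/").startswith(root):
        failures.append("directory is outside the document root")
    if script_dir.mode & OTHERS_WRITABLE:
        failures.append("directory writable by group or others")
    if script is None:
        return failures + ["target script does not exist"]
    if script.mode & OTHERS_WRITABLE:
        failures.append("script writable by group or others")
    if script.mode & (stat.S_ISUID | stat.S_ISGID):
        failures.append("script is setuid or setgid")
    if script.uid != target_uid:
        failures.append("target user does not own the script")
    return failures


# Constructed system tables and a correctly set-up per-user cgi-bin.
PASSWD = {0: ("root", 0), 1001: ("user1", 1001), 1002: ("user2", 1002)}
GROUPS = {0: "root", 1001: "user1", 1002: "user2"}
CGI_DIR = Entry("/home/user1/www/cgi-bin", 1001, 1001, 0o040755)
GOOD_SCRIPT = Entry("/home/user1/www/cgi-bin/hello.cgi", 1001, 1001, 0o100755)


def demo():
    """user1 running its own script passes; user2's vhost pointing at the
    same script fails on document root and ownership."""
    ok = suexec_checks("hello.cgi", 1001, GOOD_SCRIPT, CGI_DIR,
                       "/home/user1/www", PASSWD, GROUPS)
    cross = suexec_checks("hello.cgi", 1002, GOOD_SCRIPT, CGI_DIR,
                          "/home/user2/www", PASSWD, GROUPS)
    return ok, cross


if __name__ == "__main__":
    print(merge_options({"Indexes", "FollowSymLinks"}, ["FollowSymLinks"]))
    print(demo())
```

The Options half makes the reply's warning concrete: merging the inherited set {Indexes, FollowSymLinks, ExecCGI} with ["-FollowSymLinks"] drops one option, while ["FollowSymLinks"] leaves that option as the only one enabled. The suEXEC half is useful as an audit of a per-user cgi-bin: feed it the uid, directory and script modes you intend to deploy and any non-empty result names the setting suexec would reject.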