28.7 Avoiding Security Problems
A Web server exposed to the public Internet requires an ongoing
administrative effort. It is inevitable that security issues appear, both
related to the software and to accidental misconfiguration. Here are some
tips for how to deal with them.
28.7.1 Up-to-Date Software
If there are vulnerabilities found in the Apache software, a security
advisory will be issued by SUSE. It contains instructions for fixing
the vulnerabilities, which in turn should be applied soon as possible.
The SUSE security announcements are available from the following
28.7.2 DocumentRoot Permissions
By default in
the DocumentRoot directory
/srv/www/htdocs and the CGI directory
/srv/www/cgi-bin belong to the user and group
root. You should not change these permissions.
If the directories were writable for all, any user could place files
into them. These files might then be executed by Apache with the
permissions of wwwrun, which may give the user
unintended access to file system resources. Use subdirectories of
/srv/www to place the
DocumentRoot and CGI directories for your
virtual hosts and make sure that directories and files belong to user
and group root.
28.7.3 File System Access
By default, access to the whole file system is denied in
/etc/apache2/httpd.conf. You should never overwrite
these directives, but specifically enable access to all directories
Apache should be able to read (see
Basic Virtual Host Configuration
for details). In doing so, ensure that no critical files, such as
password or system configuration files, can be read from the outside.
28.7.4 CGI Scripts
Interactive scripts in Perl, PHP, SSI, or any other programming language
can essentially run arbitrary commands and therefore present a general
security issue. Scripts that will be executed from the server should
only be installed from sources the server administrator
trusts—allowing users to run their own scripts is generally not a
good idea. It is also recommended to do security audits for all scripts.
To make the administration of scripts as easy as possible, it is common
practice to limit the execution of CGI scripts to specific directories
instead of globally allowing them. The directives
ScriptAlias and Option
ExecCGI are used for configuration. The
default configuration does not allow execution of CGI scripts from
All CGI scripts run as the same user, so different scripts can
potentially conflict with each other. The module suEXEC lets you run CGI
scripts under a different user and group.
28.7.5 User Directories
When enabling user directories (with mod_userdir or mod_rewrite) you
should strongly consider not allowing .htaccess
files, which would allow users to overwrite security settings. At least
you should limit the user's engagement by using the directive
.htaccess files are enabled by default, but the
user is not allowed to overwrite any Option
directives when using mod_userdir (see the
/etc/apache2/mod_userdir.conf configuration file).