41.7 Avoiding Security Problems
A Web server exposed to the public Internet requires an ongoing
administrative effort. It is inevitable that security issues appear, both
related to the software and to accidental misconfiguration. Here are some
tips for how to deal with them.
41.7.1 Up-to-Date Software
If there are vulnerabilities found in the Apache software, a
security advisory will be issued by SUSE. It contains instructions
for fixing the vulnerabilities, which in turn should be applied soon as
possible. The SUSE security announcements are available from the
following locations:
41.7.2 DocumentRoot Permissions
By default in SUSE Linux Enterprise Server, the DocumentRoot
directory /srv/www/htdocs and the CGI directory
/srv/www/cgi-bin belong to the user and group
root. You should not change these permissions.
If the directories were writable for all, any user could place files
into them. These files might then be executed by Apache with the
permissions of wwwrun, which may give the user
unintended access to file system resources. Use subdirectories of
/srv/www to place the
DocumentRoot and CGI directories for your
virtual hosts and make sure that directories and files belong to user and
group root.
41.7.3 File System Access
By default, access to the whole file system is denied in
/etc/apache2/httpd.conf. You should never
overwrite these directives, but specifically enable access to all
directories Apache should be able to read (see
Basic Virtual Host Configuration
for details). In doing so, ensure that no critical files, such as
password or system configuration files, can be read from the outside.
41.7.4 CGI Scripts
Interactive scripts in Perl, PHP, SSI, or any other programming language
can essentially run arbitrary commands and therefore present a general
security issue. Scripts that will be executed from the server should
only be installed from sources the server administrator
trusts—allowing users to run their own scripts is generally not a
good idea. It is also recommended to do security audits for all
scripts.
To make the administration of scripts as easy as possible, it
is common practice to limit the execution of CGI scripts to specific
directories instead of globally allowing them. The directives
ScriptAlias and Option
ExecCGI are used for configuration. The SUSE Linux Enterprise Server
default configuration does not allow execution of CGI scripts from
everywhere.
All CGI scripts run as the same user, so different scripts
can potentially conflict with each other. The module suEXEC lets you
run CGI scripts under a different user and group.
41.7.5 User Directories
When enabling user directories (with mod_userdir or mod_rewrite)
you should strongly consider not allowing
.htaccess files, which would allow users to
overwrite security settings. At least you should limit the user's
engagement by using the directive
AllowOverRide. In SUSE Linux Enterprise Server,
.htaccess files are enabled by default, but the
user is not allowed to overwrite any Option
directives when using mod_userdir (see the
/etc/apache2/mod_userdir.conf configuration file).