
#1 2008-03-14 21:58:59

axel
Member
Registered: 2007-12-10
Posts: 77

Apache permissions

I just installed apache on my pc and noticed that /home/httpd has root:root permissions. Well, I believe this isn't secure for my system since if someone exploits my apache he will automatically gain root privileges to my system. Correct? So I am going to change the permissions of this folder to group: nobody and create a new user, let's say httpd. Are there any other changes I have to make either to the apache configuration or to php and mysql in order for them to work ok? If I upgrade apache when a new version comes out, are there going to be any problems with the permissions changes?

Edit: I read httpd.conf and found out that when apache starts it switches to anybody:anybody

[*****@***** home]$ ps aux | grep httpd
root     24305  0.0  0.1   8092  3072 ?        Ss   00:05   0:00 /usr/sbin/httpd -k start
nobody   24307  0.0  0.1   8228  2768 ?        S    00:05   0:00 /usr/sbin/httpd -k start
nobody   24308  0.0  0.0   8092  2000 ?        S    00:05   0:00 /usr/sbin/httpd -k start
nobody   24309  0.0  0.0   8092  2000 ?        S    00:05   0:00 /usr/sbin/httpd -k start
nobody   24310  0.0  0.0   8092  2000 ?        S    00:05   0:00 /usr/sbin/httpd -k start
nobody   24311  0.0  0.0   8092  2000 ?        S    00:05   0:00 /usr/sbin/httpd -k start
nobody   24607  0.0  0.0   8092  2000 ?        S    00:05   0:00 /usr/sbin/httpd -k start
root     27435  0.1  0.0   4172  1520 pts/0    S+   00:06   0:00 nano /etc/httpd/conf/httpd.conf
*****    29487  0.0  0.0   3704   788 pts/1    R+   00:07   0:00 grep httpd

However, isn't there still a problem with the permissions of /home/httpd, which is set as root:root? /home/ftp is set as root:ftp

[*****@***** home]$ ls -la
total 36
drwxr-xr-x  6 root root  4096 2008-03-14 23:40 .
drwxr-xr-x 20 root root  4096 2008-03-11 15:35 ..
drwxr-xr-x 38 axel axel  4096 2008-03-15 00:07 *****
dr-xr-xr-x  2 root ftp   4096 2008-03-11 00:20 ftp
drwxr-xr-x  7 root root  4096 2008-01-17 22:32 httpd
drwx------  2 root root 16384 2008-02-12 18:17 lost+found

Last edited by axel (2008-03-14 22:13:56)


#2 2008-03-16 10:47:59

_nalle
Member
From: Stockholm/Sweden
Registered: 2006-01-11
Posts: 70
Website

Re: Apache permissions

Files being owned by root is not a problem per se. The permissions of an object define who gets to read/write/execute what.

For example:
The ftp folder you have has permissions r-xr-xr-x, meaning that the owner can read and execute (root in this case), anyone in the group can read and execute (ftp in this case) and globally anyone can read and execute.

In the case of a directory it needs to be executable for apache to be able to list its content. Files however only need read permissions to be viewable via the apache webserver.

Thinking securely is always the way to go, but to secure your system properly from hackers via your apache does require some effort and maintenance...

First of all, since apache usually runs as the unprivileged user nobody, it often only has access to the global permissions. However, if you check most files in, for example, your /etc you will notice that even nobody has at least read access to them. This goes for the better part of your system too.

To secure this even further you would need to make sure that any files in your system that do not need to be readable by nobody aren't.
Unfortunately, as mentioned before, this is a hassle since files change all the time and it's easy to mess up the wrong permissions.

It is of course up to the individual administrator to define how much it is worth, but if you ask me I would say that it isn't, with the motivation that even if you put in a couple of hours a week on securing permissions on files on account of apache's shortcomings, there will still be another hole to plug somewhere else that I can focus that time on instead.

Think: Keep people out of the machine.
Instead of: How to stop them when they're in.

If security on the machine is an issue, I'd recommend you read up on grsecurity or selinux.


Swedish Archlinux Mirror Administrator - ftp.gigabit.nu
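
The owner/group/other selection described in the reply above, applied to the `ls -la` listing from the first post, as an added example that is not part of any post in this thread. It assumes the Apache workers run as user `nobody` in a group also named `nobody` (the group name is an assumption); `perms_for`, `audit` and `page_listing` are hypothetical helper names.

```sh
#!/bin/sh
# Added example, not from the thread. Non-root users only (root bypasses these checks).

# perms_for MODE OWNER GROUP USER "USER_GROUPS" -> rwx triple that applies to USER.
# Only one class is consulted: owner if USER owns the entry, else group, else other.
perms_for() {
    pf_mode=$1; pf_owner=$2; pf_group=$3; pf_user=$4; pf_ugroups=$5
    if [ "$pf_user" = "$pf_owner" ]; then
        pf_start=2                      # characters 2-4: owner bits
    else
        pf_start=8                      # characters 8-10: other bits
        for pf_g in $pf_ugroups; do
            if [ "$pf_g" = "$pf_group" ]; then pf_start=5; fi   # 5-7: group bits
        done
    fi
    printf '%s\n' "$pf_mode" | cut -c"$pf_start"-"$((pf_start + 2))"
}

# audit USER "USER_GROUPS": reads `ls -l` lines on stdin, prints "name perms verdict".
audit() {
    while read -r mode _links owner group _size _date _time name; do
        # Skip "total N" and anything that is not a directory or regular file.
        case $mode in [d-]?????????*) ;; *) continue ;; esac
        p=$(perms_for "$mode" "$owner" "$group" "$1" "$2")
        case $p in
            ?w?) verdict="WRITABLE" ;;      # user could create, delete or modify here
            ---) verdict="no-access" ;;
            *)   verdict="not-writable" ;;
        esac
        printf '%s %s %s\n' "$name" "$p" "$verdict"
    done
}

# Listing lines copied from the first post (the masked home directory is left out).
page_listing() {
    cat <<'EOF'
total 36
dr-xr-xr-x  2 root ftp   4096 2008-03-11 00:20 ftp
drwxr-xr-x  7 root root  4096 2008-01-17 22:32 httpd
drwx------  2 root root 16384 2008-02-12 18:17 lost+found
EOF
}

# What the worker user can do with each entry (group "nobody" is an assumption).
page_listing | audit nobody nobody
```

Feeding it `ls -l` output from the document root instead shows which entries the worker user could modify.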


#3 2008-03-16 15:43:14

axel
Member
Registered: 2007-12-10
Posts: 77

Re: Apache permissions

Thanks for your post _nalle. You were pretty informative. :)
