I just installed apache on my pc and noticed that /home/httpd has root:root permissions. Well, I believe this isn't secure for my system, since if someone exploits my apache he will automatically gain root privileges on my system. Correct? So I am going to change the permissions of this folder to group: nobody and create a new user, let's say httpd. Are there any other changes I have to make, either to the apache configuration or to php and mysql, in order for it to work ok? If I upgrade apache when a new version comes out, are there going to be any problems with the permission changes?
Edit: I read httpd.conf and found out that when apache starts it switches to anybody:anybody.
[*****@***** home]$ ps aux | grep httpd
root 24305 0.0 0.1 8092 3072 ? Ss 00:05 0:00 /usr/sbin/httpd -k start
nobody 24307 0.0 0.1 8228 2768 ? S 00:05 0:00 /usr/sbin/httpd -k start
nobody 24308 0.0 0.0 8092 2000 ? S 00:05 0:00 /usr/sbin/httpd -k start
nobody 24309 0.0 0.0 8092 2000 ? S 00:05 0:00 /usr/sbin/httpd -k start
nobody 24310 0.0 0.0 8092 2000 ? S 00:05 0:00 /usr/sbin/httpd -k start
nobody 24311 0.0 0.0 8092 2000 ? S 00:05 0:00 /usr/sbin/httpd -k start
nobody 24607 0.0 0.0 8092 2000 ? S 00:05 0:00 /usr/sbin/httpd -k start
root 27435 0.1 0.0 4172 1520 pts/0 S+ 00:06 0:00 nano /etc/httpd/conf/httpd.conf
***** 29487 0.0 0.0 3704 788 pts/1 R+ 00:07 0:00 grep httpd
However, isn't there still a problem with the permissions of /home/httpd, which is set as root:root? /home/ftp is set as root:ftp.
[*****@***** home]$ ls -la
total 36
drwxr-xr-x 6 root root 4096 2008-03-14 23:40 .
drwxr-xr-x 20 root root 4096 2008-03-11 15:35 ..
drwxr-xr-x 38 axel axel 4096 2008-03-15 00:07 *****
dr-xr-xr-x 2 root ftp 4096 2008-03-11 00:20 ftp
drwxr-xr-x 7 root root 4096 2008-01-17 22:32 httpd
drwx------ 2 root root 16384 2008-02-12 18:17 lost+found
Last edited by axel (2008-03-14 22:13:56)
Files being owned by root is not a problem per se. The permissions of an object define who gets to read/write/execute what.
For example:
The ftp folder you have has permissions r-xr-xr-x, meaning that the owner can read and execute (root in this case), anyone in the group can read and execute (ftp in this case) and globally anyone can read and execute.
In the case of a directory it needs to be executable for apache to be able to list its content. Files however only need read permissions to be viewable via the apache webserver.
Thinking securely is always the way to go, but to secure your system properly from hackers via your apache does require some effort and maintenance...
First of all, since apache usually runs as the unprivileged user nobody, it often only has access to the global permissions. However, if you check most files in, for example, your /etc, you will notice that even nobody has at least read access to them. This goes for the better part of your system too.
To secure this even further you would need to make sure that any files in your system that do not need to be readable for nobody aren't.
Unfortunately, as mentioned before, this is a hassle since files change all the time and it's easy to mess up the wrong permissions.
It is of course up to the individual administrator to define how much it is worth, but if you ask me I would say that it isn't, with the motivation that even if you put in a couple of hours a week on securing permissions on files on account of apache's shortcomings, there will still be another hole to plug somewhere else that I can focus that time on instead.
Think: Keep people out of the machine.
Instead of: How to stop them when they're in.
If security on the machine is an issue, I'd recommend you read up on grsecurity or selinux.
Swedish Archlinux Mirror Administrator - ftp.gigabit.nu
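The check described in the answer above, as an added example that is not part of the thread: a POSIX shell audit that lists what a worker process gets through the "other" permission bits under a tree. It assumes the worker user (nobody in this thread) neither owns the files nor shares their group; the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes the Apache workers run as a user (e.g. nobody) that
# neither owns nor shares a group with the files, so only "other" bits apply.
# Only mode bits are inspected, so the result does not depend on who runs it.

# Regular files reachable and readable through "other" bits. Directories
# without other-execute are pruned: nothing below them can be reached.
other_readable() {
    find "$1" -type d ! -perm -0001 -prune -o -type f -perm -0004 -print
}

# Reachable files and directories that any user may modify (other-write).
world_writable() {
    find "$1" -type d ! -perm -0001 -prune -o ! -type l -perm -0002 -print
}

# Build a constructed sample tree and print its path.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/htdocs/uploads" "$d/private"
    echo '<h1>hi</h1>' > "$d/htdocs/index.html"
    echo 'db password' > "$d/htdocs/config.php"
    echo 'secret' > "$d/private/secret.txt"
    chmod 755 "$d" "$d/htdocs"
    chmod 777 "$d/htdocs/uploads"      # writable by every local user
    chmod 750 "$d/private"             # no other-execute: subtree unreachable
    chmod 644 "$d/htdocs/index.html" "$d/private/secret.txt"
    chmod 640 "$d/htdocs/config.php"   # no other-read
    echo "$d"
}

audit() {
    echo "== readable via 'other' bits under $1"
    other_readable "$1"
    echo "== writable via 'other' bits under $1"
    world_writable "$1"
}

# With a path argument audit that tree; otherwise audit the constructed demo.
if [ "$#" -gt 0 ]; then
    audit "$1"
else
    demo=$(make_demo_tree) && audit "$demo"
    rm -rf "$demo"
fi
```

Run against /home/httpd from the listing above, a root:root tree with drwxr-xr-x shows up as readable but not writable by the workers; any entry under the second heading is one every local account can modify.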
Thanks for your post _nalle. You were pretty informative.