A Web server exposed to the public Internet requires an ongoing administrative effort. It is inevitable that security issues appear, both related to the software and to accidental misconfiguration. Here are some tips for how to deal with them.
If there are vulnerabilities found in the Apache software, a security advisory will be issued by SUSE. It contains instructions for fixing the vulnerabilities, which in turn should be applied soon as possible. The SUSE security announcements are available from the following locations:
By default in SUSE Linux Enterprise Server, the DocumentRoot
directory /srv/www/htdocs
and the CGI directory
/srv/www/cgi-bin
belong to the user and group
root
. You should not change these permissions.
If the directories were writable for all, any user could place files
into them. These files might then be executed by Apache with the
permissions of wwwrun
, which may give the user
unintended access to file system resources. Use subdirectories of
/srv/www
to place the
DocumentRoot
and CGI directories for your
virtual hosts and make sure that directories and files belong to user and
group root
.
By default, access to the whole file system is denied in
/etc/apache2/httpd.conf
. You should never
overwrite these directives, but specifically enable access to all
directories Apache should be able to read (see
Section 41.2.1.2.3, “Basic Virtual Host Configuration”
for details). In doing so, ensure that no critical files, such as
password or system configuration files, can be read from the outside.
Interactive scripts in Perl, PHP, SSI, or any other programming language can essentially run arbitrary commands and therefore present a general security issue. Scripts that will be executed from the server should only be installed from sources the server administrator trusts—allowing users to run their own scripts is generally not a good idea. It is also recommended to do security audits for all scripts.
To make the administration of scripts as easy as possible, it
is common practice to limit the execution of CGI scripts to specific
directories instead of globally allowing them. The directives
ScriptAlias
and Option
ExecCGI
are used for configuration. The SUSE Linux Enterprise Server
default configuration does not allow execution of CGI scripts from
everywhere.
All CGI scripts run as the same user, so different scripts can potentially conflict with each other. The module suEXEC lets you run CGI scripts under a different user and group.
When enabling user directories (with mod_userdir or mod_rewrite)
you should strongly consider not allowing
.htaccess
files, which would allow users to
overwrite security settings. At least you should limit the user's
engagement by using the directive
AllowOverRide
. In SUSE Linux Enterprise Server,
.htaccess
files are enabled by default, but the
user is not allowed to overwrite any Option
directives when using mod_userdir (see the
/etc/apache2/mod_userdir.conf
configuration file).