Permissions on Apache ServerRoot Directories
If you allow non-root users to modify any files that root either executes or writes to, then you open your system to root compromises.
For example, someone could replace the httpd binary so that the next time you start it, it will execute some arbitrary code. If the logs directory is writeable (by a non-root user), someone could replace a log file with a symlink to some other system file, and then root might overwrite that file with arbitrary data. If the log files themselves are writeable (by a non-root user), then someone may be able to overwrite the log itself with bogus data.
If you choose to place ServerRoot in /usr/local/apache then it is suggested that you create that directory as root, with commands like these:
mkdir /usr/local/apache
cd /usr/local/apache
mkdir bin conf logs
chown 0 . bin conf logs
chgrp 0 . bin conf logs
chmod 755 . bin conf logs
It is assumed that /, /usr, and /usr/local are only modifiable by root. When you install the httpd executable, you should ensure that it is similarly protected:
chown 0 /usr/local/apache/bin/httpd
chgrp 0 /usr/local/apache/bin/httpd
chmod 511 /usr/local/apache/bin/httpd
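To check an existing installation against the layout above, the following audit function is an added example (not part of the original post or of Apache itself). The function name and message texts are made up for illustration; it reports anything in ServerRoot, bin, conf or logs that is not owned by the expected uid or is group/world-writable, plus any symlink inside logs.

```shell
#!/bin/sh
# audit_serverroot ROOT [OWNER_UID]   (hypothetical helper, added example)
# Prints one line per finding; returns 0 if clean, 1 otherwise.
audit_serverroot() {
    root=$1
    owner=${2:-0}   # expected owner uid; 0 (root) matches "chown 0" above
    findings=$(
        # ServerRoot itself: test the directory only, do not descend
        # (it may hold content trees with different ownership rules).
        find "$root" -prune \
            \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print |
            sed 's/^/unsafe owner or mode: /'
        for d in bin conf logs; do
            if [ ! -e "$root/$d" ]; then
                echo "missing: $root/$d"
                continue
            fi
            # Everything below bin, conf and logs, including bin/httpd.
            # Symlinks are skipped here: their own mode bits mean nothing.
            find "$root/$d" ! -type l \
                \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print |
                sed 's/^/unsafe owner or mode: /'
        done
        # A symlink in logs is the overwrite vector described above:
        # root would write through it to whatever file it points at.
        if [ -d "$root/logs" ]; then
            find "$root/logs" -type l -print | sed 's/^/symlink in logs: /'
        fi
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run directly as: sh audit.sh /usr/local/apache
if [ "$#" -gt 0 ]; then
    audit_serverroot "$@"
fi
```

The check does not walk the parent directories; like the text above, it assumes /, /usr and /usr/local are only modifiable by root.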