Archive for the tag 'Directories'

Apache Security Tips - Permissions on ServerRoot Directories

In typical operation, Apache is started by the root user, and it switches to the user defined by the User directive to serve hits. As is the case with any command that root executes, you must take care that it is protected from modification by non-root users. Not only must the files themselves be writeable only by root, but so must the directories, and parents of all directories. For example, if you choose to place ServerRoot in /usr/local/apache then it is suggested that you create that directory as root, with commands like these:

mkdir /usr/local/apache
cd /usr/local/apache
mkdir bin conf logs
chown 0 . bin conf logs
chgrp 0 . bin conf logs
chmod 755 . bin conf logs

It is assumed that /, /usr, and /usr/local are only modifiable by root. When you install the httpd executable, you should ensure that it is similarly protected:

cp httpd /usr/local/apache/bin
chown 0 /usr/local/apache/bin/httpd
chgrp 0 /usr/local/apache/bin/httpd
chmod 511 /usr/local/apache/bin/httpd

You can create an htdocs subdirectory which is modifiable by other users — since root never executes any files out of there, and shouldn’t be creating files in there.

How do I enable cgi-scripts to run from both httpdocs and httpsdocs directories in Plesk?

By default Plesk runs CGI scripts in /cgi-bin/ folder only. To allow CGI scripts be processed from any folder, you should uncomment the cgi-script AddHandler directive in the main apache configuration file /etc/httpd/conf/httpd.conf

AddHandler cgi-script .cgi

Then restart Apache with the following command:

/etc/rc.d/init.d/httpd restart

Such customizations can also be done on a per domain basis in vhost.conf.

Permissions on Apache ServerRoot Directories

If you allow non-root users to modify any files that root either executes or writes on then you open your system to root compromises.

For example, someone could replace the httpd binary so that the next time you start it, it will execute some arbitrary code. If the logs directory is writeable (by a non-root user), someone could replace a log file with a symlink to some other system file, and then root might overwrite that file with arbitrary data. If the log files themselves are writeable (by a non-root user), then someone may be able to overwrite the log itself with bogus data.

If you choose to place ServerRoot in /usr/local/apache then it is suggested that you create that directory as root, with commands like these:

mkdir /usr/local/apache
cd /usr/local/apache
mkdir bin conf logs
chown 0 . bin conf logs
chgrp 0 . bin conf logs
chmod 755 . bin conf logs

It is assumed that /, /usr, and /usr/local are only modifiable by root. When you install the httpd executable, you should ensure that it is similarly protected

cp httpd /usr/local/apache/bin
chown 0 /usr/local/apache/bin/httpd
chgrp 0 /usr/local/apache/bin/httpd
chmod 511 /usr/local/apache/bin/httpd

Locate world-writable files and directories

To locate world-writable files and directories, you can use the following command

find / -path /proc -prune -o -perm -2 ! -type l -ls

World-writable files are a security risk since it allows anyone to modify them. Additionally, world-writable directories allow anyone to add or delete files.

The “! -type l” parameter skips all symbolic links since symbolic links are always world-writable. However, this is not a problem as long as the target of the link is not world-writable, which is checked by the above find command.

World-Writable directories with sticky bit such as the /tmp directory do not allow anyone except the owner of a file to delete or modify it in this directory. The sticky bit makes files stick to the user who created it and it prevents other users from deleting and renaming the files. Therefore, depending on the purpose of the directory world-writable directories with sticky are usually not an issue. An example is the /tmp directory:

~$ ls -ld /tmp

drwxrwxrwt 8 root root 4096 Oct 26 05:19 /tmp

From the find man pages:

-type c

File is of type c:

l symbolic link; this is never true if the -L option or the -follow option is in effect, unless the symbolic link is broken. If you want to search for symbolic links when -L is in effect, use -xtype.

SBDavid

Important Plesk Directories

Plesk Directories that usually take much disk space

/var/www/vhosts (/srv/vhosts on SuSE) - domains.
/var/qmail - mail.
/var/lib/mysql - Mysql databases.
/var/lib/psa/dumps - Plesk clients’/domains’ backups.
/var/lib/pgsql/data - Postgres databases.
/var/tomcat* - Tomcat applications.
/var/lib/mailman - Mailman lists.

Please check file /etc/psa/psa.conf for all other directories used by Plesk control panel.

Plesk Contorl Panel under FreeBSD uses the /usr/local partition for storing large quantity of data and /var/db partition for databases.
So the /usr and /var partitions have to be larger in this case.

On Debian and Ubuntu, Plesk itself is located in /opt/psa.

« Prev