Apache Security by Ivan Ristic

The unconfirmed error reports are from readers. They have not yet been approved or disproved by the author or editor and represent solely the opinion of the reader.

Here's a key to the markup:

[page-number]: serious technical mistake
{page-number}: minor technical mistake
<page-number>: important language/formatting problem
(page-number): language change or minor formatting problem
?page-number?: reader question or request for clarification

This page was updated March 21, 2007.

UNCONFIRMED errors and comments from readers:

{53} Second-last paragraph; There is a comment "Java class files end in .class but there is little chance of clash because these files should never be accessed directly by Apache". Surely this is incorrect -- people serve .class files over the web all the time as Java applets, and I think the Apache directives described would make Apache use PHP to interpret .class files? (Maybe this is safe, as a Java class is unlikely to contain something that PHP will think is PHP code?)

(64) First paragraph in "File access restrictions" section; The sentence "For the operation to proceed, PHP will insist that the uid of the file owner matches the uid of the account owning the script." seems a little unclear to me, as no particular file has been mentioned earlier in the paragraph. I think you mean "When you try to perform an operation on any file, PHP will insist that the uid of the file owner matches the uid of the account owning the script."

(72) Second-last bullet point; "45 (9 + 8 + ... + 1)" should probably read "45 = (9 + 8 + ... + 1)".

{86-101} Missing section; Somewhere in the SSL section I was expecting a discussion of untrusted CGI/PHP/... and how it interacts with keeping your SSL certificate secret.

(107) Last paragraph before "Distributed Denial of Service Attacks"; This section should almost certainly refer to RFC 3704 (which is also BCP document 84) to tell people about ingress/egress filtering. It's not just a good idea -- it's also Internet Best Current Practice!

[120] PAM Limits section; The section called "PAM limits" should be called "process limits" -- they really have nothing to do with PAM, other than the pam_limits module lets you set them. The changes do not take effect immediately, as claimed by the second paragraph. You must recreate the session using the pam_limits module. This may be done by Apache when it creates its worker children -- I don't know for certain.

{121} Process accounting section; The command given to activate process accounting will only activate it until the next reboot. Usually some addition needs to be made to the boot scripts to make sure this happens early in the boot process. It may be that the Red Hat psacct package adds such a boot script automatically?