Protect server files by default
One aspect of Apache, which is occasionally misunderstood, is the feature of default access. That is, unless you take steps to change it, if the server can find its way to a file through normal URL mapping rules, it can serve it to clients. For instance, consider the following example:
# cd /; ln -s / public_htmlAccessing http://localhost/~root/
This would allow clients to walk through the entire filesystem. To work around this, add the following block to your server’s configuration:
<Directory /> Order Deny,Allow Deny from all </Directory>
This will forbid default access to filesystem locations. Add
appropriate <Directory> blocks to allow
access only in those areas you wish. For example:
<Directory /usr/users/*/public_html>
Order Deny,Allow
Allow from all
</Directory>
<Directory /usr/local/httpd>
Order Deny,Allow
Allow from all
</Directory>Pay particular attention to the interactions of
<Location> and
<Directory> directives; for instance, even
if <Directory /> denies access, a
<Location /> directive might overturn it.
Also be wary of playing games with the UserDir
directive; setting it to something like ./ would
have the same effect, for root, as the first example earlier. If you
are using Apache 1.3 or above, we strongly recommend that you include
the following line in your server configuration files:
UserDir disabled root
Tip
Please send any other useful security tips to The Apache Group by filling out a problem report. If you are confident you ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access