Novell LINUX ENTERPRISE SERVER 10 SP2 - INSTALLATION AND ADMINISTRATION Installation Manual page 798

should be applied soon as possible. The SUSE security announcements are available
from the following locations:
• Web Page
securitysupport.html
• Mailing List
#Mailinglists
• RSS Feed
_security.xml
40.7.2 DocumentRoot Permissions
By default in SUSE Linux Enterprise Server, the DocumentRoot directory /srv/
www/htdocs and the CGI directory /srv/www/cgi-bin belong to the user and
group root. You should not change these permissions. If the directories were writable
for all, any user could place files into them. These files might then be executed by
Apache with the permissions of wwwrun, which may give the user unintended access
to file system resources. Use subdirectories of /srv/www to place the DocumentRoot
and CGI directories for your virtual hosts and make sure that directories and files belong
to user and group root.
40.7.3 File System Access
By default, access to the whole file system is denied in /etc/apache2/httpd
.conf. You should never overwrite these directives, but specifically enable access to
all directories Apache should be able to read (see Section "Basic Virtual Host Configu-
ration" (page 753) for details). In doing so, ensure that no critical files, such as password
or system configuration files, can be read from the outside.
40.7.4 CGI Scripts
Interactive scripts in Perl, PHP, SSI, or any other programming language can essentially
run arbitrary commands and therefore present a general security issue. Scripts that will
be executed from the server should only be installed from sources the server adminis-
780 Installation and Administration
http://www.novell.com/linux/security/
http://en.opensuse.org/Communicate
http://www.novell.com/linux/security/suse