User Directories - Novell LINUX ENTERPRISE SERVER 11 - ADMINISTRATION Administration Manual
Hide thumbs
Also See for LINUX ENTERPRISE SERVER 11 - ADMINISTRATION:
- Installation (5 pages) ,
- Manual (450 pages)
Table of Contents
Advertisement
for all, any user could place files into them. These files might then be executed by
Apache with the permissions of wwwrun, which may give the user unintended access
to file system resources. Use subdirectories of /srv/www to place the DocumentRoot
and CGI directories for your virtual hosts and make sure that directories and files belong
to user and group root.
27.7.3 File System Access
By default, access to the whole file system is denied in /etc/apache2/httpd
.conf. You should never overwrite these directives, but specifically enable access to
all directories Apache should be able to read (see
Section "Basic Virtual Host Configu-
ration"
(page 380) for details). In doing so, ensure that no critical files, such as password
or system configuration files, can be read from the outside.
27.7.4 CGI Scripts
Interactive scripts in Perl, PHP, SSI, or any other programming language can essentially
run arbitrary commands and therefore present a general security issue. Scripts that will
be executed from the server should only be installed from sources the server adminis-
trator trusts—allowing users to run their own scripts is generally not a good idea. It is
also recommended to do security audits for all scripts.
To make the administration of scripts as easy as possible, it is common practice to
limit the execution of CGI scripts to specific directories instead of globally allowing
them. The directives ScriptAlias and Option ExecCGI are used for configura-
tion. The SUSE Linux Enterprise Server default configuration does not allow execution
of CGI scripts from everywhere.
All CGI scripts run as the same user, so different scripts can potentially conflict with
each other. The module suEXEC lets you run CGI scripts under a different user and
group.
27.7.5 User Directories
When enabling user directories (with mod_userdir or mod_rewrite) you should
strongly consider not allowing .htaccess files, which would allow users to overwrite
408
Administration Guide
Advertisement
Table of Contents
Troubleshooting
