43.2.4.2. Beware of Syntax Errors
The NFS server determines which file systems to export and which hosts to export these directories to
by consulting the /etc/exports file. Be careful not to add extraneous spaces when editing this file.
For instance, the following line in the /etc/exports file shares the directory /tmp/nfs/ to the host
bob.example.com with read/write permissions.
/tmp/nfs/     bob.example.com(rw)
The following line in the /etc/exports file, on the other hand, shares the same directory to the host
bob.example.com with read-only permissions and shares it to the world with read/write permissions
due to a single space character after the hostname.
/tmp/nfs/     bob.example.com (rw)
It is good practice to check any configured NFS shares by using the showmount command to verify
what is being shared:
showmount -e <hostname>
43.2.4.3. Do Not Use the no_root_squash Option
By default, NFS shares change the root user to the nfsnobody user, an unprivileged user account.
This changes the owner of all root-created files to nfsnobody, which prevents uploading of programs
with the setuid bit set.
If no_root_squash is used, remote root users are able to change any file on the shared file system
and leave applications infected by trojans for other users to inadvertently execute.
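The two checks described in sections 43.2.4.2 and 43.2.4.3 can be automated before the NFS server is reloaded. The following is an added example, not part of the original manual: a small parser that reads /etc/exports-style text and reports option lists that apply to every host because of a stray space, and any use of no_root_squash. The names audit_exports and logical_lines are hypothetical, the sample input is constructed, and paths are assumed to contain no spaces or quoting.

```python
import re

# Constructed sample /etc/exports content; lines 2-3 are the two cases from the text.
SAMPLE_EXPORTS = """\
# constructed sample, not a real configuration
/tmp/nfs/   bob.example.com(rw)
/tmp/nfs/   bob.example.com (rw)
/srv/build  10.0.0.0/24(rw,no_root_squash)
/srv/pub    alice.example.com(ro) \\
            carol.example.com(rw)
"""

# One client entry: optional host, optional parenthesised option list.
CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^()]*)\))?$")

def logical_lines(text):
    """Yield (first_line_number, entry) with comments removed and
    backslash-continued lines joined."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        start = start or num
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        if (buf + line).strip():
            yield start, buf + line
        buf, start = "", None

def audit_exports(text):
    """Return (line, path, issue, detail) tuples for risky export entries."""
    findings = []
    for num, entry in logical_lines(text):
        path, *clients = entry.split()
        prev_bare_host = None  # host token seen without its own option list
        for tok in clients:
            m = CLIENT_RE.match(tok)
            if m is None:
                findings.append((num, path, "unparsable-client", tok))
                continue
            host, opts = m["host"], m["opts"]
            if not host and opts is not None:
                # "(rw)" on its own applies to every host, not to the previous one.
                hint = f"stray space after {prev_bare_host}?" if prev_bare_host else "no host given"
                findings.append((num, path, "options-apply-to-all-hosts", f"({opts}); {hint}"))
            if opts and "no_root_squash" in opts.split(","):
                findings.append((num, path, "no_root_squash", host or "all hosts"))
            prev_bare_host = host if host and opts is None else None
    return findings
```

Pass the contents of the real file to audit_exports() and review each finding; the showmount -e check remains useful for confirming what the running server actually exports.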
43.2.5. Securing the Apache HTTP Server
The Apache HTTP Server is one of the most stable and secure services that ships with Red Hat
Enterprise Linux. A large number of options and techniques are available to secure the Apache HTTP
Server — too numerous to delve into deeply here.
When configuring the Apache HTTP Server, it is important to read the documentation available for the
application. This includes Chapter 22, Apache HTTP Server, and the Stronghold manuals, available at
http://www.redhat.com/docs/manuals/stronghold/.
System Administrators should be careful when using the following configuration options:
43.2.5.1. FollowSymLinks
This directive is enabled by default, so be sure to use caution when creating symbolic links to the
document root of the Web server. For instance, it is a bad idea to provide a symbolic link to /.
43.2.5.2. The Indexes Directive
This directive is enabled by default, but may not be desirable. To prevent visitors from browsing files
on the server, remove this directive.