22.11. Security

22.11.1. Minimizing the Risk

If you do not need a web server on a machine, deactivate Apache in the runlevel editor, uninstall it, or refrain from installing it in the first place. To minimize the risk, deactivate all unneeded servers. This especially applies to hosts used as firewalls. If possible, do not run any servers on these hosts.

22.11.2. Access Permissions

DocumentRoot Should Belong to root

By default, the DocumentRoot directory (/srv/www/htdocs) and the CGI directory belong to the user root. You should not change this setting. If the directories were writable for all, any user could place files into them. These files might then be executed by Apache with the permissions of user wwwrun. Also, Apache should not have any write permissions for the data and scripts it delivers. Therefore, these should not belong to the user wwwrun, but to another user (such as root).
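
One way to check a web tree against these rules is the following shell audit. It is an added example, not part of the original manual. The function name audit_docroot, its output labels, and the optional third argument (a single subdirectory that is intentionally writable for all) are assumptions of this example; the user wwwrun and the paths come from this section.

```shell
#!/bin/sh
# Added example: audit a web tree against the ownership rules in this section.
# Usage: sh audit_docroot.sh /srv/www/htdocs wwwrun /srv/www/htdocs/miscellaneous

# audit_docroot DIR [SERVER_USER] [SHARED_DIR]
#   DIR          tree to check (DocumentRoot or the CGI directory)
#   SERVER_USER  account Apache runs as, name or numeric UID (default: wwwrun)
#   SHARED_DIR   optional: the one subdirectory meant to be writable for all,
#                written exactly as find prints it (DIR/name)
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on error.
audit_docroot() {
    dir=$1
    server_user=${2:-wwwrun}
    shared_dir=${3:-}

    if [ ! -d "$dir" ]; then
        echo "audit_docroot: not a directory: $dir" >&2
        return 2
    fi

    # Anything owned by the server account can be rewritten by Apache itself.
    owned=$(find "$dir" -user "$server_user" -print) || return 2

    # World-writable entries let any local user plant files that Apache then
    # serves or executes. Symlinks always show mode 777, so skip them.
    # Only SHARED_DIR itself is exempt; files inside it are still reported.
    writable=$(find "$dir" ! -type l -perm -0002 \
        ! -path "$shared_dir" -print) || return 2

    if [ -n "$owned" ]; then
        printf '%s\n' "$owned" | sed 's/^/OWNED-BY-SERVER /'
    fi
    if [ -n "$writable" ]; then
        printf '%s\n' "$writable" | sed 's/^/WORLD-WRITABLE /'
    fi
    [ -z "$owned$writable" ]
}

# Run the audit when the script is called with arguments.
if [ "$#" -gt 0 ]; then
    audit_docroot "$@"
fi
```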

To enable users to place files in the document directory of Apache, do not make it writable for all. Instead, create a subdirectory that is writable for all (such as /srv/www/htdocs/miscellaneous).

Publishing Documents from Home Directories

Another way to let users publish their files in the network is to specify a subdirectory in users' home directories in the configuration file. Users can then place any files for web presentations in this directory (for example, ~/public_html). By default, this is activated in SUSE LINUX. See Section “UserDir” for details.

These web pages can be accessed by specifying the user in the URL. The URL contains the element ~username as a shortcut for the respective directory in the user's home directory. For example, enter http://localhost/~tux in a browser to list the files in the directory public_html in the home directory of the user tux.

22.11.3. Staying Updated

If you operate a web server, and especially if this web server is publicly accessible, stay informed about bugs and potential vulnerabilities. Sources for exploits and fixes are listed in Section 22.13.3. “Security”.