Hello.

I am worried about the default settings on Suse 9.3's apache. It is able to read files that are part of user root, group root. Is this normal ? Normally, the precise access path is /srv/www/htdocs/. But should I worry that it may also access other dirs as well and thus, having no security at all ?

Any help appreciated.

narc.

SUSE usually runs apache as user "wwwrun", group "www"
check if this user/group can read the files in /srv/www/htdocs/

Thanks. But let me rephrase this:

Well, yes. It *does* read the files in /srv/www/htdocs. It actually reads *all* files in that directory regardless of user or group ownership (root, wwwrun, www, users, etc.). That is what worries me. My question was: do I need to worry that apache might read ouside of this directory which would compromise security ? In other words, is it preferable that apache may only read files with specific ownership so that if it does read outside of /srv/www/htdocs, it would do miinmal damage ? Or is this overly paranoid ? If not, I need to know how to set it for specific ownerships.

Let me know.


narc.

If everything goes well (correct configuration, no bugs in CGI programs, etc), apache does only server out of your DocumentRoot (/srv/www/htdocs).

Additional security and a bit of paranoia may help you survive in a hostile world :-)
You can set secure permissions, run apache in a chroot jail or in a virtual unix server (UML - UserModeLinux, XEN virtual machine).