Some good practices for web servers

May 1, 2007

Here's something important for file ownership on web servers:

The user that the web server runs as should not own anything that the web server serves.

This means that the web server's user shouldn't own anything under the document root or in CGI areas, and there shouldn't be any writeable directories under either that it can use to put things in. Strongly resist the temptation to have CGIs write data files under the CGI area or in the docroot, even if they are normally blocked from being served; if CGI programs need to write data files somewhere, that somewhere should be a completely separate directory hierarchy.

(A close cousin of this is to strongly resist having anything but actual executable CGI programs in your CGI area. Their configuration and data files should live somewhere else, somewhere where a clever attacker can never try to run them as a CGI and see if something interesting happens.)

Unfortunately, this configuration is pretty hard to arrange if you use Apache's suexec, because suexec rightfully insists that the UID it's going to run things as own the program it's about to run. About the best you can do is have two machines and (NFS) export the CGI area to the web server read-only.

An important corollary: the user that the web server runs as should not have a real home directory, and ideally not a real shell either.

A second corollary: if you keep your website (or portions of your website) in a version control system like SVN, makes sure that the user the web server runs as does not have write permissions for the repository. In fact there's no reason it needs even checkout permissions, since the checkouts should be done as another user.

(Hopefully I do not have to mention that the user that the web server runs as should never own the web server's configuration files or be able to write to the directory where they are. Especially if your web server binds to port 80, and thus is started as root.)

Written on 01 May 2007.
« Being specific about where your systems are
My view of Ubuntu »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Tue May 1 22:21:25 2007
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.