# Apache and protecting files

## GreenCorduroy

I recently installed Apache and I was reading the documentation regarding security tips. One particular security tip that I was concerned about is the "Protecting Server Files by Default"

Doing the following:

```
cd /; ln -s / public_html

http://localhost/public_html/ 
```

Allows read access to the root directory of my computer. I can browse through all the files on my computer except for those files that have permissions set as un-readable by all.

In the documentation (http://httpd.apache.org/docs/misc/security_tips.html) they state to deny all access to any directories on the server and grant directory specific access. However, I noticed that in "commonapache.conf" contains the code:

```
<Directory />

  Options -All -Multiviews

  AllowOverride None

  Order deny,allow

  Deny from all

</Directory>
```

This, according to the tip, should prevent access all directories by default.

Why exactly am I still able to access the root directory?

Thanks in advance

----------

## dirtyjake

What does your public_html "Directory" directive look like?  Which user is apache running under?  Need more from your httpd.conf.

Is this Apache 2?  I am more experience with 1.3 but I may be able to help.

----------

## delta407

 *dirtyjake wrote:*   

> Is this Apache 2?

 

I thought Apache 2 used an XML config file syntax, but I could be wrong. The above looks like a current Apache 1.3 apache.conf.

----------

## GreenCorduroy

It's a fresh emerge of  apache 1.3.26-r4. I couldn't get apache2 to properly merge so I just used 1.3.

Basically everything in the config files are the default settings for both apache.conf and common commonapache.conf.

apache.conf:

```

ServerType standalone

ServerRoot /etc/apache

#ServerName localhost

#LockFile /etc/httpd/httpd.lock

PidFile /var/run/apache.pid

ScoreBoardFile /etc/apache/apache.scoreboard

ErrorLog logs/error_log

LogLevel warn

ResourceConfig /dev/null

AccessConfig /dev/null

DocumentRoot /home/httpd/htdocs

```

the rest is just loading modules

commonapache.conf is really long so I'll just answer the couple questions you asked.

The user is apache, groupname apache

Here is the directory that the public file is stored in:

```
<Directory /home/httpd/htdocs>

Options Indexes FollowSymLinks MultiViews

AllowOverride All

Order allow,deny

Allow from all

</Directory>

```

I realize that it allows symlinks and overrides any options that were set for the root directory, but that should effect only the specified directory right? and not the root directory.

Thanks again.

----------

## dirtyjake

From http://httpd.apache.org/docs/mod/core.html#directory

 *Quote:*   

> If multiple (non-regular expression) directory sections match the directory (or its parents) containing a document, then the directives are applied in the order of shortest match first, interspersed with the directives from the .htaccess files. For example, with
> 
> <Directory />
> 
> AllowOverride None
> ...

 

So, your <Directory /home/httpd/htdocs> allows you to treat the symlink 'public_html' as a directory under /home/httpd/htdocs therefore setting those same rules.

Your files in /root have the "other" read bit set, right?

Why would you want to do this?  Or is it just an experiment?  You could add something like:

<Location /public_html/root>

Order deny, allow

Deny from All

</Location>

That should protect your /root/ directory.

----------

## rac

Might SymLinksIfOwnerMatch be helpful?

----------

## GreenCorduroy

Basically what I want is to disallow access to any directories that are not specified in apache.conf or commonapache.conf. However, I still want the ability of symlinks so I can link to other directories.

From what I understand, dirtyjake, you are saying that Apache treates the symlink as a directory within the symlink directory? So instead of seeing that public_html -> /root it sees public_html/root? But that doesn't seem to make much sense since then you couldn't really protect system files. Since creating a symlink in a different directory would negate any previous <directory> or <location> definitions.

Granted I shouldn't be creating symlinks to anything that I don't want accessed by the outside world, but I'd rather set it up just incase. Better to be safe than sorry. In the future I may allow ~/user directories on the server and don't want users to accidentally link to stuff that shouldn't be linked to.

As for the "other" read bit, it's set to whatever was default when I installed Gentoo. Are you saying that I should remove it? Then how would any users other than root access files on the computer?

Thanks again

----------

## dirtyjake

 *Quote:*   

> Basically what I want is to disallow access to any directories that are not specified in apache.conf or commonapache.conf. However, I still want the ability of symlinks so I can link to other directories.

 

You can link to other directories, just don't link to /.  Or do what rac suggested and try SymLinksIfOwnerMatch.  It will only allow a link if the owner of the link owns what is being linked to.

 *Quote:*   

> From what I understand, dirtyjake, you are saying that Apache treates the symlink as a directory within the symlink directory? So instead of seeing that public_html -> /root it sees public_html/root? But that doesn't seem to make much sense since then you couldn't really protect system files. Since creating a symlink in a different directory would negate any previous <directory> or <location> definitions.

 

Sorry, I seem to have been confused about this whole thing.  When you said root directory, I thought you meant /root/.

 *Quote:*   

> Granted I shouldn't be creating symlinks to anything that I don't want accessed by the outside world, but I'd rather set it up just incase. Better to be safe than sorry. In the future I may allow ~/user directories on the server and don't want users to accidentally link to stuff that shouldn't be linked to.

 

See above regarding SymLinksIfOwnerMatch.  BTW, if you are going to allow users on your system and they have shell access that allows them to create symlinks then what is the difference if they are reading world-readable files through Apache rather than in their shell?

 *Quote:*   

> As for the "other" read bit, it's set to whatever was default when I installed Gentoo. Are you saying that I should remove it? Then how would any users other than root access files on the computer?

 

Again, part of the misunderstanding.  I thought you were able to see parts of /root/ that did not have the "other" read bit set.  That would have been very bad considering Apache was running as an unpriveleged user.

OK, OK.  I reread "Protecting Server Files by Default" and I see what you are talking about now.  One problem is that you say you can access the filesystem via http://localhost/public_html/.  That should be http://localhost/~root/.  Which means you may have created public_html at /home/httpd/htdocs/public_html rather than /public_html as in the example.  Try doing the example again.  Be sure to turn on UserDir and try http://localhost/~root/.  The example might be outdated though because ~root should point to /root/ rather than /, so try `cd /root; ln -s / public_html` while following the example.

This may be helpful also.  This is from a Red Hat httpd.conf file 

```
#

# Control access to UserDir directories.  The following is an example

# for a site where these directories are restricted to read-only.

#

#<Directory /home/*/public_html>

#    AllowOverride FileInfo AuthConfig Limit

#    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec

#    <Limit GET POST OPTIONS PROPFIND>

#        Order allow,deny

#        Allow from all

#    </Limit>

#    <LimitExcept GET POST OPTIONS PROPFIND>

#        Order deny,allow

#        Deny from all

#    </LimitExcept>

#</Directory>

```

----------

