Sander's Weblog

July 30, 2010

File System Permissions for Apache

Filed under: Apache,Security — Sander @ 8:00 am

I don’t spend a lot of time on The Apache HTTP Server Users mailing list, but a discussion sprang up there this week on which I think I should share my response. The issue was why the server in question did not have permission to show a particular file. The initial response was “just chown your document root to the Apache user” and, when pointed out that this introduced security issues, 

Oh man an experienced sys admin told me to do it that way.
Please tell me what is wrong in this and where is this documented on Apache
docs.
I want to read.

Here is my response reproduced: read on.

The Apache HTTP Server needs read access to its configuration files and the files it serves. In and of itself, the server does not need write access anywhere on the system: even its log files are opened for write when the server is still root, and the open file descriptors passed to the child processes which change their user id to the lesser privileged user.

Read access only. The web server user should not own, or be able to write to, its configuration files or content.

Content, other than CGI scripts, generally does not need Execute permissions. Even PHP files that are interpreted by the server do not need to be Executable.

Certain applications, especially publishing platforms and Content Management Systems that you manage and populate through the web server itself using a browser, require that certain directories on the system be made writable by the web server user. You can do this by changing the owner of the directory to that user (usually www but ymmv), or by making the directory group-writable and changing the group to the group as which Apache runs.

Making directories writable by the web server should be done only with care and consideration. The usual threat model is that someone manages to upload (for instance) a PHP script of their own making into the document root, and simply executes that by accessing it through a browser. Now someone is executing code on your machine. Google for ‘r57′ for an example of what such code can do.

If a web app needs writable directories, it’s often better to have those outside the DocumentRoot: that way the uploads can’t be accessed from the outside through a direct URL. Some applications (WordPress for instance) support this, others do not.

In many cases, writable directories are not strictly necessary even though the web app might like them: rather than upload plugins (which contain code that gets executed or interpreted, yech!) through the web browser, upload them through ssh and manually unpack them on the server. The CMS Joomla! likes to write its configuration file to the Document Root on initial install (which promptly becomes a popular attack target) but if it can’t write to the Document Root, it will output the config to the browser to the user can manually upload it.

The Apache Documentation will merely tell you to make the server installation root-owned. The HTTP Server Documentation does not cover third party applications like WordPress or Joomla!, so it will not discuss their need to have some directories writable. I hope the above makes the picture a little more complete.

March 22, 2010

ApacheCon NA 2010 HTTP Server Track Call for Participation

Filed under: Apache,ApacheCon — Sander @ 6:42 am

ApacheCon North America 2010 will be held 1-5 November 2010, at the Westin Peachtree in Atlanta, Georgia, USA.

The official conference, trainings and expo of the Apache Software Foundation (ASF) will run to Atlanta this November, with dozens of sessions on Servers, Cloud Computing, Search NoSQL, Incubating projects, innovations, emerging technologies, and more.

ApacheCon would not be complete without a track dedicated to the project that started it all, the Apache HTTP Server. The Project Management Committee (PMC) are currently planning our own technical track for ApacheCon. We are solliciting 50-minute presentations for our conference track, to fill one day at the conference.

Topics of interest include:

  • Case studies on deployment of the Apache HTTP Server within your organization
  • How-to sessions on working with certain aspects of the Apache HTTP Server technology
  • What’s New? sessions on new features of recent and upcoming versions of the Apache HTTP Server
  • Sessions discussing third-party extensions to the Apache HTTP Server
  • Security topics surrounding the Apache HTTP Server
  • Performance and scalability of Apache HTTP Server deployment
  • Cool things we all should know the Apache HTTP Server can do
  • How you solved particularly gnarly problems deploying the Apache HTTP Server

Submissions are open to anyone with relevant expertise: ASF affiliation is not required to present at, attend, or otherwise participate in ApacheCon.

Please keep in mind that whilst we are encourage submissions that the highlight the use of specific Apache solutions, we are unable to accept marketing/commercially-oriented presentations.

All accepted speakers (not co-presenters) qualify for general conference admission and a minimum of two nights lodging at the conference hotel. Additional hotel nights and travel assistance are possible, depending on the number of presentations given and type of assistance needed.

To submit a presentation proposal, please edit the Wiki page and add your proposal, including:

  1. Your full name, title and organization
  2. Contact information, including your e-mail address. Feel free to obfuscate if you think that this will make a difference in your SPAM load
  3. The name of your proposed session (keep your title simple and relevant to the topic)
  4. A 75-200 word overview of your presentation
  5. A 100-200 word speaker bio that includes prior conference speaking or related experience

You will find an empty table template at the bottom of the page. Please copy this and fill it in.

Please mail any quesions regarding proposal submissions to pmc at httpd.apache.org.

To be considered, proposals must be received by Sunday, April 4nd, 2010, at 23:59:59 Pacific Time. Following this time, the PMC will hold a vote and suggest the most interesting proposals to the ApacheCon Planning Committee for acceptance to the conference. Note that the Apache HTTP Server PMC does not itself accept session proposals: it merely makes recommendations to the Planning Committee.

Key Dates:

April 4, 2010: Call for Participation closes
May 17, 2010: Speaker Acceptance/Rejection notification
November 1-5, 2010: ApacheCon NA 2010

We look forward to seeing you in Atlanta!

January 26, 2010

Ubuntu Packages for Perl Modules

Filed under: Apache — Sander @ 12:48 pm

The Apache HTTP Server perl-framework testsuite needs a number of Perl modules in order to run. You can install those through CPAN, but on some distributions these modules have been made available through the distro packaging scheme.

This is a quick-and-dirty list of Perl-related packages that need to be installed on a vanilla Ubuntu system in order to run the perl-framework:

Ubuntu Package Perl Module Remarks
libcrypt-ssleay-perl Crypt::SSLeay
libdevel-corestack-perl Devel::CoreStack
libdevel-symdump-perl Devel::Symdump
libdigest-md5-perl Digest::MD5 Part of the default load
liburi-perl URI Part of the default load
  Net::Cmd Part of perl-modules package
  MIME::Base64 Part of perl package
libhtml-tagset-perl HTML::Tagset Default load
libhtml-parser-perl HTML::Parser Default load
libhtml-parser-perl HTML::HeadParser Default load
libwww-perl LWP Default load
libipc-run3-perl IPC::Run3  
libhttp-dav-perl HTTP::DAV Sucks in the following
libxml-dom-perl
libxml-perl
libxml-regexp-perl
perl-doc Perl documentation Some files are used as content by some tests

November 7, 2009

How to Build Apache for Development

Filed under: Apache — Sander @ 10:10 am

This is how I currently build Apache httpd for development and testing.

Pre-requisites:

Once these are in place, check out the Apache source code from http://svn.apache.org/repos/asf/httpd/httpd/trunk, cd into the checkout and run ./buildconf --with-apr=/path/to/apr/source-code. Then run configure:


./configure \
--prefix=/somewhere/convenient \
--enable-mods-shared=all \
--enable-maintainer-mode \
--with-apr=/where/you/put/it \
--enable-proxy=shared \
--enable-ssl=shared \
--enable-case-filter=shared \
--enable-case-filter-in=shared \
--enable-bucketeer=shared \
--enable-echo=shared \
--enable-mpms-shared=all

make and make install. This module complement is what will be exercised by the test harness. The build system will leave the last ./configure invocation in config.nice, and also install the latter under the build subdirectory when you make install. Isn’t that nice?

To run the test harness, check out http://svn.apache.org/repos/asf/httpd/test/framework/trunk. Underneath the checkout, find in Apache-Test/lib/Bundle/ApacheTest.pm a list of the Perl modules you need. A number of these will already be on your system. Get what you don’t have from CPAN or your package manager. Also, install HTTP::DAV and its dependencies which is not on the list but needed to exercise mod_dav. Then run:

perl Makefile.PL
t/TEST -httpd /somewhere/convenient/bin/httpd -apxs /somewhere/convenient/bin/apxs

Note your skips and failures. Add Apache modules and Perl modules if you find the list above out of date. Then make your changes to Apache, rebuild and run t/TEST again. If your new build is in a different installation root, run make realclean in the framework and set it up again. When your changes to Apache (no longer) cause any tests to fail, propose the change to dev@httpd.apache.org. If you add new functionality, add new tests. That’s all. Easy.

November 4, 2009

ApacheCon US 2009 PGP Keysigning

Filed under: Apache,ApacheCon — Sander @ 1:38 pm

We’ll be doing a PGP Keysigning Session at ApacheCon. If you would like to participate, check out http://wiki.apache.org/apachecon/PgpKeySigning and make sure to mail me your public key before the end of today, Wednesday.

November 3, 2009

My ApacheCon US 2009 Wishlist

Filed under: Apache,ApacheCon — Sander @ 1:07 pm
  • Get Apache HTTP Server building again on Gump (which involves losing the dependency on the Apache Portable Runtime Utility library, which was folded into APR proper)
  • Get @pgollucci what he needs on clarus.apache.org, and work on the future of that box
  • Talk about Apache 2.4, and what is still needed to get that out the door. Then, maybe start talking about figuring out what 3.0 is going to be like
  • Prepare for the Keysigning — which may mean creating a new PGP key
  • Prepare for my presentation on Thursday
  • Do some httpd hacking. Perhaps pull in the ECC patch that has been sitting in Bugzilla

August 18, 2009

Web Hacking Incident Database Report

Filed under: ApacheCon,Security — Sander @ 9:12 pm

The The Web Hacking Incidents Database 2009: Bi-Annual Report is out. If I recall correctly, the first report Breach did, in 2007, did not mention any bi-annualness. Also, the eventual landing page has as HTML title “<title>The Web Hacking Incidents Database 2008: Annual Report</title>”. Is it possible that they simply didn’t get their act together last year and retroactively declared the report bi-annual?

I went in through the link above, gave up my e-mail, phone number and name of my first born, and downloaded the report. This will probably land me another copy of every marketing e-mail Breach sends out (guess how I learned of this report?), and a phone call from some poor guy in a cube who has to make 75 phone calls a day for a living. Oops, guess I put down a fax number. Sorry dude, hope your headset isn’t too loud.

Anyway, after you go though the lead generation form you land here and can follow a direct link to the PDF. This is fairly standard practice, but from a security company I would expect that they would make some more effort to not inadvertedly expose the goods.

ApacheCon US 2009I will give this report a read, and probably discuss it in my upcoming talk at ApacheCon US 2009. Oh, they just extended the early bird registration deadline… without changing their own website to tell you about it. Register now and experience the mayhem.

March 28, 2009

My First Apache E-mail

Filed under: Apache — Sander @ 6:53 pm

Looks like this was my first message to an Apache mailinglist: a suggestion on how to build a recently enhanced ApacheBench on systems that (unlike Mac OS X) don’t have the Math library linked in together with the C library (or libSystem.dylib, as the case may be).

December 18, 2008

Ctrl-Alt-What?

Filed under: Apache,Tech — Sander @ 3:51 pm

I run a VMWare Server 2.0 installation so I can test Apache and other things on a wide variety of operating systems. Recently, I’ve been fighting to send Ctrl-Alt-Delete to the remote console of a VM from my Ubuntu workstation… some operating systems work better with Ctrl-Alt-Delete, but the moment you press Ctrl-Alt the console releases input focus. On a Windows client, you use Ctrl-Alt-Insert because the local operating system will catch the real thing.

It turns out you are to press the Del key on the numeric keypad, not on your main keyboard, to send the key combo to the console. I’m blogging this so the LazyWeb learns of it, and when next I forget I can Google for my own post.

VMWare Server rocks: the price is more than right, which allows me to do my Open Source work without paying Closed Source prices. And that in turn benefits VMWare because some of their stuff is clearly based on Apache Software Foundation projects.

November 18, 2008

Hardening Apache Presentation Book List

Filed under: ApacheCon,Security — Sander @ 8:04 pm

At the end of my Hardening Enterprise Apache Installations Against Attacks presentation at ApacheCon US 2008 I had a slide of interesting reading material. Here are the books on the list, and links to some of the articles: (more…)

Older Posts »

Powered by WordPress