Run Apache with least privilege user
Revision as of 18:18, 5 October 2015
(2 intermediate revisions by the same user not shown)
Line 29:
Line 29:
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre>
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre>
FreeBSD<pre>/var/log/httpd-error.log</pre>
FreeBSD<pre>/var/log/httpd-error.log</pre>
−
=== Apache Error Files - Windows===
== Apache Server Information Leakage ==
== Apache Server Information Leakage ==
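Review bot: the RHEL / CentOS / Fedora error-log path in the unchanged context lines of this hunk is missing its leading slash (`<pre>var/log/httpd/error_log</pre>`); it should be the absolute path `/var/log/httpd/error_log`, consistent with the FreeBSD entry `/var/log/httpd-error.log` directly below it. The removed `=== Apache Error Files - Windows===` heading has no content beneath it in this hunk, so dropping the empty heading is fine, but the Windows error-log location is then undocumented on the page unless it was moved elsewhere.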
Line 82:
Line 81:
<pre> ServerSignature On</pre>
<pre> ServerSignature On</pre>
−
−
=== Info Leakage via default Apache configuration ===
−
==== Description ====
−
==== How to test ====
−
==== Misconfiguration ====
−
==== Remediation ====
== Operating System Privileges for Apache ==
== Operating System Privileges for Apache ==
=== Run Apache with least privilege user ===
=== Run Apache with least privilege user ===
+
==== Description ====
==== Description ====
+
+
Apache typically is started with root privileges in order to listen on port 80 and 443.
+
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.
+
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services.
+
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.
+
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.
+
A more secure alternative is to bind Apache web service to an unprivileged port so it is not
+
necessary to start Apache as root.
+
==== How to test ====
==== How to test ====
+
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.
+
==== Misconfiguration ====
==== Misconfiguration ====
+
==== Remediation ====
==== Remediation ====
+
If the Apache user and group does exist, create the account and group as a unique system account.
+
+
Example:
+
<pre>
+
# groupadd –r apache
+
# useradd apache -r -g apache -d /var/www -s /sbin/nologin
+
</pre>
+
+
2. Configure the Apache user and group in the Apache configuration file.
+
<pre>
+
User apache
+
Group apache
+
</pre>
=== Restrict Shell Access for Apache User===
=== Restrict Shell Access for Apache User===
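Review bot: the added Remediation example `# groupadd –r apache` uses a Unicode en-dash before the `r` instead of an ASCII hyphen, so copying it into a shell fails with an invalid option; it should read `groupadd -r apache` (the `useradd` line below it is correct). The sentence introducing it also inverts its condition: "If the Apache user and group does exist, create the account" should be "If the Apache user and group do not exist, create them as a unique system account". Smaller points in the same hunk: "between1-499" needs a space; the configuration step is numbered "2." with no step 1 (the account-creation example above it should be "1."); the "Misconfiguration" subsection is added empty; and the fixed UID range 1-499 is distribution-specific (system account ranges come from SYS_UID_MIN/SYS_UID_MAX in /etc/login.defs and extend to 999 on current distributions), so the text should say "a system UID as assigned by `useradd -r`" rather than a hard-coded range. It is also worth stating in the Description that, even when started as root to bind ports 80/443, Apache drops privileges to the configured `User`/`Group` for its worker processes, which is why the `User apache` / `Group apache` directives are the control being tested here.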