Securing Directories in Ubuntu 9.04 Jaunty Jackalope
This series of articles will provide specific ways to make your Ubuntu web server more secure. Apache will provide access to any file when requested unless you make a few security changes. The best way to do this is to deny all access to the entire file system and then only allow access to those directories which contain information you want to provide to the public.
<Directory />
Order Deny,Allow
Deny from all
</Directory>
<Directory /var/www/>
Order Allow, Deny
Allow from all
</Directory>
There is one problem with this setup, it does not control symbolic links which link outside of the directory. That control is maintained by The Options directive. Here is a list of Options that are possible.
Option Description
All All options except MultiViews
None No option is enabled
ExecCGI Allows the execution of CGI scripts
FollowSymLinks Allows symbolic links to be followed
Includes Allows server-side includes
IncludesNOEXEC Allows SSIs but not he exec command
Indexes Allows indexes to be generated by the server when index file is absent
MultiViews Allows content negotiation
SymLinksIfOwnerMatch Allows following links if owner of link is the same as the owner of the file
Filesystem containers like <Directory> allows you to control in that specific filesystem location the Options that you allow. So you could take the default install and remove FollowSymLinks using this option:
<Directory /var/www/>
Options -FollowSymLinks
</Directory>
The minus sign provides you a way to remove an Option that you may not want based on security issues. If you felt you needed to use FollowSymLinks you can increase the security by allowing apache to follow only when the owner of the link is the same as the user.
<Directory /var/www/>
Options -FollowSymLinks +SymLinksIfOwnerMatch
</Directory>
You will probably also want to remove server-side includes and scripts that can be executed anywhere on your web server.
<Directory /var/www/>
Options -Includes -ExecCGI
</Directory>
The safest setting is to turn all of the options off. This can easily be done with this setting:
<Directory /var/www/>
Options None
</Directory>
Multiple Directories with Different Settings
It is possible to set up multiple directories so that you can have different settings. Simply use the Directory directive and indicate the settings and the location in the filesystem. The advantage is that you can minimize the risk by only allow certain Options when absolutely essential.
<Directory /var/www>
Options None
</Directory>
<Directory /var/www/mydomain>
Options +Includes
</Directory>