Ubuntu 9.04: Securing Apache Directories

by Mike on April 24, 2009

in Ubuntu Servers

Securing Directories in Ubuntu 9.04 Jaunty Jackalope
This series of articles provides specific ways to make your Ubuntu web server more secure. Apache will provide access to any file when requested unless you make a few security changes. The best way to do this is to deny all access to the entire file system and then allow access only to those directories that contain information you want to provide to the public.

<Directory />
Order Deny,Allow
Deny from all
</Directory>
<Directory /var/www/>
Order Allow,Deny
Allow from all
</Directory>


There is one problem with this setup: it does not control symbolic links that point outside of the directory. That control is handled by the Options directive. Here is a list of the possible Options.

Option                  Description
All                     All options except MultiViews
None                    No option is enabled
ExecCGI                 Allows the execution of CGI scripts
FollowSymLinks          Allows symbolic links to be followed
Includes                Allows server-side includes
IncludesNOEXEC          Allows SSIs but not the exec command
Indexes                 Allows indexes to be generated by the server when the index file is absent
MultiViews              Allows content negotiation
SymLinksIfOwnerMatch    Allows following links if the owner of the link is the same as the owner of the file

Filesystem containers like <Directory> allow you to control which Options are permitted in that specific filesystem location. So you could take the default install and remove FollowSymLinks using this setting:

<Directory /var/www/>
Options -FollowSymLinks
</Directory>

The minus sign gives you a way to remove an Option that you do not want for security reasons. If you feel you need symbolic links, you can increase security by allowing Apache to follow a link only when the owner of the link is the same as the owner of the file it points to.

<Directory /var/www/>
Options -FollowSymLinks +SymLinksIfOwnerMatch
</Directory>

You will probably also want to remove server-side includes and scripts that can be executed anywhere on your web server.

<Directory /var/www/>
Options -Includes -ExecCGI
</Directory>

The safest setting is to turn all of the options off.  This can easily be done with this setting:

<Directory /var/www/>
Options None
</Directory>

Multiple Directories with Different Settings
It is possible to set up multiple directories so that each has different settings. Simply use the Directory directive and indicate the settings and the location in the filesystem. The advantage is that you can minimize risk by allowing certain Options only where they are absolutely essential.

<Directory /var/www>
Options None
</Directory>

<Directory /var/www/mydomain>
Options +Includes
</Directory>
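
To see which Options end up in force for a given path, the following Python sketch (an added example, not part of the original post) applies Apache's merge rule: an Options line whose entries all carry + or - adjusts the inherited set, while an unsigned line replaces it. The helper names are hypothetical; it handles only literal-path <Directory> blocks (no wildcards, no .htaccess, no Includes/IncludesNOEXEC interplay), and `inherited` is whatever you assume is in force before the first block.

```python
import re

# "All" is modelled as the four permissive options from the table above;
# MultiViews is excluded, as the table says.
ALL = {"ExecCGI", "FollowSymLinks", "Includes", "Indexes"}
BLOCK = re.compile(r"<Directory\s+([^>]+?)\s*>(.*?)</Directory>", re.S | re.I)
OPTS = re.compile(r"^\s*Options\s+(.+?)\s*$", re.M | re.I)

# The two blocks from the "Multiple Directories" example above.
PAGE_CONF = """
<Directory /var/www>
Options None
</Directory>
<Directory /var/www/mydomain>
Options +Includes
</Directory>
"""

def expand(name):
    return set(ALL) if name == "All" else set() if name == "None" else {name}

def sections(conf):
    """Yield (directory, option tokens) for each Options line in a plain <Directory> block."""
    for path, body in BLOCK.findall(conf):
        path = path.strip('"').rstrip("/") or "/"
        for line in OPTS.findall(body):
            yield path, line.split()

def effective_options(conf, target, inherited=()):
    """Apply matching sections from the shortest directory path to the longest."""
    target = target.rstrip("/") or "/"
    current = set(inherited)
    for path, tokens in sorted(sections(conf), key=lambda s: len(s[0])):
        if path != "/" and target != path and not target.startswith(path + "/"):
            continue
        if all(t[0] in "+-" for t in tokens):
            # Every token is signed: adjust the options already in force.
            for t in tokens:
                if t[0] == "+":
                    current |= expand(t[1:])
                else:
                    current -= expand(t[1:])
        else:
            # Unsigned list: replaces whatever the parent directories set.
            current = set().union(*(expand(t) for t in tokens))
    return current

if __name__ == "__main__":
    for d in ("/var/www", "/var/www/mydomain"):
        print(d, sorted(effective_options(PAGE_CONF, d)))
```

Run against your own configuration text, any path that still reports FollowSymLinks, ExecCGI, Includes or Indexes is a directory where one of the removals described above has not taken effect.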
