Change some important permissions on files and directories for your Web Server. When you install Apache on your server, some files and directories are given more permissions than they need by default. The binary program httpd can be set to be read-only by the super-user root, and executable by the owner, group, and others for better security. The /etc/httpd/conf and /var/log/httpd directories don't need to be readable, writable or executable by other people.
[root@deep ]/# chmod 511 /usr/sbin/httpd
[root@deep ]/# chmod 750 /etc/httpd/conf/
[root@deep ]/# chmod 750 /var/log/httpd/
If you have enabled the automatic indexing of directories in your Apache configuration file (IndexOptions in httpd.conf), then you'll have a security issue, since any request for a directory that doesn't find an index file will build an index of what is in the directory. In many cases, you may only want people to see files that you specifically link to. To turn this off, you need to remove read permissions from the DocumentRoot directory but not the files inside it.
[root@deep ]/# cd /home/httpd/
[root@deep ]/httpd# chmod 311 ona
[root@deep ]/httpd# ls -la
d-wx--x--x 13 webadmin webadmin 1024 Jul 28 08:12 ona
Now, with this modification, any requests for this protected directory should return an error message like:
Forbidden
You don't have permission to access /ona/ on this server.
ona is the DocumentRoot, the directory out of which you will serve your documents, in our example.
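To verify both sets of chmod commands above, the following added example (not part of the original text) reports which permission bits on each of the four paths exceed the recommended mode. It assumes GNU coreutils `stat -c`; the function names and the scratch tree it builds under `mktemp -d` are constructed for illustration, so nothing on the real system is touched.

```shell
#!/bin/sh
# Added example: audit the modes recommended in the text (GNU stat assumed).

# excess_bits PATH MAX_MODE: print, in octal, the permission bits set on PATH
# that MAX_MODE does not allow ("0" means PATH is no more open than MAX_MODE).
excess_bits() {
    actual=$(stat -c '%a' "$1") || return 2
    printf '%o\n' $(( 0$actual & ~0$2 & 07777 ))
}

# audit_apache PREFIX: check the four paths from the text under PREFIX.
# Prints one line per path; returns 0 only if none is too permissive.
audit_apache() {
    rc=0
    while read -r p max; do
        extra=$(excess_bits "$1$p" "$max") || { echo "MISSING  $p"; rc=1; continue; }
        if [ "$extra" = 0 ]; then
            echo "OK       $p (within $max)"
        else
            echo "TOO OPEN $p (extra bits $extra, want $max)"; rc=1
        fi
    done <<EOF
/usr/sbin/httpd 511
/etc/httpd/conf 750
/var/log/httpd 750
/home/httpd/ona 311
EOF
    return $rc
}

# make_demo_tree: build a constructed scratch tree with loose 755 modes
# and print its location.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/usr/sbin" "$t/etc/httpd/conf" "$t/var/log/httpd" "$t/home/httpd/ona"
    : > "$t/usr/sbin/httpd"
    chmod 755 "$t/usr/sbin/httpd" "$t/etc/httpd/conf" "$t/var/log/httpd" "$t/home/httpd/ona"
    echo "$t"
}

# harden_tree PREFIX: apply the chmod commands from the text under PREFIX.
harden_tree() {
    chmod 511 "$1/usr/sbin/httpd"
    chmod 750 "$1/etc/httpd/conf" "$1/var/log/httpd"
    chmod 311 "$1/home/httpd/ona"
}

demo=$(make_demo_tree)
echo "before:"; audit_apache "$demo" || echo "-> needs hardening"
harden_tree "$demo"; echo "after:"; audit_apache "$demo"
chmod -R u+rwx "$demo" && rm -rf "$demo"
```

On the loose tree the DocumentRoot line reports extra bits 444, which are exactly the read bits that `chmod 311` removes to stop directory listings. To audit a live server, call `audit_apache ""` so the paths resolve from `/`.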