Security Issues

From ActionApps Documentation
Jump to: navigation, search

Server Side Includes

The directories which contain the user pages must be enabled for SSI (server side includes). This is a major security hole if untrusted people can alter pages in these directories. Only enable SSI for directories where it is needed. You can put the statement which enables it into per directory directives in the apache http server configuration file, for example, like this (snipped from /etc/httpd/conf/httpd.conf:

<Directory /home/httpd/html/apc-aa/user-x/>
Options +Includes

This also suggests to put all ActionApps user pages into a common directory structure and not into the normal user's htdocs tree, so control over the pages can easily be separated.

6.2 config.php3 permissions

The http server must be able to access the include/config.php3 file, but this file contains passwords, so it should not be world readable.

Other possible common solution for this is that you create a unix group for your http server and make the config.php3 file belong to that group and be group readable. Before you do this, make sure that it's safe to change the group apache is running under - there may be other programs and setups that rely on this setting !!! The steps to do this would be:

  • Create unix group, for example, www. On RedHat Linux, this can be done like this:
# groupadd -r www
  • Edit /etc/httpd/conf/httpd.conf and alter the line
Group nobody


Group www
  • Change file permissions in config.php3 and restart the server.
# chown root.www /home/httpd/html/apc-aa/include/config.php3
# chmod 640  /home/httpd/html/apc-aa/include/config.php3
# /etc/rc.d/init.d/httpd stop
# /etc/rc.d/init.d/httpd start
That should be all.