Security Issues
6.1 Server Side Includes
The directories which contain the user pages must be enabled for SSI (server side includes). This is a major security hole if untrusted people can alter pages in these directories: with Includes enabled, anyone who can write a page there can also run arbitrary commands on the server as the http server user through an #exec directive in that page. Only enable SSI for directories where it is needed. You can put the statement which enables it into a per-directory directive in the Apache httpd configuration file, for example like this (snipped from /etc/httpd/conf/httpd.conf):

    <Directory /home/httpd/html/apc-aa/user-x/>
        Options +Includes
    </Directory>

If the pages in such a directory only need #include and never #exec, use Options +IncludesNOEXEC instead of Options +Includes: the include directives keep working, but #exec cmd and #exec cgi are disabled, which closes the command-execution hole even if a page is tampered with.
This also suggests putting all ActionApps user pages into a common directory structure, not into the normal users' htdocs trees, so that control over the pages (and over which directories have SSI enabled) can easily be kept separate.
6.2 config.php3 permissions
The http server must be able to read the include/config.php3 file, but this file contains passwords, so it should not be world readable.

A common solution is to create a unix group for your http server, make config.php3 belong to that group and make it group readable. This works when PHP runs inside the http server (as an Apache module); if PHP runs as a CGI under a different user, that user has to be a member of the group instead. Before you do this, make sure that it is safe to change the group Apache is running under: there may be other programs and setups that rely on this setting! The steps to do this are:
- Create a unix group, for example www. On RedHat Linux this can be done like this:

    # groupadd -r www

- Edit /etc/httpd/conf/httpd.conf and alter the line

    Group nobody

  to

    Group www

- Change the owner, group and permissions of config.php3 so that only root can write it and only the www group can read it, then restart the server:

    # chown root.www /home/httpd/html/apc-aa/include/config.php3
    # chmod 640 /home/httpd/html/apc-aa/include/config.php3
    # /etc/rc.d/init.d/httpd stop
    # /etc/rc.d/init.d/httpd start

That should be all. Afterwards, ls -l on the file should show -rw-r----- with owner root and group www, and the Group line in httpd.conf must name that same group, otherwise the server will not be able to read its configuration and every page will fail.
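The following audit script is an added example and not part of the ActionApps distribution; it checks the outcome of the steps above without needing root. The function name check_config_perms and the two paths passed to it are assumptions made for this example. It reads the Group directive from the given httpd.conf, then verifies that the given config.php3 is not accessible by "others" at all and belongs to exactly that group, reporting each problem it finds.

```shell
#!/bin/sh
# Added example (not ActionApps code): verify that config.php3 is readable
# only by the group the http server runs as.
# Assumed names: httpd_group, check_config_perms; paths come from the caller.

# Print the group named by the last "Group" directive in an httpd.conf.
# Commented-out lines ("#Group ...") do not match because $1 is "#Group".
httpd_group() {
    awk 'tolower($1) == "group" { g = $2 } END { print g }' "$1"
}

# check_config_perms FILE HTTPD_CONF
# Returns 0 when FILE is not world-accessible and its group is the one
# httpd.conf runs under; otherwise prints each problem and returns 1.
check_config_perms() {
    file=$1
    conf=$2
    rc=0

    [ -f "$file" ] || { echo "FAIL: $file does not exist"; return 1; }
    [ -f "$conf" ] || { echo "FAIL: $conf does not exist"; return 1; }

    want=$(httpd_group "$conf")
    [ -n "$want" ] || { echo "FAIL: no Group directive found in $conf"; return 1; }

    # Parse "ls -ld" output: field 1 is the mode string, field 4 the group.
    # The "others" permissions are characters 8-10 of the mode string, which
    # also skips a trailing "+" or "." that ACLs or SELinux may append.
    set -- $(ls -ld "$file")
    mode=$1
    group=$4
    others=$(printf '%s\n' "$mode" | cut -c8-10)

    if [ "$others" != "---" ]; then
        echo "FAIL: $file is accessible by others (mode $mode); expected 640"
        rc=1
    fi
    if [ "$group" != "$want" ]; then
        echo "FAIL: $file belongs to group '$group' but httpd runs as group '$want'"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $file is $mode, group $group, matching $conf"
    fi
    return "$rc"
}

# Usage: check_config_perms /home/httpd/html/apc-aa/include/config.php3 \
#                           /etc/httpd/conf/httpd.conf
```

Run it once right after the chown/chmod step and again after any package upgrade or restore from backup, since both routinely reset file ownership; a config.php3 that silently became 644 again is exactly the kind of regression this page warns about.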