Brandon Friedman <[EMAIL PROTECTED]> said:

> 1. SSL - How do you enable SSL on your alias directory

Here is an example of forcing SSL and locking access to the admin:

# Administration: phpmyadmin
Alias /phpmyadmin /opt/administration/phpmyadmin
<Directory /opt/administration/phpmyadmin>
    RequireSSL on
    Options -Indexes
    AllowOverride None
    order deny,allow
    deny from all
    allow from all
    AuthName "phpMyAdmin"
    AuthType Basic
    AuthExternal pwauth
    require user admin
    Satisfy all
    AddType application/x-httpd-php .php .php3
    php_flag  magic_quotes_gpc  on
    php_flag  track_vars        on
</Directory>

Here is an example of forcing SSL and locking access to multiple defined
user/passwords:

<Directory /opt/developers>
    RequireSSL on
    Options -Indexes
    AllowOverride None
    order deny,allow
    deny from all
    allow from all
    AuthName "Restricted Developer Access Only"
    AuthType Basic
    AuthUserFile /etc/httpd/conf/htpasswd.developers
    Require valid-user
    AddType application/x-httpd-php .php .php3
    php_flag  magic_quotes_gpc  on
    php_flag  track_vars        on
</Directory>

It follows this posted HowTo:

http://myezserver.com/downloads/mitel/howto/website-access-security-howto.html

> 2. .htaccess control - Is this required?

No and it offers weak security.  The above is better.

> 3. Directory ownership - Who should be the owner of this directory? www
> or root:shared? Why?

The goal is to be restrictive and only permit access where access is
directly needed.  In this case www:www is not the best choice.  Keep the
majority of your files set root:root and either 640 or 644 which simply adds
global read.  Only files that your app MUST write to should be set www:www
and this is where you need to be careful.

> 4. Access right? - chmod ? 755 should be ok?

7 adds executable and this should be avoided.  It is only necessary for
binary files and scripts.  However, be careful as directories usually require
755 so make sure you do not chmod -R 640 *.  Use the find command to change
only files.

# find . -type f -name "*" -exec chmod 640 {} \;

Regards,

--
Darrell May
DMC Netsourced.com
http://netsourced.com
http://myEZserver.com

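An added example, not part of Darrell's post: a small POSIX shell script that applies the permission policy described above (directories 755, regular files 640, applied with find so a blanket chmod -R never strips the execute bit directories need) and then audits the tree for files that still carry execute or group/world write bits. Ownership (root:root for static content, www:www only for files the app must write) is assumed to be set separately, since chown requires root; the sample tree is constructed inline.

```sh
#!/bin/sh
# Apply the file/directory mode policy from the post and audit the result.
# Assumes a POSIX find with symbolic -perm modes (GNU and BSD both accept it).

lock_tree() {
    dir="$1"
    # Directories need the execute bit to be traversable, so they get 755.
    find "$dir" -type d -exec chmod 755 {} \;
    # Regular files get owner rw, group r, no execute, no world access.
    find "$dir" -type f -exec chmod 640 {} \;
}

# Print every regular file under $1 that is executable by anyone or
# writable by group/other; these are the files the policy forbids.
audit_tree() {
    dir="$1"
    find "$dir" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \
        -o -perm -g+w -o -perm -o+w \) -print
}

# Number of offending files under $1 (0 means the tree is clean).
count_findings() {
    audit_tree "$1" | wc -l | tr -d ' '
}

# Constructed sample tree standing in for something like /opt/developers.
# Returns "<findings before> <findings after>" so the effect is visible.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/htdocs/images"
    printf '<?php echo 1; ?>\n' > "$tmp/htdocs/index.php"
    : > "$tmp/htdocs/images/logo.png"
    chmod 777 "$tmp/htdocs/index.php"       # world-writable and executable
    chmod 755 "$tmp/htdocs/images/logo.png" # execute bit on a data file
    before=$(count_findings "$tmp")
    lock_tree "$tmp"
    after=$(count_findings "$tmp")
    rm -rf "$tmp"
    echo "$before $after"
}
```

Run `demo` to see the audit count drop from 2 to 0; `audit_tree /opt/developers` on its own is a quick check after any deployment.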

--
Please report bugs to [EMAIL PROTECTED]
Please mail [EMAIL PROTECTED] (only) to discuss security issues
Support for registered customers and partners to [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org
