20.7.3 File System Access
By default, access to the whole le system is denied in /etc/apache2/httpd
.conf. You should never overwrite these directives, but specically enable access to
all directories Apache should be able to read. For details, see Section “Basic Virtual
Host Conguration” (page 368). In doing so, ensure that no critical les, such as password
or system conguration les, can be read from the outside.
20.7.4 CGI Scripts
Interactive scripts in Perl, PHP, SSI, or any other programming language can essentially
run arbitrary commands and therefore present a general security issue. Scripts that will
be executed from the server should only be installed from sources the server adminis-
trator trusts—allowing users to run their own scripts is generally not a good idea. It is
also recommended to do security audits for all scripts.
To make the administration of scripts as easy as possible, it is common practice to
limit the execution of CGI scripts to specic directories instead of globally allowing
them. The directives ScriptAlias and Option ExecCGI are used for congura-
tion. The openSUSE default conguration does not allow execution of CGI scripts from
everywhere.
All CGI scripts run as the same user, so different scripts can potentially conict with
each other. The module suEXEC lets you run CGI scripts under a different user and
group.
20.7.5 User Directories
When enabling user directories (with mod_userdir or mod_rewrite) you should
strongly consider not allowing .htaccess les, which would allow users to overwrite
security settings. At least you should limit the user's engagement by using the directive
AllowOverRide. In openSUSE, .htaccess les are enabled by default, but the
user is not allowed to overwrite any Option directives when using mod_userdir
(see the /etc/apache2/mod_userdir.conf conguration le).
398 Reference