1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
EN,APACHE_USER_OWNER_CONF_REP=Apache configuration files must be owned by root
Apache doesn't have to own its configuration files.
<div class="command">chown -R root <i>apache_conf_root</i></div>
ADVICEEND
EN,APACHE_USER_GROUP_CONF_REP=Apache configuration files must be group owned by root
Apache reads its config files when root (before setuid to apache/www-data user)
<div class="command">chgrp -R root <i>apache_conf_root</i></div>
ADVICEEND
EN,APACHE_USER_OTHERS_CONF_REP=Apache configuration files must not have others access
Others don't need to read apache configuration files
<div class="command">chmod -R o-rwx <i>apache_conf_root</i></div>
ADVICEEND
EN,APACHE_USER_BAD_SHELL=apache must not have a shell
Set a non-shell setting to apache user like /bin/false or /bin/nologin
<div class="command">usermod -s /bin/false www-data</div>
ADVICEEND
EN,APACHE_USER_PASSWD_IN_CONF_REP=It's preferred to put htpasswd files in a directory group owned by apache that is not a docroot
Apache reads password files after "setuiding" to apache/www-data
Example:
Put your htpasswd files in /var/www/.htpasswd and docroot in /var/www/servername
ADVICEEND
|
