If you do not need a Web server on a machine, deactivate Apache in the runlevel editor, uninstall it, or refrain from installing it in the first place. To minimize the risk, deactivate all unneeded servers. This especially applies to hosts used as firewalls. If possible, do not run any servers on these hosts.
By default, the DocumentRoot directory (/srv/www/htdocs) and the CGI directory belong to the user root. You should not change this setting. If the directories were writable for all, any user could place files into them. These files might then be executed by Apache with the permissions of user wwwrun. Also, Apache should not have any write permissions for the data and scripts it delivers. Therefore, these should not belong to the user wwwrun, but to another user, such as root.
To enable users to place files in the document directory of Apache, do not make it writable for all. Instead, create a subdirectory that is writable for all, such as /srv/www/htdocs/miscellaneous.
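The two rules above (nothing under the document root should be writable for all, and nothing there should be owned by the user Apache runs as, apart from the one subdirectory set aside for uploads) are easy to check with find. The following script is an added example, not part of the SUSE manual; it assumes the paths and the user name wwwrun used in this section, and the allowed subdirectory is passed in as an argument so the check can be run on any tree:

```sh
#!/bin/sh
# Added example (not from the SUSE manual): audit an Apache document tree
# for files that violate the ownership and permission rules described above.
#
# audit_docroot DIR [SERVICE_USER] [ALLOWED_WRITABLE_SUBDIR]
#   Prints every entry below DIR that is world-writable or (if SERVICE_USER is
#   given) owned by SERVICE_USER. The optional ALLOWED_WRITABLE_SUBDIR (e.g.
#   /srv/www/htdocs/miscellaneous) is skipped entirely, since it is meant to
#   be writable for all.
audit_docroot() {
    dir=$1
    svc=${2:-}
    allow=${3:-}
    # Build the find expression: world-writable entries (-perm -002), or,
    # when a service user is given, entries owned by that user.
    if [ -n "$svc" ]; then
        set -- \( -perm -002 -o -user "$svc" \)
    else
        set -- -perm -002
    fi
    if [ -n "$allow" ]; then
        # -prune stops find from descending into the allowed subdirectory,
        # and the directory itself is not printed either.
        find "$dir" -path "$allow" -prune -o \( "$@" \) -print
    else
        find "$dir" \( "$@" \) -print
    fi
}

# audit_docroot_count: same arguments, prints only the number of findings.
audit_docroot_count() {
    audit_docroot "$@" | wc -l | tr -d ' '
}

# When run directly with arguments, audit the given tree and exit non-zero
# if anything was found, so the check can be used from cron or a pipeline.
if [ $# -gt 0 ]; then
    n=$(audit_docroot_count "$@")
    audit_docroot "$@"
    echo "findings: $n"
    [ "$n" -eq 0 ]
fi
```

A typical invocation on a SUSE system is audit_docroot /srv/www/htdocs wwwrun /srv/www/htdocs/miscellaneous; any path it prints is either writable by every local user or owned by the Apache user, and so could be modified by (or by code running as) a user other than root.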
If users should be allowed to publish files, it is possible to declare a subdirectory of their home directory as suitable for Web publishing. This subdirectory is traditionally named ~/public_html. This is activated by default in SUSE LINUX. See Section 30.6.2.16, “UserDir” for details.
These Web pages can be accessed by specifying the user in the URL. The URL contains the element ~username as a shortcut to the respective directory in the home directory of the user. For example, enter http://localhost/~tux in a browser to list the files in the directory public_html in the home directory of the user tux.
If you operate a Web server, and especially if this Web server is publicly accessible, stay informed about bugs and potentially vulnerable spots. Sources for exploits and fixes are listed in Section 30.12.3, “Security”.