If you do not need a Web server on a machine, deactivate Apache in the runlevel editor, uninstall it, or refrain from installing it in the first place. To minimize the risk, deactivate all unneeded servers. This especially applies to hosts used as firewalls. If possible, do not run any servers on these hosts.
By default, the
/srv/www/htdocs) and the CGI directory belong to the
root. You should not change
this setting. If the directories were writable for all, any user could
place files into them. These files might then be executed by
Apache with the permissions of user
Apache should not have any write permissions
for the data and scripts it delivers. Therefore, these should not belong
to the user
wwwrun, but to
another user, such as
To enable users to place files in the document directory of
do not make it writable for all. Instead, create a subdirectory
that is writable for all, such as
If users should be allowed to publish files, it is possible to
declare a subdirectory of their home directory as suitable for Web
publishing. This subdirectory is traditionally named
~/public_html. This is activated by default
in SUSE LINUX. See Section 220.127.116.11, “UserDir” for details.
These Web pages can be accessed by specifying the user in the URL.
The URL contains the element
username as a
shortcut to the respective directory in the home directory of the user. For
example, enter http://localhost/~tux in a browser to list
the files in the directory
public_html in the home
directory of the user tux.
If you operate a Web server and especially if this Web server is publicly accessible, stay informed about bugs and potential vulnerable spots. Sources for exploits and fixes are listed in Section 30.12.3, “Security”.