3.6 Ensure Other Write Access on Apache Directories and Files Is Restricted

Information

The permission on the Apache directories should be 'rwxr-xr-x' (755) and the file permissions should be similar, except not executable unless appropriate. This applies to all the Apache software directories and files installed, with the possible exception in some cases that a group with write access for the Apache web document root ('$APACHE_PREFIX/htdocs') may be needed to allow web content to be updated. In addition, the '/bin' directory and executables should be set to not be readable by other.

Rationale:

None of the Apache files and directories, including the Web document root, should allow other write access. Other write access is likely to be very useful for unauthorized modification of web content, configuration files, and software.

Solution

Perform the following to remove other write access on the '$APACHE_PREFIX' directories:

# chmod -R o-w $APACHE_PREFIX

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv6|14.4, CSCv7|14.6

Plugin: Unix

Control ID: 965457813bc1ba8a6f3d66deb3b033a99cc28c01615680d0dba674ad0bf5a37a