3.12 Ensure Group Write Access for the Document Root Directories and Files Is Properly Restricted

Information

The Apache Document Root directory '$DOCROOT' may need to be writeable by an authorized group such as development, support, or a production content management tool. However, it is important that the Apache group used to run the server does not have write access to any directories or files in the document root.

Rationale:

Preventing Apache from writing to the web document root helps mitigate risk associated with web application vulnerabilities associated with file uploads or command execution. Typically, if an application hosted by Apache needs to write to a directory, it is best practice to have that directory live outside the web root.

Solution

Perform the following to remove group write access on the '$DOCROOT' directories and files for the 'apache' group.

# find -L $DOCROOT -group $GRP -perm /g=w -print | xargs chmod g-w

See Also

https://workbench.cisecurity.org/files/2378