3.11 Ensure Group Write Access for the Apache Directories and Files Is Properly Restricted

Information

Group permissions on Apache directories should generally be 'r-x', and file permissions should be similar, except not executable if executable is not appropriate. This applies to all the Apache software directories and files installed, with the possible exception of the web document root '$DOCROOT' defined by Apache 'DocumentRoot' and defaulting to '$APACHE_PREFIX/htdocs'. The directories and files in the web document root may have a designated web development group with write access to allow web content to be updated.

Rationale:

Restricting write permissions on the Apache files and directories can help mitigate attacks that modify web content to provide unauthorized access or to attack web clients.

Solution

Perform the following to remove group write access on the '$APACHE_PREFIX' directories:

# chmod -R g-w $APACHE_PREFIX

See Also

https://workbench.cisecurity.org/files/2378