3.6 Ensure Other Write Access on Apache Directories and Files Is Restricted

Information

Permissions on Apache directories should generally be rwxr-xr-x (755) and file permissions should be similar except not executable unless appropriate. This applies to all of the Apache software directories and files installed with the possible exception of the web document root $APACHE_PREFIX/htdocs. The directories and files in the web document root may have a designated group with write access to allow web content to be updated. In summary, the minimum recommendation is to not allow write access by other.

Rationale:

None of the Apache files and directories, including the Web document root must allow other write access. Other write access is likely to be very useful for unauthorized modification of web content, configuration files or software for malicious attacks.

Solution

Perform the following to remove other write access on the $APACHE_PREFIX directories.

# chmod -R o-w $APACHE_PREFIX

See Also

https://workbench.cisecurity.org/files/3021