3.8 Ensure the Lock File Is Secured - permissions

Information

The Mutex directive sets the locking mechanism used to serialize access to resources. It may be used to specify that a lock file is to be used as a mutex mechanism and may provide the path to the lock file to be used with the fcntl(2) or flock(2) system calls. Most Linux systems will default to using semaphores instead, so the directive may not apply. However, in the event a lock file is used, it is important for the lock file to be in a local directory that is not writable by other users.

Rationale:

If the lock file to be used as a mutex is placed in a writable directory, other accounts could create a denial of service attack and prevent the server from starting by creating a lock file with the same name.

Solution

Find the directory path in which the lock file would be created. The default value is the ServerRoot/logs directory.

Modify the directory if the path is a directory within the Apache DocumentRoot

Change the ownership and group to be root:root, if not already.

Change the permissions so that the directory is only writable by root, or the user under which Apache initially starts up (default is root),

Check that the lock file directory is on a locally mounted hard drive rather than an NFS mounted file system.

Default Value:

The default mechanism for the Mutex directive is platform specific and may be determined by running httpd -V. The default path is the ServerRoot/logs directory.

See Also

https://workbench.cisecurity.org/files/4548