Apache permissions - Windows Server

[paul.ohm]

I am trying to tighten the security with Apache running on my web server (also called Jailing apache). Going on the recommendations of many, I have created a separate user for the httpd service of Apache. I have prohibited local and network login via group policy for this user (named "apache", a member of the "users" group). Most people say that I should completely deny access to all local drives, and then specifically allow read/execute access to the apache software folder.

 

I have apache, mysql, and php installed in a folder on my E:\ partition. I have my doc root in a folder on my D:\ partition.

 

So far, I have Denied full control (using Properties -> Security -> Advanced and checked Replace permission entries on child objects to my C, D, and E partitions. I then went into my E: drive to the Apache folder and unchecked "Allow inheritable permissions from the parent..." so that I can make specific permissions. I then allow the following permissions under Properties -> Security -> Advanced: (Traverse Folder/Execute file, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions)

The rest is specifically denied. I check "replace permission entries on child objects"

 

I then repeat this process for the "logs" folder except I also allow the writing attributes.

 

However, when I go to start the service, it doesn't let me and tells me to refer to the Event viewer, where there is no entry. I know this is a permissions issue, because if I grant the apache user full control to everything on the drive, it starts fine.

 

I have tried messing with the permissions, but I can't seem to get the service to start while denying the user the ability to see what is on the drive (read and execute). I know it is possible, because it is recommended to do this by so many, but I must be messing up somewhere.

 

Can anyone help me with this?

[corbin]

I would do the following:

 

 

Make a user called Apache in the group ApacheGroup (or what ever you want to call it), then, by default, anything that does not have permissions for "Everyone" will have no access to anything.  Then just grant access where needed.

 

 

Essentially, I would do something like this (in cmd):

 

net user ApacheUser /ADD
net user ApacheUser <somepassword>
net localgroup ApacheGroup /add
net localgroup ApacheUser Users /del
net localgroup ApacheUser ApacheGroup /add

 

Then just give access where needed.  Then again, I'm lazy.

[corbin]

Hrmmm just tested this now out of curiosity, and it seems Windows has made a blunder once again.  New users not in a default group will actually have read access to some stuff x.x.  Might need to mod the authenticated users perms on stuff if you're under Vista and actually go with my suggestion.

[paul.ohm]

This is what I tried:

 

I created user Apache, assigned to group httpd. I removed the "Everyone" from C: and I removed "Authenticated Users" from D: and E:. I then gave access where needed (apache folder). Still, when I go to start the process, it says: "Error 1053: The service did not respond to the start or control request in a timely fashion." Then, just to test, I gave apache user Read and Execute privs for C:, and then run the service and it runs fine.

 

It seems that the service needs something on the C: drive even though Apache is installed on E:.

 

Any reason why this would be?

[corbin]

Hrmmm sounds to me like Apache has to pull Windows DLLs or something to which it doesn't have access.  I'm checking into it right now.

[corbin]

What the hell.... Windows file permissions are so -- can't think of a word for it... bleh!

 

ApacheServer is a member of the group Apache, and that's the only group of which it is a member, but the permissions for Users are still being applied to ApacheServer.  Wtf?  (Maybe it has something with Vista Home Premium, but I can't for the life of me figure out why MS would have made Windows force permissions of another group....)

 

 

Well, out of fear, I'm not going to go messing with the permissions of my Users group, so I can't test this my self.  Try this:

 

-Make sure the user has read access to all Apache related stuff (Apache file/web files), and make sure it has write access to the logs folder.

-Try giving read access to the entire C drive.  If this works, try removing the read access on the entire drive, and try it on just Windows.  I'm hoping it's not some Windows DLL or something in the Windows folder that Apache needs read access to, because it would be gay to have to give access to the sys folder.  lol

 

 

Edit:  Oh, you might also want to try just read access to Windows\System32 since that's where a lot of DLLs reside.

[paul.ohm]

thank you very much for the help so far Corbin, this is where I am at now.

 

After a few hours of narrowing down which files/folders needed read/execute access in order for apache to start, I came up with this.

 

Under the system32 directory:

wshtcpip.dll

wsock32.dll

ws2_32.dll

ws2help.dll

ws03res.dll

mswsock.dll

dnsapi.dll

 

under the \windows\winSxS directory:

comctl32.dll

 

 

Why oh why are these files needed by apache? How am I the only one that has run into this problem? it seems like everyone else doesn't need to give the apache user any access at all to C, but if I do not give access to these specific files, the service will not start. I used the binary of Apache to install it, could that be the problem? does it install files all over the place when you use the binary? This has been such a pain...any help is greatly appreciated.

 

Also, here are the modules that I currently have enabled. We are running MySQL/PHP also if that makes any different, but if you notice some modules that you don't think we will need, let me know please.

 

LoadModule alias_module modules/mod_alias.so

LoadModule auth_basic_module modules/mod_auth_basic.so

LoadModule authn_default_module modules/mod_authn_default.so

LoadModule authn_file_module modules/mod_authn_file.so

LoadModule authz_default_module modules/mod_authz_default.so

LoadModule authz_groupfile_module modules/mod_authz_groupfile.so

LoadModule authz_host_module modules/mod_authz_host.so

LoadModule authz_user_module modules/mod_authz_user.so

LoadModule dir_module modules/mod_dir.so

LoadModule headers_module modules/mod_headers.so

LoadModule isapi_module modules/mod_isapi.so

LoadModule log_config_module modules/mod_log_config.so

LoadModule mime_module modules/mod_mime.so

LoadModule negotiation_module modules/mod_negotiation.so

LoadModule rewrite_module modules/mod_rewrite.so

#LoadModule setenvif_module modules/mod_setenvif.so

LoadModule ssl_module modules/mod_ssl.so

LoadModule unique_id_module modules/mod_unique_id.so

 

 

Thanks

Paul

[corbin]

"Why oh why are these files needed by apache?"

 

 

DLL -- dynamic link library.  The basic concept of a DLL is to hold code for a main program.  That didn't make much sense.  It needs an example ;p.  Let's say I have an application, creatively named App1, and I have a DLL called App1DLL....

 

 

App1 could load functions from App1DLL and call them.  Almost all of those DLLs listed seem to be networking stuff (WinSock).  Basically Apache uses Windows' socket classes.

 

 

 

One solution would be to put the DLLs in the Apache bin folder, so hopefully the executable would find them in there first (or you could add the Apache bin folder to your PATH variable if that doesn't work).  Another solution could be to modify the Apache code to compile static libraries into its self, but I doubt you want to do that.

 

 

 

 

None of your modules look out of place for a typical Apache instance....

[paul.ohm]

alright, thanks corbin...I mean obviously Apache needs the files, but I just don't understand why in my particular situation, those files are in the system32 dir as I've heard of so many people completely denying access to the whole C: drive and not having any problems. Anyway, I will try moving the DLL's and see how that goes, but I doubt that Apache will just find the files on its own. Another thing, couldn't these DLL's be used by other programs as well? If so, moving them could cause problems with those other applications I would imagine. I have made some serious mistakes on this server that have caused me to restore month-old backups a few times, and i'd hate to do something like that again...

[paul.ohm]

Well, I tried moving one of the dlls (wshtcpip.dll) to the Apache bin, but it only would copy the file, and I could not delete the original. Then, if I removed access to the copy in system32, apache would fail to start. Next I tried adding my apache bin directory to the Path variable, but that didn't seem to work either as apache wouldn't start when I would rename the original to try to force it to use the one in the Apache bin dir.

 

I'm running out of options here. I am wondering if I should just reinstall Apache, perhaps that would make a difference, I just dont understand why my installation is seemingly different from anyone else's on Windows. How much of a security threat would it be to give the apache user access to read/execute only those DLL's, but not access to the whole directory? That seems to be my only option at this point...

[corbin]

I meant copy not move.

 

 

 

 

Anyway, it wouldn't be dangerous at all as long as it's read/exec perms only.  I don't know why it doesn't find the DLLs in the same folder....

 

 

I don't know if you could find a version of Apache with networking support compiled in or not.  Your best chance is probably just allowing access to those few DLLs.

[paul.ohm]

OK, well like I have said, I have PHP and MySQL running also on this server. The more I test the actual site (when the apache service does start) the more it seems like I have to grant the Apache user Read/Execute permissions to more directories/file such as the PHP5 dir, and such. I can't seem to see any way around giving access to these directories because apache just can't run anything having to do with PHP without access to the directory as long as the Apache service is running as "apache" user. Is this common to have to grant access to these directories as well as the Apache directory?

 

Also, there are a couple directories (such as the Apache logs dir, and PHP session_data folder under the PHP install dir) that require some write permissions. However, if the "apache" user is given permission to write to such a folder, and also permission to read/execute the same directory, doesn't that give a potential attacker the ability to write just about anything, such as a harmful script to that directory and then execute it? How can I get around this?

 

Thanks,

Paul

[corbin]

Files can't generally be written through Apache.  Scripts on the server side (such as PHP for example) handle file uploads, so it's usually the script's responsibility to make sure the user isn't writing anywhere he shouldn't be.  I usually see it as the permissions on the server's job to keep users from being able to mess with each other.  So in this case, it could just be seen as extra protection against a badly written script or something.

 

 

And yes, Apache will need read access to anything it needs to read ;p.  For example, it can't run PHP without being able to read the PHP binary ;p.

 

[paul.ohm]

Alright then, I'll have to put some heat on our PHP guy to take care of his business. I have tried to give read access to as few files as possible, while just making sure that the apache user doesn't have explicit permissions to read any other dirs. Does it make a difference whether you explicitly deny the apache user permission to read a directory, or if you just leave him out of the permissions altogether, while removing the "everyone" and "authenticated users" user accounts?

 

 

Thank you very much Corbin, you've been very helpful.

[corbin]

The way it should work:

-If a user has permissions specified for his name/group (or any group to which his group belongs) apply those permissions

-Else deny all access

 

The way it seems to work for me:

-Every user is included in the Users group even if removed from said group.

 

 

 

So yes theoretically it should be fine to remove all references to the user/Everyone/Authenticated Users.  Gotta <3 Windows though.