<HTML>

<HEAD>

<TITLE>Special Edition Using Linux, Fourth Edition:Managing an Internet Web Server</TITLE>

<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<SCRIPT>
<!--
function displayWindow(url, width, height) {
        var Win = window.open(url,"displayWindow",'width=' + width +
',height=' + height + ',resizable=1,scrollbars=yes');
}
//-->
</SCRIPT>
</HEAD>





<!--ISBN=0789717468//-->

<!--TITLE=Special Edition Using Linux, Fourth Edition//-->

<!--AUTHOR=Jack Tackett//-->

<!--AUTHOR=Jr.//-->

<!--AUTHOR=Steve Burnett//-->

<!--PUBLISHER=Macmillan Computer Publishing//-->

<!--IMPRINT=Que//-->

<!--CHAPTER=37//-->

<!--PAGES=716-718//-->

<!--UNASSIGNED1//-->

<!--UNASSIGNED2//-->



<CENTER>

<TABLE BORDER>

<TR>

<TD><A HREF="714-716.html">Previous</A></TD>

<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>

<TD><A HREF="../ewtoc.html">Next</A></TD>

</TR>

</TABLE>

</CENTER>

<P><BR></P>

<H4 ALIGN="LEFT"><A NAME="Heading13"></A><FONT COLOR="#000077">Publicly Writable Spaces</FONT></H4>

<P>The last security threat that&rsquo;s specific to Web servers is allowing publicly writable spaces to be served via HTTP. For example, many sites allow their FTP &ldquo;incoming&rdquo; directory to be accessed directly via the Web. This is a security hole if someone places a malicious CGI script there, or a server-side include file that calls <TT>#exec</TT> to do some damage. If you decide you need to take the risk of providing publicly writable spaces, you can do some things to protect yourself:</P>

<DL>

<DD><B>&bull;</B>&nbsp;&nbsp;The most conservative setting you should use for the <TT>Options</TT> directive is this:

<!-- CODE SNIP //-->

<PRE>

Options Indexes

</PRE>

<!-- END CODE SNIP //-->

<BR>You could use <TT>None</TT>, but <TT>Indexes</TT> really doesn&rsquo;t introduce any additional security problems, as long as you&rsquo;re comfortable with others being able to download anything that has been submitted. In the light of recent legislation by the U.S. government regarding &ldquo;indecent&rdquo; materials, you may not want to take this risk either.

<DD><B>&bull;</B>&nbsp;&nbsp;Make sure that you set <TT>AllowOverride None</TT> so that people can&rsquo;t upload an .htaccess file into your directory and modify all your settings and security policies.

<DD><B>&bull;</B>&nbsp;&nbsp;Make sure that the FTP daemon you&rsquo;re using doesn&rsquo;t allow the execute bit to be set. By preventing the execute bit from being set, you prevent the execution of uploaded CGI scripts. If you&rsquo;re using <TT>XBitHack</TT> to activate your server-side includes, you can prevent those includes from being run as well. This is mainly a backup for setting the <TT>Options</TT> as in Listing 37.1, which should protect you against these threats anyway.

</DL>
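<P>The three precautions above can also be checked after the fact. The following Python sketch is an added example, not code from the book: it walks an upload directory and reports uploaded <TT>.htaccess</TT> files, files with an execute bit set, and files that contain server-side include directives. The function names, the 1 MiB scan cap and the sample files are constructed for illustration.</P>

```python
import os
import re
import stat
import tempfile

SSI_OPEN = re.compile(rb"<!--#(\w+)")   # start of a directive such as <!--#exec ... -->
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
MAX_SCAN_BYTES = 1 << 20                # assumed cap: scan the first 1 MiB of each file

def audit_upload_dir(root):
    """Return sorted (relative_path, finding) pairs for regular files under root."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                # skip symlinks, FIFOs and devices
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name == ".htaccess":
                findings.add((rel, "htaccess-upload"))
            if st.st_mode & ANY_EXEC:   # CGI could run; XBitHack would parse includes
                findings.add((rel, "execute-bit-set"))
            with open(full, "rb") as fh:
                data = fh.read(MAX_SCAN_BYTES)
            for match in SSI_OPEN.finditer(data):
                findings.add((rel, "ssi-directive:" + match.group(1).decode("ascii").lower()))
    return sorted(findings)

def build_sample_dir(root):
    """Write constructed sample uploads (name -> content, mode) into root."""
    samples = {
        "notes.txt": (b"plain upload\n", 0o644),
        ".htaccess": (b"# constructed sample\n", 0o644),
        "run.cgi": (b"#!/bin/sh\n", 0o755),
        "page.html": (b'<P>hi</P><!--#exec cmd="date" -->\n', 0o644),
    }
    for name, (data, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_dir(tmp)
        for rel, finding in audit_upload_dir(tmp):
            print(rel, finding)
```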

<P>These same rules apply if you have CGI scripts that generate their own uniquely addressable HTML or CGI files. For example, if the guestbook.cgi program constantly appends the submitted personal information to a guestbook.html file, all the same rules apply; the contents of that HTML file must be considered unsafe. This possible security breach can be plugged if the CGI script double-checks what&rsquo;s getting written and removes &ldquo;dangerous&rdquo; code, such as server-side includes.

</P>
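<P>One way for a guestbook-style CGI program to make submissions inert before writing them, shown as an added example that is not from the book: rather than trying to remove dangerous constructs, it HTML-escapes each field, so a server-side include directive ends up as visible text. The function names, the field limit and the entry layout are assumptions made for illustration.</P>

```python
import html
import os
import re

MAX_FIELD_LEN = 500                                      # assumed limit per field
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")  # keeps tab and newline

def clean_field(value, limit=MAX_FIELD_LEN):
    """Turn one submitted field into inert text for an HTML file."""
    value = CONTROL_CHARS.sub("", value)[:limit]         # truncate before escaping
    # Escaping <, >, & and quotes leaves no literal "<!--#" for the server's
    # include parser and no tags for a browser to interpret.
    return html.escape(value, quote=True)

def render_entry(name, message):
    """Build the HTML fragment for one guestbook entry."""
    body = clean_field(message).replace("\n", "<BR>\n")
    return "<P><B>{}</B> wrote:<BR>\n{}</P>\n".format(clean_field(name), body)

def append_entry(path, name, message):
    """Append one entry; the file is created without execute bits."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o644)
    with os.fdopen(fd, "a", encoding="utf-8") as fh:
        fh.write(render_entry(name, message))

if __name__ == "__main__":
    # Constructed submission containing a server-side include directive.
    print(render_entry("visitor", 'hello <!--#exec cmd="date" --> world'))
```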

<H3><A NAME="Heading14"></A><FONT COLOR="#000077">Other Tuning Issues</FONT></H3>

<P>The Apache Web server is optimized for accuracy more than for speed; as one rule of thumb for gunfighting goes, &ldquo;You can&rsquo;t miss faster than the other person can hit.&rdquo; Also, performance is rarely an issue, because any half-decent Web server can saturate a T1 line without trying very hard.

</P>

<P>For those interested in getting every last bit of performance from a server, whether you&rsquo;re running CNN&rsquo;s Web site or simply trying to run Apache on hardware that can&rsquo;t possibly fill the available bandwidth (such as trying to run an intranet Web server with 10Mbps Ethernet on the spare 386DX40 you found in the office closet), you can make certain tweaks that will improve responsiveness. For cheap improvements, the most important issue for any Web server is RAM. A Web server takes such a performance hit when it has to swap memory out to disk that swapping should be avoided at all costs. One way to avoid swapping is to limit the <TT>MaxClients</TT> setting to stay within the available RAM. The best source of performance tuning information is located on the Web at <A HREF="http://www.apache.org/docs/misc/perf-tuning.html"><B>http://www.apache.org/docs/misc/perf-tuning.html</B></A>.</P>

<H3><A NAME="Heading15"></A><FONT COLOR="#000077">From Here&hellip;</FONT></H3>

<P>You can learn more details about setting up, configuring, and running the Apache Web server in Chapter 35, &ldquo;Getting Started with Apache.&rdquo; That chapter provides a detailed introduction to the Apache Web server.

</P><P><BR></P>






</td>
</tr>
</table>

<!-- begin footer information -->





</body></html>
