6

I have a general question about the security of Apache's DocumentRoot, which comes from a statement I read when installing Galaxy, a bioinformatics web service and infrastructure. The statement says

"Please note that Galaxy should never be located on disk inside Apache's DocumentRoot.
By default, this would expose all of Galaxy (including datasets) to anyone on the web."

This paragraph is copied from https://wiki.galaxyproject.org/Admin/Config/ApacheProxy

So the question is what's the difference between putting some contents in DocumentRoot vs putting in a sub-directory of DocumentRoot? Even if the contents are put in a sub-directory, by default, would it also be true that all the contents will be exposed to anyone on the web?

If I put the contents in DocumentRoot of an SSL server, and only allow authenticated and authorized users to access, would this resolve the world-wide access issue?

Update: Thank you all for your thoughtful answers. I think I had all my questions answered. To summarize:

  1. A sub-directory in DocumentRoot will be accessible to everyone unless it has different permissions set.

  2. SSL only protects the packets transferred over the network, not the permissions of the files.

  3. Authentication/authorization will limit who can access DocumentRoot.

  4. Unix/Linux file permissions won't affect the access as all files must be accessible by the web server owner.

user2196452

4 Answers

12

A subdirectory of the DocumentRoot is still considered within the DocumentRoot.

When some software packages advise against placing part of the package inside DocumentRoot, the intent is that it should be actually outside of the DocumentRoot.

So, for instance, if your DocumentRoot is /var/www/example.com/html you might want to put those files somewhere else entirely, like say /var/www/example.com/restricted.

And no, SSL does not solve, nor even address, the concern regarding having sensitive configuration files inside the doc root!

Joe Sniderman
  • How about the authentication and authorization protection? – user2196452 Aug 11 '14 at 12:07
  • @user2196452, "only allow authenticated and authorized users to access". If only certain users can access your web server, then only certain users can access Galaxy (or anything else) in DocumentRoot. But I'd be curious how you are ensuring this. – Paul Draper Aug 11 '14 at 13:05
  • @PaulDraper, do you mean how to ensure only certain users can access my web server? Apache provides many auth modules. I've used mod_cas and mod_kerberos. Both can provide the authentication and authorization I need. – user2196452 Aug 11 '14 at 14:38
  • Even with an auth module, better to keep sensitive stuff outside of the doc root. – Joe Sniderman Aug 11 '14 at 18:55
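A virtual host that makes the boundary in this answer concrete. This is an added example, not configuration from the thread or from the Galaxy documentation; the paths are the ones assumed in the answer (DocumentRoot /var/www/example.com/html, sensitive files in the sibling directory /var/www/example.com/restricted), and it assumes Apache 2.4 syntax.

```apache
# Apache 2.4 ships with this block: nothing on the filesystem is served
# unless a later <Directory> opens it. Keeping it is what makes "outside the
# DocumentRoot" actually mean "not reachable by URL".
<Directory "/">
    AllowOverride None
    Require all denied
</Directory>

<VirtualHost *:80>
    ServerName example.com
    DocumentRoot "/var/www/example.com/html"

    # Everything below the DocumentRoot is mapped onto the URL space, and a
    # sub-directory inherits that mapping:
    #   http://example.com/uploads/x.txt -> /var/www/example.com/html/uploads/x.txt
    # So a sub-directory is still "inside" for the purpose of the Galaxy warning.
    <Directory "/var/www/example.com/html">
        # -Indexes: no directory listings; -FollowSymLinks: a symlink placed
        # inside the DocumentRoot pointing at ../restricted would otherwise
        # re-expose the files you moved out.
        Options -Indexes -FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # /var/www/example.com/restricted is a sibling of the DocumentRoot: no URL
    # under http://example.com/ resolves to it, and Apache normalises
    # "/../restricted" away before mapping. The explicit deny is redundant with
    # <Directory "/"> above, but documents the intent and survives a later
    # Alias or DocumentRoot change.
    <Directory "/var/www/example.com/restricted">
        Require all denied
    </Directory>
</VirtualHost>
```

Check the result with `apachectl -t` for syntax and, after a reload, confirm that `curl -I http://example.com/../restricted/` and `curl -I http://example.com/restricted/` both return 404 (the path simply does not exist in the URL space), while a file dropped into html/uploads/ is served.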
6

To add to Joe Sniderman's answer, putting files outside the document root makes them inaccessible to a user entering in the url in their browser, but still available to scripts running in the document root.

For instance, you create a report that anonymizes and aggregates user login data. You put the script in your document root as /var/www/example.com/html/report.php so others can see how popular your site is.

Your report must consume the raw user data, so it references a file /var/www/example.com/restricted/login.log as the source. This file is not in the document root and is therefore not accessible except through report.php, which anonymizes the data anyway. You wouldn't want the raw data to be public so you keep that sensitive data away from the document root.

200_success
  • While this is "normally" true, depending on your security setup you might have issues with scripts outside the document root (see php open_basedir restriction in effect for the reason) – Dennis Nolte Aug 11 '14 at 12:58
  • They might also have permissions in `restricted` set to 777 owned by www-data. In that case everyone could access the logs by going to http://example.com/../restricted/login.log. No security measure is perfect, but you're absolutely right: there are some nuances. – TheLonelyGhost Aug 11 '14 at 14:35
  • @TheLonelyGhost, if I set the permission of sensitive data and config files (stored under `DocumentRoot`) to 700 as they only need to be accessed by the web server owner, would this resolve the security issue? – user2196452 Aug 11 '14 at 14:50
  • Worst case: everything the web user has access to, so does an attacker. So if your data is in the document root, even with 700, this will not help. Get outside the document root as described by TheLonelyGhost. – Dennis Nolte Aug 11 '14 at 14:53
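The report.php layout from this answer, together with the open_basedir caveat raised in the comments. This is an added example rather than configuration from the thread; it assumes PHP runs in-process via mod_php (so `php_admin_value` is honoured), the paths used in the answer, and a filesystem layout where the log directory is owned by root and group-readable by the web server account.

```apache
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot "/var/www/example.com/html"

    # report.php lives here and is reachable as http://example.com/report.php
    <Directory "/var/www/example.com/html">
        Options -Indexes -FollowSymLinks
        Require all granted
    </Directory>

    # open_basedir confines every PHP file operation to the listed prefixes.
    # If it names only the DocumentRoot, report.php's read of
    # /var/www/example.com/restricted/login.log fails with
    # "open_basedir restriction in effect" (Dennis Nolte's point). Add the data
    # directory explicitly; ':' separates entries on Unix.
    php_admin_value open_basedir "/var/www/example.com/html:/var/www/example.com/restricted:/tmp"

    # The raw log stays unreachable by URL: only code running in the server
    # process can open it.
    <Directory "/var/www/example.com/restricted">
        Require all denied
    </Directory>
</VirtualHost>

# Filesystem side (assumed layout, not Apache syntax; shown for completeness):
#   chown -R root:www-data /var/www/example.com/restricted
#   chmod 0750 /var/www/example.com/restricted
#   chmod 0640 /var/www/example.com/restricted/login.log
# The server account can read the log but cannot replace it, and "777 owned
# by www-data" from the comment above is exactly what this avoids.
```

The division of labour is: Apache's URL mapping keeps the file off the web, open_basedir limits what PHP may touch even if report.php has a path-handling bug, and Unix permissions limit what the server account can do with the file once it has it.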
1

Anything under DocumentRoot is considered part of the website, and will duly be delivered by Apache if you know the path.

BUT....

It's very easy to protect a folder. Just make a rewrite rule around it, or access control, or whatever.

But it's even better to put your various scripts somewhere else. The other answers have lines like this:

/var/www/example.com/restricted

But that is not outside DocumentRoot. This is outside:

/var/www/example.com-scripts/

or:

/var/admin-code/example.com/

or really anywhere else in the filesystem. All you need is software that expects its code to live elsewhere, and a config setting where you tell it where the folder is.

As mentioned, SSL does nothing for you, other than ensure that hacker #2 cannot eavesdrop on hacker #1 reading your database passwords.

paul
  • The example is not necessarily true. It depends on what you set in your `DocumentRoot` directive. If your `DocumentRoot` is set to `/var/www/example.com/html`, as stated above, then `/var/www/example.com/restricted` **is** outside of the DocumentRoot. – Thomas Aug 11 '14 at 12:35
  • Of course, but it adds complexity to the example. – paul Aug 11 '14 at 13:34
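The two techniques this answer mentions for a folder that has to stay inside the DocumentRoot ("a rewrite rule around it, or access control"), as an added example that is not from the thread. Assumed names: DocumentRoot /var/www/example.com/html, a folder /var/www/example.com/html/private for authenticated users only, a folder /var/www/example.com/html/config that nobody should fetch, and a password file /etc/apache2/htpasswd.example.com created with `htpasswd`. Place this in the virtual host.

```apache
# 1) Access control on the filesystem path: only authenticated users.
#    This is the "authenticated and authorized users" idea from the question.
#    Basic auth only base64-encodes the credentials, so pair it with HTTPS;
#    SSL protects the credentials in transit, the Require line does the
#    actual restricting.
<Directory "/var/www/example.com/html/private">
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile "/etc/apache2/htpasswd.example.com"
    Require valid-user
</Directory>

# 2) Rewrite rule on the URL: refuse with 403 no matter who asks.
#    In VirtualHost context the pattern matches the full URL path.
RewriteEngine On
RewriteRule ^/config(/|$) - [F,L]

# Defence in depth for anything that still lands under the DocumentRoot:
# dotfiles (.htpasswd, .git/...) and common config/backup extensions.
<FilesMatch "(^\.|\.(ini|log|sql|bak)$)">
    Require all denied
</FilesMatch>
```

Note that both techniques still leave the files in the web tree: a mis-ordered directive, a second virtual host with a wider DocumentRoot, or a symlink can silently undo them, which is the reason the answer prefers a path outside the DocumentRoot altogether.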
1

The citation

"Please note that Galaxy should never be located on disk inside Apache's DocumentRoot. By default, this would expose all of Galaxy (including datasets) to anyone on the web."

applies to a PARTICULAR SOFTWARE and how it expects the setup to be done!

According to the above, the default Galaxy configuration may imply that all the files underneath ("inside") the DocumentRoot are accessible.

This is why you are supposed to move the files not to be accessed out of there.

This assumption may not be true in another installation or a non-standard installation of Galaxy. In particular, Directory instructions may open or close parts of the filesystem, Location instructions may open or close parts of the URI tree, Alias instructions may map a filesystem subtree onto a URI, and filesystem-level permissions as well as mandatory access control (via SELinux or other systems) may allow or grant access to parts of the filesystem to the webserver process.

An example for "moving outside of the DocumentRoot":

[image: example configuration for moving outside of the DocumentRoot]

David Tonhofer
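Since the image is not reproduced on this page, here is an added example of "moving outside of the DocumentRoot" using the three directives the answer names (Directory, Location, Alias). It is not Galaxy's own configuration; the paths are assumptions: the application is installed in /srv/galaxy, only its static assets are meant to be reachable by URL, and the DocumentRoot stays at /var/www/example.com/html.

```apache
DocumentRoot "/var/www/example.com/html"

# Alias maps one URL prefix onto one directory that is outside the
# DocumentRoot. Nothing else under /srv/galaxy gets a URL.
Alias "/galaxy/static" "/srv/galaxy/static"

# In Apache 2.4 the Alias alone is not enough: the global <Directory "/">
# deny still applies, so the aliased path must be opened on the filesystem
# side as well.
<Directory "/srv/galaxy/static">
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Everything else in the application tree (configuration, datasets,
# database) is denied even if a later Alias accidentally points there.
# Directory sections merge shortest-path-first, so the more specific
# /srv/galaxy/static block above still wins for the assets.
<Directory "/srv/galaxy">
    Require all denied
</Directory>

# Location acts on the URI tree regardless of where the files live: here
# one part of the aliased URL space is limited to an assumed admin network
# (192.0.2.0/24 is a documentation range, not a real network).
<Location "/galaxy/static/admin">
    Require ip 192.0.2.0/24
</Location>
```

The resulting URL space exposes exactly /galaxy/static/ from /srv/galaxy; a request for /galaxy/config/ or /galaxy/database/ has no Alias and falls through to the DocumentRoot, where those paths do not exist, so it is a 404 rather than a data leak.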