16

When I apt-get install apache2 the server starts automatically when install completes, and the default Apache configuration makes everything in /var/www/ accessible to the client side. Thus if I have any closed source server side scripts or other secret information in that directory before installing Apache, it is publicly accessible until I change the Apache configuration and restart Apache or until I stop Apache.

I can do this

sudo apt-get install -y apache2
sudo service apache2 stop
# Finish setting up...

And then there is only a brief window where the secret stuff is accessible, but it would be preferable to keep Apache from starting automatically at all and never expose /var/www/ even for one moment.

Are there any options I can pass to apt-get install or other ways to prevent Apache from starting automatically after it is installed?

David Winiecki
  • I don't know what the behavior is when you compile Apache yourself instead of using `apt-get`. I suppose if you compile it yourself you can find the code that starts Apache after install and disable it. That might be a decent answer if someone can describe in more detail. However the ideal answer to the question as stated would still use `apt-get`. – David Winiecki Apr 09 '15 at 15:41
  • 5
    Why not just firewall off your server for a minute while doing the upgrade? – EEAA Apr 09 '15 at 15:44
  • I guess my question is kind of a duplicate of this one on askubuntu.com: http://askubuntu.com/questions/74061/install-packages-without-starting-background-processes-and-services – David Winiecki Apr 09 '15 at 16:54
  • 1
    Yet another option: Use Red Hat/CentOS distributions, which do not suffer from this or any of Debian's other insanities. – Michael Hampton Apr 10 '15 at 00:21

2 Answers

13

Try this:

  1. Create a file /usr/sbin/policy-rc.d with the following content:
#!/bin/sh
exit 101
  2. Make it executable:
chmod +x /usr/sbin/policy-rc.d

After this, all packages will be installed but the services will not start.

Once you are done, you can remove the file:

rm -f /usr/sbin/policy-rc.d
Giacomo1968
b13n1u
  • I'm trying this. More info here: https://jpetazzo.github.io/2013/10/06/policy-rc-d-do-not-start-services-automatically/ (I'm going to use `#!` though.) – David Winiecki Apr 09 '15 at 16:35
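The policy-rc.d steps from the answer above, wrapped so the deny policy is removed again even when the install fails or is interrupted, and so a policy file that was already present is put back rather than deleted. This is an added example, not code from the answer or its comments; the function names and the `POLICY` override are assumptions of the example.

```shell
#!/bin/sh
# Added example: run an install with service start-up denied via policy-rc.d.
# POLICY can be overridden (assumption of this example) to try it on a scratch path.
POLICY="${POLICY:-/usr/sbin/policy-rc.d}"

deny_service_starts() {
    # Keep a policy file that is already present (container images often ship one).
    if [ -e "$POLICY" ] && [ ! -e "$POLICY.saved" ]; then
        mv "$POLICY" "$POLICY.saved" || return 1
    fi
    mkdir -p "$(dirname "$POLICY")" || return 1
    # Exit status 101 tells invoke-rc.d the action is forbidden by policy.
    printf '#!/bin/sh\nexit 101\n' > "$POLICY" || return 1
    chmod 755 "$POLICY"
}

restore_policy() {
    rm -f "$POLICY"
    if [ -e "$POLICY.saved" ]; then
        mv "$POLICY.saved" "$POLICY"
    fi
}

# Run "$@" with service starts denied, always restore, return the command's status.
with_services_denied() {
    deny_service_starts || return 1
    trap 'restore_policy; exit 130' INT TERM
    "$@"
    status=$?
    trap - INT TERM
    restore_policy
    return "$status"
}

# On a real system, as root:
#   with_services_denied apt-get install -y apache2
```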
10

Lots of options:

  1. Move the closed source content out of /var/www
  2. Change the permissions on that content such that the apache user cannot read it
  3. Iptables to stop port 80/443 traffic
  4. Pass a runlevel environment variable to apt-get:
sudo RUNLEVEL=1 apt-get install apache2
Giacomo1968
dmourati
  • Wouldn't the apache2 install leave the "current" config files in place? For example, a template left in /etc/apache2/httpd.conf wouldn't be overwritten, would it? – Hyppy Apr 09 '15 at 16:04
  • I think changing the Apache config (after making /var/www inaccessible using one of the methods in these answers) is implied. – David Winiecki Apr 09 '15 at 16:29
  • I mean, I don't think any of these 4 methods will modify the Apache config. – David Winiecki Apr 09 '15 at 16:44
  • 1
    I think I'm going to use `RUNLEVEL=1` since it seems like the simplest option and it worked in a test, but iptables or some other firewall does feel like the right way. – David Winiecki Apr 09 '15 at 16:57