3.12 Ensure Group Write Access for the Document Root Directories and Files Is Properly Restricted

Information

Group permissions on Apache Document Root directories $DOCROOT may need to be writable by an authorized group such as development, support, or a production content management tool. However, it is important that the Apache group used to run the server does not have write access to any directories or files in the document root.

Rationale:

Preventing Apache from writing to the web document root helps mitigate the risk of web application vulnerabilities involving file uploads or command execution. Typically, if an application hosted by Apache needs to write to a directory, it is best practice to have that directory live outside the web root.

Solution

Perform the following to remove group write access from any $DOCROOT directories and files owned by the Apache group, where $GRP is the group the Apache server runs as.

# find -L $DOCROOT -group $GRP -perm /g=w -print0 | xargs -0 chmod g-w
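The following script is an added example and not part of the CIS benchmark text. It wraps the audit (count group-writable entries owned by the Apache group) and the remediation in shell functions, and uses `-exec chmod g-w {} +` rather than piping to `xargs` so that paths containing whitespace are handled safely and an empty result set does not run `chmod` with no operands. The demo uses a temporary directory and the current user's primary group as a stand-in for the Apache group, because only root can assign files to a group such as `apache`; DOCROOT and GRP are assumed to be supplied by the caller in real use.

```shell
#!/bin/sh
# Added example: audit and remediate group-write permissions under a document root.
# Assumption: $1 is the document root ($DOCROOT) and $2 the Apache run-as group ($GRP).

# Audit: print the number of directories/files under $1 owned by group $2
# that are writable by that group (0 means compliant).
count_group_writable() {
    echo $(( $(find -L "$1" -group "$2" -perm /g=w | wc -l) ))
}

# Remediate: strip group write from every matching entry. -exec ... {} + is
# whitespace-safe and is simply a no-op when nothing matches.
remediate_group_write() {
    find -L "$1" -group "$2" -perm /g=w -exec chmod g-w {} +
}

# Demo on a constructed tree: two findings (a 775 directory and a 664 file
# whose path contains a space), one compliant file. Prints "<before> <after>".
demo() {
    tmp=$(mktemp -d)
    grp=$(id -gn)                       # stand-in for the Apache group
    mkdir -p "$tmp/htdocs/uploads" "$tmp/htdocs/assets dir"
    printf 'x' > "$tmp/htdocs/index.html"
    printf 'x' > "$tmp/htdocs/assets dir/site.css"
    chgrp -R "$grp" "$tmp/htdocs"       # make group ownership deterministic
    chmod 755 "$tmp/htdocs" "$tmp/htdocs/assets dir"
    chmod 775 "$tmp/htdocs/uploads"            # finding: group-writable directory
    chmod 664 "$tmp/htdocs/assets dir/site.css" # finding: group-writable file
    chmod 644 "$tmp/htdocs/index.html"         # compliant
    before=$(count_group_writable "$tmp/htdocs" "$grp")
    remediate_group_write "$tmp/htdocs" "$grp"
    after=$(count_group_writable "$tmp/htdocs" "$grp")
    rm -rf "$tmp"
    echo "$before $after"
}

demo
```

Run `count_group_writable "$DOCROOT" "$GRP"` on its own as a read-only audit before remediating; a non-zero count is the list of entries the benchmark wants changed, and you can replace `wc -l` with `-print` to see the paths themselves.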

See Also

https://workbench.cisecurity.org/files/4548