IBM HTTP Server Security FAQs

Provide feedback on the IBM HTTP Server forum on IBM developerWorks.

Filesystem permissions for IHS

This FAQ primarily addresses unix systems. In modern releases, the installer creates most files with 0755 permissions.

Because IHS sometimes runs under multiple userids, changing filesystem permissions can be complicated. This FAQ only covers the following two scenarios:

  1. IHS installed by root and started as root. This is the recommended and preferred configuration on unix systems.
  2. IHS installed by non-root user X and started by non-root user X.
Other configurations require more lengthy/meticulous configuration. Those configurations include root-owned IHS started by a semi-privileged or a semi-privileged user installing IHS started by an unrelated unprivileged user.

IHS started by root

The issues for an instance of IHS started by root primarily involve resources needed at request processing time, after IHS has switched to the ID specified with the User directive. We will refer to this as the configured ID. Note that all of the requirements below are met in the default configuration.

Generally the mechanism by which the configured ID has read or execute permissions to the filesystem are via the other/world permissions on files owned by root. While it may technically possible to use a shared group for this purpose, it has not been considered/designed/tested by IBM.

IHS started as non-root

When IHS is started by a non-root ID, for the purposes of this document it's assumed that this user ran the installation and has ownership of all files in the installation root.