Reputation: 489
I've added a VirtualHost:
ServerAdmin root@localhost
DocumentRoot /var/www/html/blogovet.ru
ServerName www.blogovet.ru
ServerAlias blogovet.ru
But my script in this domain can see all server files (/*), not only those in its own directory, /var/www/html/blogovet.ru.
How can I forbid viewing files outside DocumentRoot?
Upvotes: 2
Views: 777
Reputation: 489
I found this solution for PHP (if CGI and SSI are disabled, it looks good):
<VirtualHost *:80>
    ServerAdmin root@localhost
    DocumentRoot /var/www/html/site.com
    ServerName www.site.com
    ServerAlias site.com
    ErrorLog /var/www/html/site.com/error-log
    # TransferLog /var/www/html/site.com/transfer-log
    # CustomLog /var/www/html/site.com/access-log common
    <IfModule mod_php5.c>
        # php_admin_value settings cannot be overridden from .htaccess or ini_set()
        php_admin_value upload_tmp_dir "/tmp"
        php_admin_value include_path ".:/usr/share/pear:/usr/share/php:/var/www/html/site.com"
        # Limit PHP file functions for this virtual host to the site's own tree
        php_admin_value open_basedir "/var/www/html/site.com"
        php_admin_value doc_root "/var/www/html/site.com"
    </IfModule>
    <Directory "/var/www/html/site.com">
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
Upvotes: 0
Reputation: 4360
A script will be able to read all files that the user running the script can read. So you should make sure your web server does not run as root (it needs to be started as root to listen on port 80, but should switch user to e.g. "www" itself), and then make sure that that user can't read any sensitive files.
You could also use SElinux for an extra layer of security.
Upvotes: 0
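One way to check the point made in the last answer, as an added example that is not part of any of the posts above: list the files outside a virtual host's DocumentRoot that an unprivileged account could still read. The function names and the sample tree are hypothetical and constructed here. It assumes the web server account is neither the owner nor in the group of the files, so only the "other" permission bits apply.

```shell
#!/bin/sh
# Added example. List files outside DOCROOT that an account with only
# "other" permissions could read. Usage (absolute paths, no glob chars):
#   world_readable_outside <tree-to-audit> <docroot>
world_readable_outside() {
    root=$1
    docroot=${2%/}
    # Prune the docroot itself and any directory "other" cannot traverse
    # (no o+x): a readable file below such a directory is not reachable.
    find "$root" \
        \( -path "$docroot" -o -type d ! -perm -001 \) -prune \
        -o -type f -perm -004 -print | sort
}

# Constructed sample tree (not a real server layout).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/www/site.com" "$t/etc" "$t/private"
    echo '<?php'               > "$t/www/site.com/index.php"
    echo 'db_password=example' > "$t/etc/app.conf"
    echo 'key'                 > "$t/etc/secret.key"
    echo 'backup'              > "$t/private/dump.sql"
    chmod 755 "$t" "$t/www" "$t/www/site.com" "$t/etc"
    chmod 750 "$t/private"             # "other" cannot enter this directory
    chmod 644 "$t/www/site.com/index.php" "$t/etc/app.conf" "$t/private/dump.sql"
    chmod 600 "$t/etc/secret.key"      # owner-only
    echo "$t"
}

# Demo on the constructed tree: only etc/app.conf is reported.
t=$(make_sample_tree) && {
    world_readable_outside "$t" "$t/www/site.com"
    rm -rf "$t"
}
```

On a real host, anything this reports that holds credentials or keys should lose its world-read bit or move under a directory the web server account cannot traverse.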