Ensure the Lock File Is Secured – ‘LockFile permissions’

CIS Apache HTTP Server 2.2 L2 V3 6.0

Details

The ‘LockFile’ directive sets the path to the lock file used when Apache uses ‘fcntl(2)’ or ‘flock(2)’ system calls to implement a mutex. Most Linux systems will default to using semaphores instead, so the directive may not apply. However, in the event a lock file is used, it is important for the lock file to be in a locally mounted directory that is not writable by other users.

Rationale:

If the ‘LockFile’ is placed in a directory writable by other accounts, any of those accounts could mount a denial of service by creating a file with the same name, preventing the server from starting.

Solution

Perform these steps to properly secure the lock file:
1. Find the directory in which the ‘LockFile’ would be created. The default value is the ‘ServerRoot/logs’ directory.
2. Modify the directory for the ‘LockFile’ so it is not within the Apache ‘DocumentRoot’ and so it is on a locally mounted hard drive rather than an NFS-mounted file system.
3. Change the ownership and group of the directory to ‘root:root’.
4. Change the permissions on the directory so it is only writable by root, or by the user under which Apache initially starts up (the default is root).
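The following audit script is an added example, not part of the CIS benchmark text. It resolves the directory the LockFile would be created in from an httpd.conf and checks it against the four steps above (outside DocumentRoot, local rather than NFS storage, root:root ownership, no group or world write bit). It assumes Linux with GNU coreutils (`stat -c` and `stat -f -c`); the paths in the final comment are illustrative.

```shell
#!/usr/bin/env bash
# Added example, not part of the CIS benchmark text: audit the directory that
# will hold the Apache 2.2 LockFile against the four remediation steps above.
# Assumes Linux with GNU coreutils (stat -c and stat -f -c).

# Resolve the directory the LockFile is created in from an httpd.conf.
# Relative paths are taken relative to ServerRoot; when the directive is
# absent, the default named in the benchmark, ServerRoot/logs, is used.
lockfile_dir_from_conf() {
  local conf=$1 server_root=$2 lock
  lock=$(sed -n 's/^[[:space:]]*[Ll]ock[Ff]ile[[:space:]][[:space:]]*"\{0,1\}\([^"[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
  if [ -z "$lock" ]; then
    printf '%s/logs\n' "$server_root"
  elif [ "${lock#/}" != "$lock" ]; then
    dirname "$lock"                          # absolute path as given
  else
    dirname "$server_root/$lock"             # relative to ServerRoot
  fi
}

# Print one finding per line for the lock directory DIR; the exit status is
# the number of findings, so 0 means the directory passes every check.
# OWNER and GROUP default to root:root as the benchmark requires; pass other
# values only when Apache is deliberately started under another account.
check_lockfile_dir() {
  local dir=$1 docroot=$2 owner=${3:-root} group=${4:-root} n=0 real droot mode go
  real=$(cd "$dir" && pwd -P) && droot=$(cd "$docroot" && pwd -P) || return 1
  case $real/ in                             # step 2: not under DocumentRoot
    "$droot"/*) echo "inside DocumentRoot $droot"; n=$((n+1)) ;;
  esac
  case $(stat -f -c %T "$dir") in            # step 2: local disk, not NFS
    nfs*) echo "on an NFS-mounted filesystem"; n=$((n+1)) ;;
  esac
  [ "$(stat -c %U "$dir")" = "$owner" ] || { echo "owner is not $owner"; n=$((n+1)); }
  [ "$(stat -c %G "$dir")" = "$group" ] || { echo "group is not $group"; n=$((n+1)); }
  mode=$(stat -c %a "$dir")                  # step 4: no group/world write bit
  go=${mode#"${mode%??}"}                    # last two octal digits: group, other
  case $go in
    [2367]?|?[2367]) echo "group or world writable (mode $mode)"; n=$((n+1)) ;;
  esac
  return "$n"
}

# Typical run against a live server (paths are illustrative):
# check_lockfile_dir "$(lockfile_dir_from_conf /etc/httpd/conf/httpd.conf /etc/httpd)" /var/www/html
```

A non-zero exit status with the printed findings is what a configuration-management check would report; an empty output with status 0 means the directory satisfies the control.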

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Unix.

Updated on July 16, 2022