On Oct 4, 2011, at 7:00 AM, Vadym Chepkov wrote:
On Oct 3, 2011, at 12:39 PM, Dominick Grift wrote:
> On Mon, 2011-10-03 at 12:29 -0400, Scott Gifford wrote:
>> PHP uploads files into a temporary directory, where they are given the
>> label "httpd_tmp_t". When a PHP script processes them, it
>> calls move_uploaded_file to move the newly uploaded file into its
>> final location. This function does some validity checks, then does a
>> rename(2) from the temporary location to the location passed to
>> move_uploaded_file.
>
> Your web app would need to copy the file instead.
>
> Or why not make your app create the file in the final destination in the
> first place, then rename it there.
>
>> The problem is that after the rename, the file still retains its
>> original label, "httpd_tmp_t". That makes it inconsistent with files
>> and directories which weren't uploaded, and requires some policy
>> gymnastics to take into account that anything that could have been
>> uploaded might have the "httpd_tmp_t" type.
>
>> I am wondering if there is some good way to automatically relabel this
>> file when it is renamed?
>>
>> I would like for the PHP application to work on SELinux and
>> non-SELinux systems, so I would prefer not to make calls out to
>> SELinux-specific scripts and programs (like restorecon). What I would
>> really like is some configuration option that would just relabel files
>> according to their destination when they are rename(2)'d, but that may
>> be asking too much. :-)
>
> That is not practical because whatever moves the file might not be
> allowed to relabelto the target location type.
>
> So I do not think that this is feasible.
>
>>
>> Thanks for any advice,
>>
>>
>> -----Scott.
>>
Hi,
I think it's one of those cases where if a person asks how to shoot himself, he
shouldn't be provided any recipes :)
I understand where this requirement is coming from. Many current web engines nowadays
allow you to install "extensions" or "plugins" via web interface.
This is convenient, but absolutely insecure - think about it, you are trying to allow
an application to do self code modifications, the very thing that SELinux should help you to
prevent.
A bug in wordpress/phpbb/cms made simple/whatever together with this SELinux backdoor
would allow installation of malicious code on your server. I bet you have
GRANT ALL PRIVILEGES ON database.* to webuser, and you will wake up with no website, for
example, or stolen sensitive data.
Convenience and security most times contradict each other. Install your php code
manually.
Vadym
In those cases where uploads are indeed necessary - never had an issue:
# wiki
/var/www/vvcwiki/bin(/.*)?    gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
/var/www/vvcwiki/images(/.*)?    gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
/var/www/vvcwiki/cache(/.*)?    gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
# chat
/var/www/phpfreechat/data(/.*)?    gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
# Google sitemap
/var/www/(.*/)?sitemap\.xml(\.gz)?    gen_context(system_u:object_r:httpd_cache_t,s0)
# Kayako
/var/www/kayako/__swift/cache(/.*)?    gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www/kayako/__swift/files(/.*)?    gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www/kayako/__swift/geoip(/.*)?    gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www/kayako/__swift/log(/.*)?    gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
# wordpress
/var/www/.*/wp-content/uploads(/.*)?    gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
# phpbb
/var/www/phpbb/cache(/.*)?    gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www/phpbb/files(/.*)?    gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www/phpbb/images(/.*)?    gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
Cheers,
Vadym
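
Added example, not part of the thread: the label stays after rename(2) because the file keeps its inode, and the SELinux context is stored on the inode as the security.selinux extended attribute, while a copy creates a new inode that is labeled at creation time. The directory names, file names and helper functions below are constructed for illustration; on a host without SELinux the label fields are None and only the inode behaviour is visible.

```python
import os
import shutil
import tempfile


def selinux_label(path):
    """Return the security.selinux xattr as text, or None if it is unavailable."""
    try:
        return os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except (OSError, AttributeError):  # no SELinux, no xattr support, or non-Linux
        return None


def snapshot(path):
    """(inode number, SELinux label) for path."""
    return os.stat(path).st_ino, selinux_label(path)


def move_by_rename(src, dst):
    """What move_uploaded_file does: same inode, so the old label travels along."""
    before = snapshot(src)
    os.rename(src, dst)
    return before, snapshot(dst)


def move_by_copy(src, dst):
    """Copy data only (no xattrs), then unlink: dst is a freshly created inode."""
    before = snapshot(src)
    shutil.copyfile(src, dst)
    os.unlink(src)
    return before, snapshot(dst)


def demo():
    """Run both strategies on constructed files; return before/after snapshots."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        tmp_dir = os.path.join(root, "upload_tmp")   # stands in for PHP's temp dir
        final_dir = os.path.join(root, "final")      # stands in for the web root
        os.mkdir(tmp_dir)
        os.mkdir(final_dir)
        for name, mover in (("rename", move_by_rename), ("copy", move_by_copy)):
            src = os.path.join(tmp_dir, name + ".bin")
            with open(src, "wb") as fh:
                fh.write(b"constructed upload body\n")
            results[name] = mover(src, os.path.join(final_dir, name + ".bin"))
    return results


if __name__ == "__main__":
    for how, (before, after) in demo().items():
        print(how, "before:", before, "after:", after)
```

Both demo directories live under one temporary directory, so on an SELinux host they normally carry the same type; to see the labels diverge, point the two paths at directories with different file contexts.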