block find / perl / curl to user ?

bob lapointe bob.lapointe at gmail.com
Tue Nov 6 10:23:31 UTC 2012


Thanks for the answer.

My Apache server runs PHP in "fcgi" mode.
I want to protect my server from script kiddies using the r99 shell, etc.

Example:
http://mikeybeck.com/hacking/N3tShell.html

I cannot remove "exec()" from PHP because I use Typo3.

My users can run the "find" command from PHP code and view files like /etc/passwd.

------------------------------------------------------------------------------------------------------------------------------------
[root at webserver ~]# ls -lZ /bin/find
-rwxr-x---. root root system_u:object_r:bin_t:s0       /bin/find
-------------------------------------------------------------------------------------------------------------------------------------
If I remove the rights of "others" they can't use it, but that doesn't seem to me
the best solution.


-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
unconfined_u:system_r:httpd_sys_script_t:s0 500 12060 12043  0 Nov05 ?  00:00:00 /usr/bin/php-cgi -c /var/www/conf/php-democlient1.ini
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
500 is the UID of my user.

-----------------------------------------------------------------------------------------------------------------------------------------
unconfined_u:system_r:httpd_t:s0 apache   6373  6349  0 Oct29 ?  00:00:00 /usr/sbin/httpd.worker
------------------------------------------------------------------------------------------------------------------------------------------


------------------------------------------------------------------------------------------------------------------------------------------
[root at webserver ~]# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
democlient1               user_u                    s0
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
--------------------------------------------------------------------------------------------------------------------------------------------

My test user is democlient1, with UID 500.


Thanks
Sorry for my English.

On Tue, Nov 6, 2012 at 10:50 AM, Dominick Grift <dominick.grift at gmail.com> wrote:

>
>
> On Tue, 2012-11-06 at 10:09 +0100, bob lapointe wrote:
> > Hello,
> > I want to restrict a user; I would like to forbid the use of system commands
> > such as "find, perl".
> >
> > All the documentation I've found is always about allowing commands, never about
> > prohibiting a user from doing something.
> >
>
> Access is denied by default, if you want to allow something then you
> need to specify that.
>
> > Can it be done with SELinux? Or do I have to "play" with the rights of the
> > commands?
>
> It can be done, sure (whether it makes sense to do it is another
> question).
>
> I do not know what you mean with "I have to "play" with the rights of
> commands ?"
>
> Basically what you would need to do is create private types, make the
> types core command executable file types, label the executable files
> accordingly and then specify who can execute them.
>
> I am not sure what approach you are using to create your confined user
> but if you are using shipped selinux macros, as is, to base your new
> confined user policy off of then you are accepting some of the
> properties of these macros. One of these properties may be that it
> already allows your user to execute find or perl.
>
> So to create a confined user that is customized in a way that differs
> from what is facilitated by the distro macros you would need to work
> around those few "limitations" of the provided macros or create a new
> user domain from scratch.
>
> Basically you are providing us with too few details about your
> approach for me to be able to give a more specific answer.
>
> >
> > Thanks
> > Jérémy P
> > --
> > selinux mailing list
> > selinux at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
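The approach Dominick describes (a private executable file type, labelled onto the binary, with execute permission granted only to chosen domains), written out as an added example; this is not code from either poster. The module name restrict_find and the type name restricted_bin_t are assumptions. The domain it targets is taken from the ps output above: php-cgi runs in httpd_sys_script_t, a domain entered by transition from httpd_t, so the democlient1 -> user_u login mapping (which only applies to sessions that begin with a login) does not affect the web process at all. The reference-policy macros used here, corecmd_executable_file() and can_exec(), exist in the Fedora policy of that era; the commands in the comments are the standard module build and verification commands.

```selinux
# restrict_find.te  --  a private executable type that web scripts cannot execute.
# (Added example; restrict_find / restricted_bin_t are assumed names.)
#
# Build on the server with the selinux-policy-devel package installed:
#   make -f /usr/share/selinux/devel/Makefile restrict_find.pp
#   semodule -i restrict_find.pp
#   restorecon -v /bin/find /usr/bin/find
# Verify: the first command must print nothing (no allow rule from the web
# script domain to the new type); the second shows the new label.
#   sesearch -A -s httpd_sys_script_t -t restricted_bin_t -c file
#   ls -lZ /bin/find

policy_module(restrict_find, 1.0)

########################################
#
# Declarations
#

gen_require(`
	type sysadm_t;
')

# corecmd_executable_file() makes the type an executable file type
# (exec_type attribute plus files_type), but it is NOT bin_t. Domains whose
# policy only grants corecmd_exec_bin() -- httpd_sys_script_t among them --
# therefore get no execute permission on it: denied by default, exactly as
# Dominick says, unless a rule below grants it.
type restricted_bin_t;
corecmd_executable_file(restricted_bin_t)

########################################
#
# Policy
#

# Only the confined administrator domain may run the relabelled binaries.
# No rule is needed for unconfined_t: it is unconfined and may execute any
# file_type, so root's interactive shell keeps working.
can_exec(sysadm_t, restricted_bin_t)

# Deliberately no rule for httpd_sys_script_t (or httpd_t): the omission is
# the whole point of the module.


# restrict_find.fc  --  file contexts, applied by restorecon / at rpm install.
# Both paths are listed because on releases where /bin is a symlink to
# /usr/bin the canonical path is /usr/bin/find; the server in this thread
# shows /bin/find as a regular file labelled bin_t.
/bin/find		--	gen_context(system_u:object_r:restricted_bin_t,s0)
/usr/bin/find		--	gen_context(system_u:object_r:restricted_bin_t,s0)
# The same line would work for /usr/bin/perl.*, but see the note below
# before relabelling an interpreter that system services depend on.
```

Two checks worth doing before relying on this. First, a binary moved out of bin_t loses execute permission for every confined domain that only had corecmd_exec_bin(), not just the web script domain; cron jobs and services that call find will start failing, and perl is run by far more things than find, so list the current consumers with `sesearch -A -t bin_t -c file -p execute` and watch `ausearch -m avc -ts recent` after loading the module. Second, this only stops exec() of the relabelled binaries: PHP's own file functions, `ls -R`, `cat` and any other bin_t tool remain available to the script, and /etc/passwd is world-readable by design, so reading it is not something this module (or chmod o-x on find) prevents. An equivalent alternative to the .fc file is `semanage fcontext -a -t restricted_bin_t /bin/find` followed by restorecon; either way the label survives an rpm update because the type is in the loaded policy.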

