On Thursday 02 December 2010 19:07:33 Dominick Grift wrote:

> On 12/02/2010 07:58 PM, Tony Molloy wrote:

> > On Thursday 02 December 2010 18:49:34 Dominick Grift wrote:

> >> On 12/02/2010 07:27 PM, Tony Molloy wrote:

> >>> On Thursday 02 December 2010 18:10:22 Dominick Grift wrote:

> >>>> On 12/02/2010 06:47 PM, Daniel J Walsh wrote:

> >>>>> On 12/02/2010 12:44 PM, Tony Molloy wrote:

> >>>>>> On Thursday 02 December 2010 17:37:54 m.roth@5-cent.us wrote:

> >>>>>>> Tony Molloy wrote:

> >>>>>>>> On Thursday 02 December 2010 15:56:59 m.roth@5-cent.us wrote:

> >>>>>>>>> Daniel J Walsh wrote:

> >>>>>>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:

> >>>>>>>>>>> Hi,

> >>>>>>>>>>>

> >>>>>>>>>>> I'm running http on a fully updated Centos 5 system.

> >>>>>>>>>>>

> >>>>>>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64

> >>>>>>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch

> >>>>>>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch

> >>>>>>>>>>>

> >>>>>>>>>>> I'm trying to run a cgi script from a user directory.

> >>>>>>>>>

> >>>>>>>>> <MVNCH>

> >>>>>>>>>

> >>>>>>>>>> Do you have httpd_suexec_disable_trans turned on?

> >>>>>>>>>

> >>>>>>>>> Actually, what bothers me is trying to run a .cgi from a user's

> >>>>>>>>> directory. Can't you create a directory ->under the apache

> >>>>>>>

> >>>>>>> <Directory><- that the

> >>>>>>>

> >>>>>>>>> users can put scripts in for testing? (I assume that once they're

> >>>>>>>>> good, they go into the real production location for .cgi.)

> >>>>>>>>

> >>>>>>>> Not so easily done ;-)

> >>>>>>>>

> >>>>>>>> This is a University environment with several hundred

> >>>>>>>> faculty/students wanting to use this server to run/check

> >>>>>>>> assignments. So they have ftp

> >>>>>>>

> >>>>>>> accounts

> >>>>>>>

> >>>>>>>> where they can upload any scripts to their public_html directory

> >>>>>>>> and run

> >>>>>>>

> >>>>>>> them

> >>>>>>>

> >>>>>>>> from there.

> >>>>>>>

> >>>>>>> I figured it was something like that. What I was thinking was

> >>>>>>>

> >>>>>>> /var/www/html/public_cgi/<students' directories>

> >>>>>>>

> >>>>>>> which would put them in a *legitimate* place for apache to be happy

> >>>>>>> with, and which selinux would be happy with.

> >>>>>>>

> >>>>>>> You *might* need to add them to a group named something like

> >>>>>>> pubcgi, and make the above group acceptable to selinux and apache.

> >>>>>>>

> >>>>>>> mark

> >>>>>>

> >>>>>> Interesting idea. I could give it a try next semester.

> >>>>

> >>>> Not sure if suexec would work if you set it up that way

> >>>>

> >>>> I've ~/public_html/cgi-bin

> >>>> ~/(httpd_user_content_t/(httpd_user_script_exec_t) and works just

> >>>> dandy with suexec.

> >>>

> >>> I'm not clear what you are saying here.

> >>>

> >>> My SELinux contexts

> >>> -------------------

> >>>

> >>> cd /var/pub/ftp

> >>>

> >>> user directory

> >>>

> >>> drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t healyp

> >>>

> >>> cd healyp

> >>>

> >>> drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t

> >>> public_html

> >>>

> >>> ^^^^^^

> >>>

> >>> cd public_html

> >>>

> >>> drwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t

> >>> cgi-bin

> >>>

> >>> ^^^

> >>>

> >>> cd cgi-bin

> >>>

> >>> -rwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t

> >>> survey.cgi

> >>>

> >>> ^^^

> >>>

> >>> Are you suggesting that ^^^ should be user instead of sys? Would that

> >>> make a difference?

> >>

> >> Well, if that type exists in your distro, then it's preferred that you use

> >> it, yes. If the httpd_user* types do not exist, then you can just use

> >> httpd_sys* types.

> >>

> >> There are some minor differences. One is that httpd_user* types

> >> are user content, meaning users can manage and relabel it, whereas

> >> httpd_sys* types are system content types and users *may* not be able to

> >> do all the things they would like to it.

> >>

> >> I am not sure how that was designed on el5. But in el6 and fedora 14,

> >> you should use httpd_user* types in ~ in my opinion.

> >>

> >> But httpd_sys* types also work for the most part. It's just not optimal.

> >

> > OK, I don't want the users being able to relabel anything. They are mostly

> > students and cause enough problems as it is.

>

> Well, I am not saying they can relabel everything; they can just relabel to

> and from httpd_user* types. Could be useful. For example, a student

> moving a script from his home directory to his public_html/cgi-bin

> directory could cause issues possibly requiring intervention if it's not

> an httpd_user* type.

>

> In my view a user should be able to restore context of all contents in

> his home dir.

>

A user yes, a student no ;-)

No, most of these students are computer music or digital media students who are basically Windows or Mac users who have minimal Linux experience.

> Therefore I would not use httpd_sys* types or public_content* types in

> users home directories.

>

> I would probably just

>

> adduser joe

> mkdir ~/public_html; chcon -R -t httpd_user_content_rw_t ~/public_html

> mkdir ~/public_html/cgi-bin; chcon -R -t httpd_user_script_exec_t

> ~/public_html/cgi-bin

>

They are not "home" directories. They are actually ftp home directories in /var/ftp/pub. Students develop their scripts on their local machine and upload them to the server using ftp.

Thanks,

Tony

> Heck, you wouldn't even have to set it up yourself, since your students

> have access to both types they could just do it themselves.

>

> > Tony

> >

> >>> Thanks,

> >>>

> >>> Tony

> >>>

> >>>>>> Thanks,

> >>>>>>

> >>>>>> Tony

> >>>>>

> >>>>> It should not be necessary. public_html labeled correctly will work.

> >>>>> The problem you are seeing is that this boolean was set causing

> >>>>> suexec to not work.
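Added example, not code from anyone in this thread: a small POSIX sh audit that takes "ls -Z"-style lines (context, then path) for the ftp-homed public_html trees and emits the chcon needed to move them from the httpd_sys_* / public_content_rw_t labels Tony showed to the httpd_user_content_rw_t / httpd_user_script_exec_t types Dominick recommends, plus the matching semanage fcontext rules so a later restorecon does not undo the chcon (chcon alone does not survive a relabel). The base directory /var/ftp/pub, the user healyp and the listing embedded below are constructed for the demo; the script prints commands and runs nothing against the system.

```sh
#!/bin/sh
# Added example (not from the thread). Audit SELinux types under each
# student's public_html and emit the chcon/semanage commands to fix them.
# Assumptions: ftp homes live under BASE (as in the thread), and the
# httpd_user_content_rw_t / httpd_user_script_exec_t types exist in the
# policy (check with seinfo before relying on them).

BASE=${BASE:-/var/ftp/pub}

# Type a path should carry, following the layout discussed above:
#   .../public_html/cgi-bin(/...)  -> httpd_user_script_exec_t
#   .../public_html(/...)          -> httpd_user_content_rw_t
#   anything else                  -> no opinion (empty)
expected_type() {
    case "$1" in
        */public_html/cgi-bin|*/public_html/cgi-bin/*) echo httpd_user_script_exec_t ;;
        */public_html|*/public_html/*)                 echo httpd_user_content_rw_t ;;
        *)                                             echo "" ;;
    esac
}

# Third field of user:role:type[:level]; works for el5 (3 fields) and el6 (4).
context_type() {
    t=${1#*:}; t=${t#*:}
    printf '%s\n' "${t%%:*}"
}

# stdin: "<context> <path>" per line. stdout: one "chcon -t <type> <path>"
# per entry whose current type differs from expected_type. Always returns 0.
audit_labels() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        want=$(expected_type "$path")
        [ -n "$want" ] || continue
        have=$(context_type "$ctx")
        [ "$have" = "$want" ] || printf 'chcon -t %s %s\n' "$want" "$path"
    done
}

# Number of entries audit_labels would relabel (printed, not returned).
mismatch_count() {
    audit_labels | grep -c '^chcon ' || true
}

# Persistent file-context rules equivalent to the chcon lines, so that
# restorecon / a full relabel produces the same labels. Order does not
# matter: restorecon picks the most specific (longest) matching regex.
persistent_rules() {
    printf "semanage fcontext -a -t httpd_user_content_rw_t '%s/[^/]+/public_html(/.*)?'\n" "$BASE"
    printf "semanage fcontext -a -t httpd_user_script_exec_t '%s/[^/]+/public_html/cgi-bin(/.*)?'\n" "$BASE"
    printf 'restorecon -Rv %s\n' "$BASE"
}

# Constructed listing mirroring the layout and labels Tony posted.
SAMPLE='root:object_r:public_content_rw_t /var/ftp/pub/healyp/public_html
root:object_r:httpd_sys_script_exec_t /var/ftp/pub/healyp/public_html/cgi-bin
root:object_r:httpd_sys_script_exec_t /var/ftp/pub/healyp/public_html/cgi-bin/survey.cgi
root:object_r:httpd_user_content_rw_t /var/ftp/pub/healyp/public_html/index.html'

# With "-" as the only argument, read a live listing from stdin instead, e.g.
#   find /var/ftp/pub -path '*/public_html*' -exec stat -c '%C %n' {} + | sh audit.sh -
if [ "${1:-}" = - ]; then listing=$(cat); else listing=$SAMPLE; fi

printf '# %s entries need relabeling (dry run):\n' "$(printf '%s\n' "$listing" | mismatch_count)"
printf '%s\n' "$listing" | audit_labels
printf '# persistent rules to apply as root:\n'
persistent_rules
```

Before trusting the httpd_user_* names on el5, confirm the policy actually defines them (for example `seinfo -t httpd_user_content_rw_t` from setools prints the type if it exists); if it does not, Dominick's fallback of the httpd_sys_* types applies. Independently of labels, `getsebool httpd_suexec_disable_trans` should report off, since per Dan's diagnosis that boolean being on is what stopped suexec from transitioning in the first place.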