On Thursday 02 December 2010 19:07:33 Dominick Grift wrote:
> On 12/02/2010 07:58 PM, Tony Molloy wrote:
>> On Thursday 02 December 2010 18:49:34 Dominick Grift wrote:
>>> On 12/02/2010 07:27 PM, Tony Molloy wrote:
>>>> On Thursday 02 December 2010 18:10:22 Dominick Grift wrote:
>>>>> On 12/02/2010 06:47 PM, Daniel J Walsh wrote:
>>>>>> On 12/02/2010 12:44 PM, Tony Molloy wrote:
>>>>>>> On Thursday 02 December 2010 17:37:54 m.roth(a)5-cent.us wrote:
>>>>>>>> Tony Molloy wrote:
>>>>>>>>> On Thursday 02 December 2010 15:56:59 m.roth(a)5-cent.us wrote:
>>>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm running http on a fully updated Centos 5 system.
>>>>>>>>>>>>
>>>>>>>>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>>>>>>>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>>>>>>>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>>>>>>>>>>
>>>>>>>>>>>> I'm trying to run a cgi script from a user directory.
>>>>>>>>>>
>>>>>>>>>> <MVNCH>
>>>>>>>>>>
>>>>>>>>>>> Do you have httpd_suexec_disable_trans turned on?
>>>>>>>>>>
>>>>>>>>>> Actually, what bothers me is trying to run a .cgi from a user's
>>>>>>>>>> directory. Can't you create a directory
>>>>>>>>
>>>>>>>> ->under the apache <Directory><- that the
>>>>>>>>
>>>>>>>>>> users can put scripts in for testing? (I assume that once they're
>>>>>>>>>> good, they go into the real production location for .cgi.)
>>>>>>>>>
>>>>>>>>> Not so easily done ;-)
>>>>>>>>>
>>>>>>>>> This is a University environment with several hundred
>>>>>>>>> faculty/students wanting to use this server to run/check
>>>>>>>>> assignments. So they have ftp
>>>>>>>>
>>>>>>>> accounts
>>>>>>>>
>>>>>>>>> where they can upload any scripts to their public_html directory
>>>>>>>>> and run
>>>>>>>>
>>>>>>>> them
>>>>>>>>
>>>>>>>>> from there.
>>>>>>>>
>>>>>>>> I figured it was something like that. What I was thinking was
>>>>>>>>
>>>>>>>> /var/www/html/public_cgi/<students' directories>
>>>>>>>>
>>>>>>>> which would put them in a *legitimate* place for apache to be happy
>>>>>>>> with, and which selinux would be happy with.
>>>>>>>>
>>>>>>>> You *might* need to add them to a group named something like
>>>>>>>> pubcgi, and make the above group acceptable to selinux and apache.
>>>>>>>>
>>>>>>>> mark
>>>>>>>
>>>>>>> Interesting idea. I could give it a try next semester.
>>>>>
>>>>> Not sure if suexec would work if you set it up that way
>>>>>
>>>>> I've ~/public_html/cgi-bin
>>>>> ~/(httpd_user_content_t/(httpd_user_script_exec_t) and works just
>>>>> dandy with suexec.
>>>>
>>>> I'm not clear what you are saying here.
>>>>
>>>> My SELinux contexts
>>>> -------------------
>>>>
>>>> cd /var/pub/ftp
>>>>
>>>> user directory
>>>>
>>>> drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t healyp
>>>>
>>>> cd healyp
>>>>
>>>> drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t public_html
>>>>
>>>> ^^^^^^
>>>>
>>>> cd public_html
>>>>
>>>> drwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin
>>>>
>>>> ^^^
>>>>
>>>> cd cgi-bin
>>>>
>>>> -rwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t survey.cgi
>>>>
>>>> ^^^
>>>>
>>>> Are you suggesting that ^^^ should be user instead of sys. Would that
>>>> make a difference.
>>>
>>> Well if that type exists in your distro then it's preferred that you use
>>> it yes. If the httpd_user* types do not exist then you can just use
>>> http_sys* types.
>>>
>>> There are some minor differences. One of which is that http_user* types
>>> are user content, meaning users can manage and relabel it. Where
>>> httpd_sys* types are system content types and users *may* not be able to
>>> do all the things they would like to it.
>>>
>>> I am not sure how that was designed on el5. But in el6 and fedora 14,
>>> you should use httpd_user* types in ~ in my opinion.
>>>
>>> But httpd_sys* types also work for the most part. It's just not optimal.
>>
>> Ok I don't want the users being able to relabel anything. They are mostly
>> students and cause enough problems as it is.
>
> Well I am not saying they can relabel everything, they just relabel to
> and from httpd_user* types. Could be useful. For example a student
> moving a script from his home directory to his public_html/cgi-bin
> directory could cause issues possibly requiring intervention if it's not
> httpd_user* type.
>
> In my view a user should be able to restore context of all contents in
> his home dir.

A user yes, a student no ;-)

No, most of these students are computer music or digital media students who
are basically Windows or Mac users who have minimal Linux experience.

> Therefore I would not use httpd_sys* types or public_content* types in
> users' home directories.
>
> I would probably just
>
> adduser joe
> mkdir ~/public_html; chcon -R -t httpd_user_content_rw_t ~/public_html
> mkdir ~/public_html/cgi-bin; chcon -R -t httpd_user_script_exec_t ~/public_html/cgi-bin

They are not "home" directories. They are actually ftp home directories in
/var/ftp/pub. Students develop their scripts on their local machine and upload
them to the server using ftp.

Thanks,

Tony

> Heck you wouldn't even have to set it up yourself, since your students
> have access to both types they could just do it themselves.
>
>> Tony
>>
>>>> Thanks,
>>>>
>>>> Tony
>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Tony
>>>>>>
>>>>>> It should not be necessary. public_html labeled correctly will work.
>>>>>> The problem you are seeing is that this boolean was set causing
>>>>>> suexec to not work.
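An added example, not part of the thread and not from any of its participants: a small audit script for the labelling Dominick recommends, httpd_user_content_t on a user's public_html tree and httpd_user_script_exec_t on public_html/cgi-bin. It parses `ls -lZ`-shaped lines (the same shape Tony pasted), flags every path whose type does not match, and prints the chcon that would correct it without running anything. The sample listing, the path /var/ftp/pub/healyp and the expected-type pair are constructed or assumed for the example; the httpd_sys_* pair can be checked by passing it instead.

```shell
#!/bin/sh
# Added example (not the thread's own commands): audit SELinux types under a
# user's public_html tree against an expected pair of types and emit the
# chcon needed to fix each mismatch. Nothing here changes labels.
#
# Input lines have the shape of `ls -lZ` output as shown in the thread:
#   <perms> <owner> <group> <seuser:role:type[:level]> <path>
# Output: one line per mismatch, "<path> <actual_type> -> <expected_type>".

audit_labels() {
    content_t="$1"   # expected type for ordinary files under public_html
    script_t="$2"    # expected type for anything under public_html/cgi-bin
    awk -v content_t="$content_t" -v script_t="$script_t" '
    NF < 5 { next }                       # skip blank or truncated lines
    {
        path = $5
        split($4, ctx, ":")               # seuser:role:type[:level]
        actual = ctx[3]
        if (path ~ /public_html\/cgi-bin(\/|$)/) want = script_t
        else if (path ~ /public_html(\/|$)/) want = content_t
        else next                         # outside the web tree: not audited
        if (actual != want)
            printf "%s %s -> %s\n", path, actual, want
    }'
}

# Turn each mismatch line into the chcon that would fix it (printed, not run).
suggest_fix() {
    while read -r path actual arrow want; do
        printf 'chcon -t %s %s\n' "$want" "$path"
    done
}

# Constructed sample listing, modelled on the contexts Tony posted: the
# public_html directory and cgi-bin still carry public_content_rw_t and
# httpd_sys_script_exec_t, the files inside them already carry the user types.
SAMPLE='drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t /var/ftp/pub/healyp
drwxr-xr-x healyp ftpgrp root:object_r:public_content_rw_t /var/ftp/pub/healyp/public_html
-rw-r--r-- healyp ftpgrp root:object_r:httpd_user_content_t /var/ftp/pub/healyp/public_html/index.html
drwxr-xr-x healyp ftpgrp root:object_r:httpd_sys_script_exec_t /var/ftp/pub/healyp/public_html/cgi-bin
-rwxr-xr-x healyp ftpgrp root:object_r:httpd_user_script_exec_t /var/ftp/pub/healyp/public_html/cgi-bin/survey.cgi'

# Run the audit over the sample with the httpd_user_* pair from the thread.
run_sample() {
    printf '%s\n' "$SAMPLE" | audit_labels httpd_user_content_t httpd_user_script_exec_t
}

run_sample
run_sample | suggest_fix
```

On a real host the input would be `ls -lZR /var/ftp/pub/<user>/public_html` with full paths, or `find ... -exec ls -ldZ {} +`. Two caveats a practitioner would want: chcon labels are lost on a relabel, so the durable form is a `semanage fcontext` rule for the tree followed by `restorecon`; and, as Daniel Walsh's reply in the thread points out, correct labels alone do not help if the httpd_suexec_disable_trans boolean is set, which this script does not check.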