CGI Script permissions
Paul Howarth
paul at city-fan.org
Fri May 26 06:50:49 UTC 2006
On Fri, 2006-05-26 at 08:03 +0200, Jochen Wiedmann wrote:
> Hi,
>
> I have a CGI script which ought to have some special permissions. In
> particular, it ought to invoke a certain command as a certain user. To
> achieve that, I have created an entry in the sudoers file, which allows
> the httpd user to invoke the command without a password. Now my CGI
> script does a
>
> sudo -u mp /u2/mp/mpbin/mpfak 001
>
> where mp is the special user, mpfak is the necessary command and the
> remaining part is the mp program's argument.
>
> However, when the program is invoked, then I see the following message
> in syslog:
>
> May 26 07:49:21 fibudbserver kernel: audit(1148622561.696:14): avc:
> denied { setrlimit } for pid=31749 comm="sudo"
> scontext=root:system_r:httpd_sys_script_t
> tcontext=root:system_r:httpd_sys_script_t tclass=process
> May 26 07:49:21 fibudbserver kernel: audit(1148622561.699:15): avc:
> denied { setgid } for pid=31749 comm="sudo" capability=6
> scontext=root:system_r:httpd_sys_script_t
> tcontext=root:system_r:httpd_sys_script_t tclass=capability
> May 26 07:49:21 fibudbserver kernel: audit(1148622561.699:16): avc:
> denied { setuid } for pid=31749 comm="sudo" capability=7
> scontext=root:system_r:httpd_sys_script_t
> tcontext=root:system_r:httpd_sys_script_t tclass=capability
> May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:17): avc:
> denied { search } for pid=31749 comm="sudo" name="/" dev=sda5 ino=2
> scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:file_t tclass=dir
> May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:18): avc:
> denied { setgid } for pid=31749 comm="sudo" capability=6
> scontext=root:system_r:httpd_sys_script_t
> tcontext=root:system_r:httpd_sys_script_t tclass=capability
> May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:19): avc:
> denied { setuid } for pid=31749 comm="sudo" capability=7
> scontext=root:system_r:httpd_sys_script_t
> tcontext=root:system_r:httpd_sys_script_t tclass=capability
>
> I must admit that I do not even understand whether I ought to change my
> script's permissions or the "sudo" program's. I do hesitate to do either.
>
> Can anyone please advise me how to continue? For example, I might as
> well invoke sudo from a wrapper script and change that script's
> permissions. Question is: How would I do that?

The simplest fix might be to change the file context of this particular
CGI script to httpd_unconfined_script_exec_t instead of
httpd_sys_script_t. That would effectively turn off SELinux protection
for that particular script.

The alternative approach of using audit2allow to create a local policy
to allow these capabilities would turn on these capabilities for *all*
of your CGI scripts, which IMHO would be worse than turning off
protection for just that one script (particularly if that script was
well-audited for security issues).

Ideally it would be easy to create a subclass of CGI scripts and assign
special capabilities to those (I have a similar issue with FastCGI
scripts that need slightly more capabilities than regular CGI scripts),
but that's beyond me at this moment.

Paul.
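As an added illustration of Paul's scope argument (this is not code from either poster), the helper below parses the AVC records quoted above, collapses them into the allow rules a local module would need, and flags why the shared subject type matters. The remark about file_t is an added observation about the quoted log, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample: three of the AVC records quoted above, in syslog-wrapped, quoted form.
SAMPLE = """\
> May 26 07:49:21 fibudbserver kernel: audit(1148622561.696:14): avc:
> denied { setrlimit } for pid=31749 comm="sudo"
> scontext=root:system_r:httpd_sys_script_t
> tcontext=root:system_r:httpd_sys_script_t tclass=process
> May 26 07:49:21 fibudbserver kernel: audit(1148622561.699:15): avc:
> denied { setgid } for pid=31749 comm="sudo" capability=6
> scontext=root:system_r:httpd_sys_script_t
> tcontext=root:system_r:httpd_sys_script_t tclass=capability
> May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:17): avc:
> denied { search } for pid=31749 comm="sudo" name="/" dev=sda5 ino=2
> scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:file_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}.*?"
                    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)", re.S)

def parse_avc(text):
    """Return (source_type, target_type, tclass, perm) per denied permission."""
    text = re.sub(r"^>\s?", "", text, flags=re.M)   # drop mail quoting; \s+ then spans wraps
    out = []
    for perms, sctx, tctx, tclass in AVC_RE.findall(text):
        stype, ttype = sctx.split(":")[2], tctx.split(":")[2]  # context is user:role:type
        out.extend((stype, ttype, tclass, p) for p in perms.split())
    return out

def allow_rules(denials):
    """Collapse denials into TE allow rules (the shape audit2allow emits); same type -> self."""
    groups = defaultdict(set)
    for stype, ttype, tclass, perm in denials:
        groups[(stype, ttype, tclass)].add(perm)
    return [f"allow {s} {'self' if t == s else t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(groups.items())]

def review_notes(denials):
    """What to weigh before loading those rules: the subject type is every CGI script."""
    notes = set()
    for stype, ttype, tclass, perm in denials:
        if tclass == "capability" and perm in ("setuid", "setgid"):
            notes.add(f"{perm} would be granted to all of {stype}, not one script")
        if ttype == "file_t":  # file_t is the type of an object that carries no label
            notes.add("file_t target: object is unlabeled, relabel it instead of allowing")
    return sorted(notes)
```

Running `allow_rules(parse_avc(SAMPLE))` yields rules whose source is httpd_sys_script_t, the domain shared by all CGI scripts, which is exactly the over-broad grant Paul warns about.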