CGI Script permissions

Paul Howarth paul at city-fan.org
Fri May 26 06:50:49 UTC 2006


On Fri, 2006-05-26 at 08:03 +0200, Jochen Wiedmann wrote:
> Hi,
> 
> I have a CGI script which ought to have some special permissions. In
> particular, it ought to invoke a certain command as a certain user. To
> achieve that, I have created an entry in the sudoers file, which allows
> the httpd user to invoke the command without a password. Now my CGI
> script does a
> 
>     sudo -u mp /u2/mp/mpbin/mpfak 001
> 
> where mp is the special user, mpfak is the necessary command and the
> remaining part is the mp program's argument.
> 
> However, when the program is invoked, then I see the following message
> in syslog:
> 
>   May 26 07:49:21 fibudbserver kernel: audit(1148622561.696:14): avc: denied  { setrlimit } for  pid=31749 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process
>   May 26 07:49:21 fibudbserver kernel: audit(1148622561.699:15): avc: denied  { setgid } for  pid=31749 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
>   May 26 07:49:21 fibudbserver kernel: audit(1148622561.699:16): avc: denied  { setuid } for  pid=31749 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
>   May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:17): avc: denied  { search } for  pid=31749 comm="sudo" name="/" dev=sda5 ino=2 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:file_t tclass=dir
>   May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:18): avc: denied  { setgid } for  pid=31749 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
>   May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:19): avc: denied  { setuid } for  pid=31749 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
> 
> I must admit that I do not even understand whether I ought to change my
> script's permissions or the "sudo" program's. I do hesitate to do either.
> 
> Can anyone please advise me how to continue? For example, I might as
> well invoke sudo from a wrapper script and change that script's
> permissions. Question is: How would I do that?

The simplest fix might be to change the file context of this particular
CGI script to httpd_unconfined_script_exec_t instead of
httpd_sys_script_t. That would effectively turn off SELinux protection
for that particular script.

The alternative approach of using audit2allow to create a local policy
to allow these capabilities would turn on these capabilities for *all*
of your CGI scripts, which IMHO would be worse than turning off
protection for just that one script (particularly if that script was
well-audited for security issues).

Ideally it would be easy to create a subclass of CGI scripts and assign
special capabilities to those (I have a similar issue with FastCGI
scripts that need slightly more capabilities than regular CGI scripts),
but that's beyond me at this moment.

Paul.
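To make Paul's comparison concrete, the following is an added example (not code from either poster or from the SELinux project): a small audit2allow-style translator that turns the AVC denials quoted in the thread into the minimal allow rules a local policy module would need. Every rule it produces has `httpd_sys_script_t` as its source type, which is exactly why the audit2allow route widens permissions for every CGI script running in that domain rather than for one script. It also flags denials whose target is `file_t`: that type means the object carries no label, and in the posted log it is the root directory of the filesystem on dev=sda5, which is normally a sign that filesystem was never labeled and needs a relabel rather than an allow rule. The sample log text below is the thread's own denials, re-joined onto one line each; the helper names are my own.

```python
import re
from collections import defaultdict

# Sample input: the six AVC denials quoted in the thread above, re-joined onto
# one line each (the list archive had wrapped them).
SAMPLE_AVC = """\
May 26 07:49:21 fibudbserver kernel: audit(1148622561.696:14): avc: denied { setrlimit } for pid=31749 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process
May 26 07:49:21 fibudbserver kernel: audit(1148622561.699:15): avc: denied { setgid } for pid=31749 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
May 26 07:49:21 fibudbserver kernel: audit(1148622561.699:16): avc: denied { setuid } for pid=31749 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:17): avc: denied { search } for pid=31749 comm="sudo" name="/" dev=sda5 ino=2 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:file_t tclass=dir
May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:18): avc: denied { setgid } for pid=31749 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:19): avc: denied { setuid } for pid=31749 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
"""

# Matches the parts of an AVC record that a policy rule is built from:
# the denied permission set, the source and target contexts, and the class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
NAME_RE = re.compile(r'\bname="([^"]*)"')


def type_of(context):
    """Extract the type field from a user:role:type[:level] security context."""
    return context.split(':')[2]


def avc_to_allow_rules(log_text):
    """Return the minimal set of allow rules covering every denial in log_text.

    Denials with identical (source, target, class) are merged, so repeated
    setgid/setuid denials collapse into one rule. A target equal to the source
    domain is written as 'self', as policy files do.
    """
    needed = defaultdict(set)  # (source_type, target_type, tclass) -> perms
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = type_of(m['scontext'])
        tgt = type_of(m['tcontext'])
        if tgt == src:
            tgt = 'self'
        needed[(src, tgt, m['tclass'])].update(m['perms'].split())

    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules


def unlabeled_targets(log_text):
    """Names of objects denied because they carry the unlabeled type file_t.

    These point at a labeling problem (typically a filesystem that was never
    labeled) rather than a missing policy rule.
    """
    names = set()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or type_of(m['tcontext']) != 'file_t':
            continue
        n = NAME_RE.search(line)
        names.add(n.group(1) if n else '<unknown>')
    return sorted(names)


if __name__ == '__main__':
    for rule in avc_to_allow_rules(SAMPLE_AVC):
        print(rule)
    for name in unlabeled_targets(SAMPLE_AVC):
        print(f'# {name!r} is file_t: relabel it instead of allowing access')
```

Run against the posted log, this yields three rules, all granting extra rights to the shared `httpd_sys_script_t` domain; Paul's first suggestion, by contrast, only relabels the one script's executable (with `chcon -t httpd_unconfined_script_exec_t` on the file, made persistent through a file context rule) and leaves the policy for every other CGI script untouched.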
