Apache Shell Attack Domain Transition
Daniel J Walsh
dwalsh at redhat.com
Mon Jul 8 16:18:33 UTC 2013
On 07/03/2013 12:21 PM, Robert Gabriel wrote:
> Greetz,
>
> So we asked a question on another list about how to avoid storing
> credentials to a DB in files for said Apache server.
>
> A great solution was then found in the PHP Cookbook, suggesting the use of
> an "Include" file readable only by root with the credentials; Apache then
> reads it on start and stores the credentials as variables.
>
> I would like to know if SELinux can block this attack?
SELinux will only allow httpd_t to read files with the correct label, so if
the credentials had a label that httpd_t was not allowed to read, SELinux would
block it.
>
> For example, an attacker gets a reverse shell as the apache:apache user
> and they try to connect to the DB.
>
> What domain would they be in at the time of the shell (httpd_t)?
>
PHP scripts would ordinarily run as httpd_t.
> Would the DB be confined to some other domain?
>
If DB is a running process like mysql or postgresql then yes. If the DB is
started via init and SELinux does not know about it, it will run as initrc_t.
> Could they try and connect to DB after having read credentials from
> unsecured config file?
>
They could try, but if httpd_t is not allowed to communicate with the process
that is running the DB then SELinux would block it.
> Is there a domain transition?
>
Doubt it.
> Thank you.
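The two checks the reply boils down to (can httpd_t read the file carrying the credentials, and may httpd_t talk to the database at all) can be audited directly against the loaded policy. The script below is an added example, not something posted in this thread; it assumes the setools `sesearch` utility, `getsebool`, and GNU `stat`, falls back to reporting "unknown" when those are absent, and the credentials path it is given is a constructed placeholder.

```shell
#!/bin/bash
# Added example (not from the mailing-list thread): audit whether the
# httpd_t domain may read a credentials include file and whether the
# boolean gating httpd's database connections is on.
# Assumptions: setools `sesearch`, `getsebool`, GNU `stat` (%C prints the
# SELinux context). Every tool is optional; missing tools yield "unknown".

# Return the type field (third colon-separated field) of an SELinux
# context such as system_u:object_r:httpd_config_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Query the loaded policy for an allow rule granting httpd_t file:read on
# the given type. Prints "allowed", "denied", or "unknown" when sesearch
# is not installed or no policy can be queried.
httpd_can_read_type() {
    local type="$1"
    command -v sesearch >/dev/null 2>&1 || { echo unknown; return 0; }
    if sesearch -A -s httpd_t -t "$type" -c file -p read 2>/dev/null | grep -q '^allow'; then
        echo allowed
    else
        echo denied
    fi
}

# Report the state ("on"/"off") of httpd_can_network_connect_db, the
# boolean that lets httpd_t open connections to database ports.
db_connect_boolean() {
    command -v getsebool >/dev/null 2>&1 || { echo unknown; return 0; }
    getsebool httpd_can_network_connect_db 2>/dev/null | awk '{print $NF}'
}

# Audit one file: show its context, whether httpd_t may read it, and the
# DB-connection boolean. Prints findings; exit status 0 in all cases.
audit_credentials_file() {
    local path="$1" ctx type verdict
    ctx=$(stat -c %C "$path" 2>/dev/null) || ctx=""
    if [ -z "$ctx" ] || [ "$ctx" = "?" ]; then
        echo "$path: no SELinux context available (not labelled or stat lacks %C)"
        return 0
    fi
    type=$(context_type "$ctx")
    verdict=$(httpd_can_read_type "$type")
    echo "$path: context=$ctx type=$type httpd_t-read=$verdict"
    if [ "$verdict" = allowed ]; then
        echo "  note: httpd_t can read this file; relabel it to a type for which"
        echo "  this check reports 'denied' if httpd is not meant to read it"
    fi
    echo "httpd_can_network_connect_db=$(db_connect_boolean)"
}

# Usage: ./audit.sh /etc/httpd/conf.d/db-credentials.inc   (placeholder path)
if [ $# -gt 0 ]; then
    audit_credentials_file "$1"
fi
```

Both halves matter: a file typed httpd_config_t is readable by httpd_t, so the "root-only, 0600" part of the PHP Cookbook recipe only helps against the DAC side; the label decides what a compromised httpd_t process can read, and httpd_can_network_connect_db decides whether it can reach the database at all.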