Curious symlink problem with Apache -- FC12
Robert Moskowitz
rgm at htt-consult.com
Wed Nov 3 15:27:39 UTC 2010
There is a lot here to go through, but just a quick note below.
On 11/03/2010 09:31 AM, Tim wrote:
> On Wed, 2010-11-03 at 01:59 -0400, Robert Moskowitz wrote:
>
>> # cat /etc/sysconfig/selinux
>>
>> # This file controls the state of SELinux on the system.
>> # SELINUX= can take one of these three values:
>> # enforcing - SELinux security policy is enforced.
>> # permissive - SELinux prints warnings instead of enforcing.
>> # disabled - No SELinux policy is loaded.
>> SELINUX=disabled
>>
> This (immediately above line) says that your SELinux is disabled, so
> SELinux shouldn't be the cause of your problems. That being said, it's
> usually a good idea to use SELinux when you have a publicly exposed
> webserver. Even one that's not advertised, as hackers find them by
> scanning ranges of IP addresses.
>
This is NOT a publicly facing server. It is behind my firewall (a
Juniper SSG5) on a subnet that has very limited outside access. Other
subnets here have limited access to this subnet. This server is running
the Amahi.org setup and serves as a PDC to clients on its subnet, and
some Amahi apps for all local subnets. I am adding the repo services for
the local devices (on its subnet) and so I can rebuild my main repo
server. So though I am a bit concerned about SELinux being disabled, I
am not too worried.
> To serve out anything via HTTP, the directory permissions from root
> right through to the directory in question, including all the ones in
> between, should be rwx r-x r-x (owner read, write, and execute; group
> permissions usually don't matter; other users can read and execute).
>
> The file permissions need to be almost the same, the file in question
> should be rwx r-x r-x (owner read, write and execute; group permissions
> usually don't matter; other users can read the files). Apache treats
> the executable bit on files specially - it allows them to be parsed for
> server-side-includes.
>
> The "other" users, also known as "world," permissions are used for
> serving out to the world.
>
> (I spaced apart owner, group, and world permissions in the above
> examples, for ease of reading.)
>
> Servable files should not be owned by root or the apache user, they
> should be owned by the author. The same goes for directories *inside*
> the webserver's root path. This allows changes, and disallows tampering
> by remote users over the web.
>
> e.g.
>
> drwxr-xr-x root root /var/www/html/
> drwxr-xr-x tim tim /var/www/html/mywebsite/
> drw-r--r-- tim tim /var/www/html/mywebsite/homepage.html
> drw-r--r-- tim tim /var/www/html/mywebsite/picture.png
>
> If you are asking the server to follow symlinks, then you need to set
> the Apache configuration option to allow that. I can't remember what
> the default was.
>
> If you installed the manual, see:
> http://localhost/manual/mod/core.html#options
>
> Also, if you serve files from outside the usual filepaths, you might
> want to check the <Directory> options in the Apache configuration.
>
> If you installed the manual, see:
> http://localhost/manual/mod/core.html#directory
>
> If you have SELinux enabled, then you need to set proper contexts for
> the files and directories. This will be done automatically, when you
> create them in the standard file paths.
>
> i.e. inside "/var/www/html" and inside "~/public_html/"
>
> But not if you move files into those paths, or serve files in other
> locations. Then, you'll need to manually set the contexts, and reset
> them if you ever scan the whole drive resetting contexts to defaults
> (unless you make up custom rules to match your custom locations).
>
> See http://fedoraproject.org/wiki/SELinux/apache for example contexts.
>
> But I have this for webserving directories, and the files inside them:
>
> system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/
> unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/
>
> system_u:object_r:httpd_user_content_t:s0 ~/public_html/
>
>
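As an added example (not code from either poster), here is a small POSIX shell diagnostic that applies the three checks the quoted advice describes before Apache can serve a path: every directory from / down must be traversable by "other" (o+x), the file itself must be world-readable (o+r), and, if the path is a symlink, Apache's `Options SymLinksIfOwnerMatch` only follows it when the link and its target have the same owner. It assumes GNU `stat -c` as shipped in Fedora's coreutils; the path names in the usage line are hypothetical.

```shell
#!/bin/sh
# httpd-path-check.sh: diagnose why httpd may refuse to serve a path.
# Added example for this thread, not from the original posters.
# Assumes GNU stat (-c / -L) as on Fedora; give it absolute or relative paths.

# Walk every directory from / down to $1 and print any that lacks the
# "other" execute bit (the traversal permission httpd needs).
# Returns 0 when all directories are traversable, 1 otherwise.
check_traverse() {
    case $1 in /*) target=$1 ;; *) target=$PWD/$1 ;; esac
    rest=${target#/}      # components not yet visited
    dir=/                 # directory currently being examined
    bad=0
    while :; do
        if [ -d "$dir" ]; then
            mode=$(stat -c '%a' "$dir")             # e.g. 755 or 1777
            if [ $(( (mode % 10) & 1 )) -eq 0 ]; then
                printf 'no world-execute on directory %s (mode %s)\n' "$dir" "$mode"
                bad=1
            fi
        fi
        # take the next non-empty path component (skips "//" and a trailing "/")
        comp=
        while [ -z "$comp" ] && [ -n "$rest" ]; do
            case $rest in
                */*) comp=${rest%%/*}; rest=${rest#*/} ;;
                *)   comp=$rest;       rest= ;;
            esac
        done
        [ -n "$comp" ] || break
        if [ "$dir" = / ]; then dir=/$comp; else dir=$dir/$comp; fi
    done
    return $bad
}

# Return 1 (with a message) if "other" lacks read permission on $1.
# stat -L follows a symlink so the real file's mode is checked.
check_world_read() {
    mode=$(stat -L -c '%a' "$1")
    if [ $(( (mode % 10) & 4 )) -eq 0 ]; then
        printf 'no world-read on %s (mode %s)\n' "$1" "$mode"
        return 1
    fi
    return 0
}

# Mirror Apache's SymLinksIfOwnerMatch test: 0 when $1 is a symlink whose
# owner uid equals its target's uid, 1 when they differ (or the link
# dangles), 2 when $1 is not a symlink. stat without -L reports the link.
symlink_owner_match() {
    if [ ! -L "$1" ]; then
        printf '%s is not a symlink\n' "$1"
        return 2
    fi
    link_uid=$(stat -c '%u' "$1")
    target_uid=$(stat -L -c '%u' "$1" 2>/dev/null) || {
        printf 'dangling symlink %s\n' "$1"
        return 1
    }
    if [ "$link_uid" != "$target_uid" ]; then
        printf 'symlink %s (uid %s) -> target (uid %s): SymLinksIfOwnerMatch would refuse it\n' \
            "$1" "$link_uid" "$target_uid"
        return 1
    fi
    return 0
}

# Usage: sh httpd-path-check.sh /var/www/html/repo/fedora/12/x86_64 (hypothetical path)
for p in "$@"; do
    check_traverse "$p"
    if [ -L "$p" ]; then symlink_owner_match "$p"; fi
    if [ -e "$p" ]; then check_world_read "$p"; fi
done
```

A clean run prints nothing. If the symlink check fails but the path is otherwise fine, the fix is either to make the link and target the same owner or to use `Options FollowSymLinks` (which follows any link, no ownership test) in the relevant `<Directory>` block. The script says nothing about SELinux, which is disabled on the box in question; on an enforcing system a repo tree kept outside /var/www would additionally need the httpd content label, e.g. `semanage fcontext -a -t httpd_sys_content_t "/srv/repo(/.*)?"` followed by `restorecon -Rv /srv/repo` (/srv/repo being a hypothetical location).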