There is a lot here to go through, but just a quick note below.

On 11/03/2010 09:31 AM, Tim wrote:
> On Wed, 2010-11-03 at 01:59 -0400, Robert Moskowitz wrote:
>
>> # cat /etc/sysconfig/selinux
>>
>> # This file controls the state of SELinux on the system.
>> # SELINUX= can take one of these three values:
>> #     enforcing - SELinux security policy is enforced.
>> #     permissive - SELinux prints warnings instead of enforcing.
>> #     disabled - No SELinux policy is loaded.
>> SELINUX=disabled
>>
> This (immediately above line) says that your SELinux is disabled, so
> SELinux shouldn't be the cause of your problems. That being said, it's
> usually a good idea to use SELinux when you have a publicly exposed
> webserver. Even one that's not advertised, as hackers find them by
> scanning ranges of IP addresses.
>

This is NOT a publicly facing server. It is behind my firewall (a Juniper SSG5) on a subnet that has very limited outside access. Other subnets here have limited access to this subnet. This server is running the Amahi.org setup and serves as a PDC to clients on its subnet, and some Amahi apps for all local subnets. I am adding the repo services for the local devices (on its subnet) and so I can rebuild my main repo server. So though I am a bit concerned about SELinux being disabled, I am not too worried.

> To serve out anything via HTTP, the directory permissions from root
> right through to the directory in question, including all the ones in
> between, should be rwx r-x r-x (owner read, write, and execute; group
> permissions usually don't matter; other users can read and execute).
>
> The file permissions need to be almost the same, the file in question
> should be rwx r-x r-x (owner read, write and execute; group permissions
> usually don't matter; other users can read the files). Apache treats
> the executable bit on files specially - it allows them to be parsed for
> server-side-includes.
>
> The "other" users, also known as "world," permissions are used for
> serving out to the world.
>
> (I spaced apart owner, group, and world permissions in the above
> examples, for ease of reading.)
>
> Servable files should not be owned by root or the apache user, they
> should be owned by the author. The same goes for directories *inside*
> the webserver's root path. This allows changes, and disallows tampering
> by remote users over the web.
>
> e.g.
>
> drwxr-xr-x root root /var/www/html/
> drwxr-xr-x tim  tim  /var/www/html/mywebsite/
> drw-r--r-- tim  tim  /var/www/html/mywebsite/homepage.html
> drw-r--r-- tim  tim  /var/www/html/mywebsite/picture.png
>
> If you are asking the server to follow symlinks, then you need to set
> the Apache configuration option to allow that. I can't remember what
> the default was.
>
> If you installed the manual, see:
> http://localhost/manual/mod/core.html#options
>
> Also, if you serve files from outside the usual filepaths, you might
> want to check the <Directory> options in the Apache configuration.
>
> If you installed the manual, see:
> http://localhost/manual/mod/core.html#directory
>
> If you have SELinux enabled, then you need to set proper contexts for
> the files and directories. This will be done automatically, when you
> create them in the standard file paths.
>
> i.e. inside "/var/www/html" and inside "~/public_html/"
>
> But not if you move files into those paths, or serve files in other
> locations. Then, you'll need to manually set the contexts, and reset
> them if you ever scan the whole drive resetting contexts to defaults
> (unless you make up custom rules to match your custom locations).
>
> See http://fedoraproject.org/wiki/SELinux/apache for example contexts.
>
> But I have this for webserving directories, and the files inside them:
>
> system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/
> unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/
>
> system_u:object_r:httpd_user_content_t:s0 ~/public_html/
>

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
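As an added example that is not part of the thread (neither Tim's nor Robert's text), here is a small POSIX sh checker for the permission chain Tim describes: it walks from the top of the tree down to a given file and reports any directory that is not world-traversable (r and x for "other") or a file that is not world-readable, which is the view httpd gets of the file system. The function names and the optional TOP argument (which stops the walk at a chosen directory instead of /) are my own assumptions; the sample tree in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check the "other" permission chain
# Apache needs to reach a file. Usage: check_web_path FILE [TOP]
# TOP is a hypothetical knob that defaults to / and is the highest
# directory examined; pass a subtree root to test a staged tree.

# Print the "other" rwx triple of a path's mode string, e.g. "r-x".
# Parses `ls -ld` rather than stat(1) so it works on GNU and BSD alike.
other_bits() {
    set -- $(ls -ld "$1" 2>/dev/null)
    printf '%s\n' "$1" | cut -c8-10
}

check_web_path() {
    target=$1
    top=${2:-/}
    rc=0
    [ -n "$target" ] || { echo 'usage: check_web_path FILE [TOP]' >&2; return 2; }
    # Make the path absolute so the walk is anchored at /.
    case $target in
        /*) ;;
        *) target="$(pwd)/$target" ;;
    esac
    dir=$(dirname "$target")
    # Every ancestor directory needs r and x for "other"; x shows as t when
    # the sticky bit is set (as on /tmp), which still grants traversal.
    while :; do
        bits=$(other_bits "$dir")
        case $bits in
            r?[xt]) ;;
            *) printf 'directory %s: other=%s (needs r-x)\n' "$dir" "$bits"
               rc=1 ;;
        esac
        [ "$dir" = "$top" ] && break
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    # The file itself only needs r for "other".
    bits=$(other_bits "$target")
    case $bits in
        r??) ;;
        *) printf 'file %s: other=%s (needs r--)\n' "$target" "$bits"
           rc=1 ;;
    esac
    return $rc
}

# Run as a script: check_web_path.sh FILE [TOP]
if [ $# -gt 0 ]; then
    check_web_path "$@"
fi
```

Run it against a document such as /var/www/html/mywebsite/homepage.html and it prints each link in the chain that would stop httpd, exiting 0 only when the whole chain is open. It checks mode bits only; on a host with SELinux enforcing, a file moved into the tree can still be blocked by its label, so pair it with `ls -Z` and `restorecon -v` on the path, as Tim's message notes.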