Re: Curious symlink problem with Apache -- FC12


There is a lot here to go through, but just a quick note below.

On 11/03/2010 09:31 AM, Tim wrote:
> On Wed, 2010-11-03 at 01:59 -0400, Robert Moskowitz wrote:
>> # cat /etc/sysconfig/selinux
>>
>> # This file controls the state of SELinux on the system.
>> # SELINUX= can take one of these three values:
>> # enforcing - SELinux security policy is enforced.
>> # permissive - SELinux prints warnings instead of enforcing.
>> # disabled - No SELinux policy is loaded.
>> SELINUX=disabled
> This (immediately above line) says that your SELinux is disabled, so
> SELinux shouldn't be the cause of your problems.  That being said, it's
> usually a good idea to use SELinux when you have a publicly exposed
> webserver.  Even one that's not advertised, as hackers find them by
> scanning ranges of IP addresses.

This is NOT a publicly facing server. It is behind my firewall (a 
Juniper SSG5) on a subnet that has very limited outside access. Other 
subnets here have limited access to this subnet. This server is running 
the Amahi.org setup and serves as a PDC to clients on its subnet, and 
some Amahi apps for all local subnets. I am adding the repo services for 
the local devices (on its subnet) and so I can rebuild my main repo 
server. So though I am a bit concerned about SELinux being disabled, I 
am not too worried.

> To serve out anything via HTTP, the directory permissions from root
> right through to the directory in question, including all the ones in
> between, should be rwx r-x r-x  (owner read, write, and execute; group
> permissions usually don't matter; other users can read and execute).
>
> The file permissions need to be almost the same, the file in question
> should be rwx r-x r-x (owner read, write and execute; group permissions
> usually don't matter; other users can read the files).  Apache treats
> the executable bit on files specially - it allows them to be parsed for
> server-side-includes.
>
> The "other" users, also known as "world," permissions are used for
> serving out to the world.
>
> (I spaced apart owner, group, and world permissions in the above
> examples, for ease of reading.)
>
> Servable files should not be owned by root or the apache user, they
> should be owned by the author.  The same goes for directories *inside*
> the webserver's root path.  This allows changes, and disallows tampering
> by remote users over the web.
>
> e.g.
>
> drwxr-xr-x   root  root    /var/www/html/
> drwxr-xr-x   tim   tim     /var/www/html/mywebsite/
> -rw-r--r--   tim   tim     /var/www/html/mywebsite/homepage.html
> -rw-r--r--   tim   tim     /var/www/html/mywebsite/picture.png
>
> If you are asking the server to follow symlinks, then you need to set
> the Apache configuration option to allow that.  I can't remember what
> the default was.
>
> If you installed the manual, see:
> http://localhost/manual/mod/core.html#options
>
> Also, if you serve files from outside the usual filepaths, you might
> want to check the <Directory> options in the Apache configuration.
>
> If you installed the manual, see:
> http://localhost/manual/mod/core.html#directory
>
> If you have SELinux enabled, then you need to set proper contexts for
> the files and directories.  This will be done automatically, when you
> create them in the standard file paths.
>
>    i.e. inside "/var/www/html" and inside "~/public_html/"
>
> But not if you move files into those paths, or serve files in other
> locations.  Then, you'll need to manually set the contexts, and reset
> them if you ever scan the whole drive resetting contexts to defaults
> (unless you make up custom rules to match your custom locations).
>
> See http://fedoraproject.org/wiki/SELinux/apache for example contexts.
>
> But I have this for webserving directories, and the files inside them:
>
>   system_u:object_r:httpd_sys_script_exec_t:s0   /var/www/cgi-bin/
>   unconfined_u:object_r:httpd_sys_content_t:s0   /var/www/html/
>
>   system_u:object_r:httpd_user_content_t:s0      ~/public_html/
>
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
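The permission walk Tim describes (world r-x on every directory from / down to the content, world r on the file itself, and Options FollowSymLinks for any symlink in the chain) is easy to get wrong on one intermediate directory. The script below is an added diagnostic, not something posted in this thread or shipped with Apache or Amahi: it walks each component of an absolute path, prints the mode and owner of each one, flags symlink components, and reports the first component that would block the unprivileged apache user. It assumes bash and GNU stat, inspects mode bits only (it does not open anything as apache and does not look at SELinux contexts), and the function name and output format are my own.

```shell
#!/bin/bash
# Added example, not from the thread: walk each component of an absolute
# path from / down to the target and report which ones would stop Apache.
# Apache runs as its own unprivileged user, so unless it owns a file it
# depends on the "other" (world) bits: r-x on every directory in the chain,
# r on the file. Any symlink in the chain also needs Options FollowSymLinks.
# Assumes bash and GNU stat; it inspects mode bits only, it does not try to
# open anything as the apache user and it does not check SELinux contexts.

check_web_path() {
    local target=$1 path="" rc=0
    local part mode owner other need ok
    local IFS='/'                         # split the path on "/" only

    case $target in
        /*) ;;
        *)  echo "need an absolute path: $target"; return 2 ;;
    esac

    for part in $target; do
        [ -z "$part" ] && continue        # leading "/" or a doubled "//"
        path="$path/$part"

        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            return 2
        fi
        if [ -L "$path" ]; then
            echo "SYMLINK  $path -> $(readlink "$path")  (needs Options FollowSymLinks)"
        fi

        mode=$(stat -L -c '%A' "$path")   # e.g. drwxr-xr-x (the link target, not the link)
        owner=$(stat -L -c '%U:%G' "$path")
        other=${mode:7:3}                 # the world triplet, e.g. r-x

        if [ -d "$path" ]; then
            need="r-x"
            # r-x or rwx; a sticky directory such as /tmp shows t in the x slot
            case $other in r[-w][xt]) ok=1 ;; *) ok=0 ;; esac
        else
            need="r"
            case $other in r??) ok=1 ;; *) ok=0 ;; esac
        fi

        if [ "$ok" -eq 1 ]; then
            echo "ok       $mode $owner $path"
        else
            echo "BLOCKED  $mode $owner $path  (other needs $need)"
            rc=1
        fi
    done
    return $rc
}

# Usage: bash check_web_path.sh /var/www/html/mywebsite/homepage.html
if [ "$#" -gt 0 ]; then
    check_web_path "$1"
fi
```

Run it against the path Apache is actually asked to serve (the symlink's location, not the target it points at), since Apache resolves the link in place and every directory above the link must be traversable too; the ownership column lets you spot content owned by root or apache that Tim suggests should belong to the author instead.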
