On Fri, 2023-07-21 at 16:05 -0400, Bill Cunningham wrote:
> but I warn you up to this point I always disable selinux. Not just
> because idk what it is exactly, but it always starts running and I
> have never really needed security. I guess that can change.

Well, if you're running servers, especially one like WordPress with so many security flaws, and also plagued with bad advice about setting things up on it on the internet, the usefulness of using SELinux is magnified. But you haven't told us if you're making this world accessible, or you're just trying it out on your LAN.

The two common problems with webservers are that someone finds a way to read other files (not your web pages) on your system through it, or someone finds a way to use your webserver to write things to your file system. SELinux puts barriers in the way of that.

Common bad advice on the internet is about giving file permissions such that the web files are owned by the web server (instead of a different user), and are writable by other users. This includes the data that things like WordPress use to create their output, which should be stored where *only* the WordPress application can access them. You do not want them in the middle of the web server's directory tree, where someone can directly access them, bypassing the handling of WordPress.

WordPress is a handler. A user requests pages with a URL like www.example.com/something/thispage through your webserver, the handler looks at the "/something/thispage" part of the request and creates an output page from data it has stored elsewhere, and it sends this through the webserver.

Traditionally, and sensibly, the files served as web pages are owned by the author, readable and writable by them, the "group" user permissions are unset to not readable/writable/executable and generally not used for anything, and the "other" user permissions (i.e. everyone else) are read-only.
The web server reads those files as the "other" user, since everyone else on the internet is not the owner of the files, and should only have read access. This gets more difficult with authoring programs (WordPress, Joomla, etc.), trying to get them to work in that model. Quite why they don't understand they need to work that way eludes me.

People often end up setting their files as world-writable by virtue of getting ownership and permissions wrong, e.g. they make the files readable and writable and owned by Apache or WordPress. Now the thing that should only be reading the files to serve them can modify them. And unknown users on the internet can modify them with carefully crafted URLs.

-- 
uname -rsvp
Linux 3.10.0-1160.92.1.el7.x86_64 #1 SMP Tue Jun 20 11:48:01 UTC 2023 x86_64

Boilerplate: All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
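The two mistakes the reply describes (files writable by "other", and files owned by the web server account) can be checked for and corrected with a short script. The following is an added example, not code from the reply or from the Fedora list; it assumes the web server runs as the account named in WEB_USER (defaulting to "apache", the name Fedora's httpd package uses), that the document root is passed as the first argument, and that directories get "other" execute permission so the server can traverse them (the reply only spells out the permissions for files).

```shell
#!/bin/sh
# Added example (not part of the mailing-list post): audit a web document
# root for the ownership/permission mistakes described in the reply, and
# apply the traditional layout it recommends:
#   files:       owner read/write, group nothing, other read-only
#   directories: owner full, group nothing, other read + traverse (assumed)
# Assumption: the web server runs as $WEB_USER ("apache" on Fedora).

WEB_USER="${WEB_USER:-apache}"

# audit_webroot DIR
# Lists every file or directory under DIR that is writable by "other"
# (so the web server, and anyone else, can modify it) or that is owned by
# the web server account. Returns 0 when nothing was found, 1 otherwise.
audit_webroot() {
    root="$1"
    bad=0

    # World-writable entries (symlinks are skipped: their mode is always 777).
    n=$(find "$root" ! -type l -perm -002 | wc -l)
    if [ "$n" -gt 0 ]; then
        find "$root" ! -type l -perm -002 -exec echo "world-writable: {}" \;
        bad=1
    fi

    # Entries owned by the server account, checked only if that account exists
    # on this machine (find would otherwise reject the user name).
    if id "$WEB_USER" >/dev/null 2>&1; then
        n=$(find "$root" -user "$WEB_USER" | wc -l)
        if [ "$n" -gt 0 ]; then
            find "$root" -user "$WEB_USER" -exec echo "owned by $WEB_USER: {}" \;
            bad=1
        fi
    fi

    return $bad
}

# fix_webroot DIR
# Resets modes under DIR to the traditional layout. Ownership is left alone:
# changing the owner back to the author's account needs root and is a
# deliberate decision about which account that should be.
fix_webroot() {
    root="$1"
    # Directories: owner rwx, group none, other may list and traverse.
    find "$root" -type d -exec chmod u=rwx,g=,o=rx {} +
    # Files: owner rw, group none, other read-only.
    find "$root" -type f -exec chmod u=rw,g=,o=r {} +
}

# Usage: ./webroot-perms.sh /var/www/html   (audit only; call fix_webroot to repair)
if [ "$#" -gt 0 ]; then
    audit_webroot "$1"
fi
```

Run the audit first and read the output; the fix step only touches modes, so a tree that is owned by the server account will still be reported afterwards until the owner is changed to a separate author account.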