On 7/21/2023 11:10 PM, Tim via users wrote:
On Fri, 2023-07-21 at 16:05 -0400, Bill Cunningham wrote:
but I warn you up to this point I always disable selinux. Not just
because idk what it is exactly, but it always starts running and I
have never really needed security. I guess that can change.
Well, if you're running servers, especially one like WordPress with so
many security flaws, and also plagued with bad advice about setting
things up on it on the internet, the usefulness of using SELinux is
magnified.
But you haven't told us if you're making this world accessible, or
you're just trying it out on your LAN.
Basically trying it out. I am not anytime soon going to use it on the
internet.
The two common problem with webservers are that someone finds a way to
read other files (not your web pages) on your system through it, or
someone finds a way to use your webserver to write things to your file
system. SELinux puts barriers in the way of that.
Common bad advice on the internet is about giving file permissions that
the web files are owned by the web server (instead of a different
user), and are writable by other users.
This includes the data that things like WordPress use to create their
output. Which should be stored where *only* the WordPress application
can access them. You do not want them in the middle of the web
server's directory tree, where someone can directly access them
bypassing the handling of WordPress.
WordPress is a handler. A user requests pages with a URL like
www.example.com/something/thispage through your webserver, the handler
looks at the "/something/thispage" part of the request and creates an
output page from data it has stored elsewhere, and it sends this
through the webserver.
Traditionally, and sensibly, the files served as web pages are owned by
the author, readable and writable by them, the "group" user permissions
are unset to not readable/writable/executable and generally not used
for anything, and the "other" user permissions (i.e. everyone else) are
read-only. The web server reads those files as the other user, since
everyone else on the internet is not the owner of the files, and should
only have read-access.
This gets more difficult with authoring programs (WordPress, Joomla,
etc), trying to get them to work in that model. Quite why they don't
understand they need to work that way eludes me. People often end up
setting their files as world-writable by virtue of getting ownership
and permissions wrong.
e.g. They make the files readable and writeable and owned by Apache or
WordPress. Now the thing that should only be reading the files to
serve them, can modify them. And unknown users on the internet can
modify them with carefully crafted URLs.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue