[Centos] cgi trouble with apache and selinux




Quoting "James B. Byrne" <ByrneJB@xxxxxxxxxxxxx>
Date: Thu, 10 Mar 2005 12:39:17

> Because enabling httpd to run cgi processes presents a potential 
> security risk that should be expressly taken rather than left to 
> the system administrator to realize and secure after the fact? 

I totally agree with what you wrote (both the quoted and the unquoted parts of your email).

However, there is one big "however" to consider.

If you are forcing users to jump through too many hoops to get something working,
they are more likely to disable security mechanisms than to configure things
correctly.  This is not limited to IT security.  It is human nature.

Look at the recent email from Cristofer on this mailing list.  What was the
first thing he did?  Disable SELinux.  Search the forums for this kind of
problem.  I did (and still do, since the problem is not solved), and what I found
was that most advice boils down to: it is because of SELinux, just disable it
and things will work.  Go to the Fedora mailing list.  Every week there is at least
one new thread on the topic "is SELinux worth the trouble or should I just disable
the bugger during the install".

What this boils down to is, if you have a security mechanism that is too complex
or too hard to configure, nobody will use it.  The same goes for a system that is
too noisy (too many false positives).  So you are at the same level as not
having it at all, because people are going to disable it routinely at the first
opportunity they have.  This is the single biggest mistake security
professionals make on a regular basis: ignoring human nature, thinking that
technology itself can solve security problems.  It can't.  Human nature must
be part of the system, or the system will not function as intended, or not function
at all.  This is not some wisdom I just invented.  It took some time even for
big names such as Bruce Schneier to realize this.  He wrote openly about the
path he went down in his later works.

To get back to the problem I have.  I went through all the documentation and did
everything by the book.  And things do not work.  What can I do now?  The
choices are disabling SELinux or risking being really late with a project that
is by itself rather simple in nature (a couple of more or less trivial CGI scripts).

-- 
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
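The alternative to the "just disable SELinux" advice the post complains about is to read the AVC denials the policy logs and apply the narrowest fix each one calls for. The script below is an added example, not code from the post or from the CentOS project: it classifies a few constructed AVC lines (the `avc: denied { ... } ... scontext=... tcontext=...` format written to the audit log or dmesg) for a CGI script run by Apache and prints a least-privilege remediation for each. The type names (`httpd_t`, `httpd_sys_script_t`, `httpd_sys_script_exec_t`, `httpd_sys_content_t`, `httpd_sys_script_ro_t`) and booleans (`httpd_enable_cgi`, `httpd_can_network_connect`) are those of the targeted policy; the sample log lines, pids and inode numbers are constructed, and the `suggest_fix` / `review_denials` helpers are this example's own names.

```bash
#!/bin/bash
# Added example (not from the mailing-list post): classify constructed SELinux
# AVC denials for an Apache CGI script and print the least-privilege fix for
# each, as the defender's alternative to "setenforce 0". Nothing here changes
# the system; it only reads log lines and prints recommendations.

# Constructed sample denials in the AVC format found in audit.log / dmesg.
SAMPLE_AVCS='avc:  denied  { execute } for  pid=1234 comm="httpd" name="hello.cgi" dev=hda2 ino=5678 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_script_exec_t tclass=file
avc:  denied  { execute } for  pid=1235 comm="httpd" name="other.cgi" dev=hda2 ino=5679 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file
avc:  denied  { read } for  pid=1236 comm="hello.cgi" name="data.txt" dev=hda2 ino=5680 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:user_home_t tclass=file
avc:  denied  { name_connect } for  pid=1237 comm="hello.cgi" scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket'

# avc_field LINE KEY -> value of KEY=... in an AVC line, surrounding quotes removed
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# type_of CONTEXT -> the type component (third field) of an SELinux context
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_fix LINE -> one-line remediation for a single denial
suggest_fix() {
    local line=$1 perm stype ttype
    # permission inside the braces, e.g. "execute" from "{ execute }"
    perm=$(printf '%s\n' "$line" \
        | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    stype=$(type_of "$(avc_field "$line" scontext)")
    ttype=$(type_of "$(avc_field "$line" tcontext)")
    case "$stype:$ttype:$perm" in
        httpd_t:httpd_sys_script_exec_t:execute)
            # script is labelled correctly; the CGI boolean is simply off
            echo "boolean: setsebool -P httpd_enable_cgi on" ;;
        httpd_t:httpd_sys_content_t:execute)
            # script carries the plain-content label and must be relabelled
            echo "relabel: chcon -t httpd_sys_script_exec_t <script>" ;;
        httpd_sys_script_t:user_home_t:*)
            # script reads data that was never meant to be web-accessible
            echo "relabel: chcon -t httpd_sys_script_ro_t <file> or move it under DocumentRoot" ;;
        httpd_sys_script_t:*_port_t:name_connect)
            # script opens an outbound socket; allow only that, not everything
            echo "boolean: setsebool -P httpd_can_network_connect on" ;;
        *)
            echo "investigate: feed this line to audit2allow and review; do not disable SELinux" ;;
    esac
}

# review_denials -> "<process> -> <fix>" for every constructed sample line
review_denials() {
    printf '%s\n' "$SAMPLE_AVCS" | while IFS= read -r line; do
        printf '%s -> %s\n' "$(avc_field "$line" comm)" "$(suggest_fix "$line")"
    done
}

review_denials
```

Each suggestion grants exactly the access the denial asked for and nothing more: a boolean for a policy-wide capability, a relabel when the file simply carries the wrong type. Anything the table does not recognise is left for human review rather than silently allowed, which is the opposite of the blanket "disable it" advice.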


