Re: File access in Apache 2.4 (clarification)




On Tue, Nov 21, 2017 at 09:40:27AM -0800, david wrote:
> Jonathan
> Thanks for the advice.  If you recommend NOT to use /tmp for cgi
> temporaries, where would you put them and how to name them?  And about
> SELINUX, I'll consider that, but I'd like to get this working without
> SELINUX first.
> 
> And where should I put "globally readable" files?  These files need to be
> readable by all users (including Apache), but writeable only by one user.
> In the past, I've placed them in a Ram disk since I don't want them to
> survive a power-off, and mounted that "device" directory in /tmp/ramdisk.
> It was working perfectly in Centos 5, 6 and 7, with Centos 7 failing within
> the past week or so.  I do "yum update" every night.

Does it need to be writable by CGI scripts run by httpd?  Then put it
in one of the directories that is automatically labeled
httpd_sys_rw_content_t by selinux.  (man httpd_selinux shows those;
you can also run 'semanage fcontext -l | grep httpd_sys_rw_content_t')

Hopefully, it isn't both writable *and* executable by httpd, because
that's just a bad idea, and selinux tries its hardest to prevent it.

Otherwise, if httpd just needs to read the file, choose one of the
directories with one of the read-only labels.

The reason this started happening in the latest C7 release is that
the unit file (as well as many others) was updated to have a
PrivateTmp setting, which is an additional security measure, since one
of the most common ways of attacking a system is to try to hit shared
files in locations like /tmp.

-- 
Jonathan Billings
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
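The approach Jonathan describes, as an added example that is not part of the thread: confirm that httpd really runs with PrivateTmp, then move the shared files out of /tmp into a directory labeled for httpd (read-only or CGI-writable, never writable and executable) and, for the RAM-disk variant, mount a tmpfs there with an explicit SELinux context. The path /var/www/shared, the publishing user "publisher", the tmpfs size and the use of emitted commands instead of running them as root are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Everything below is
# emitted as commands or fstab lines rather than executed, so it can be
# reviewed (and run) on a box without root or SELinux enforcing.
# Assumed names: /var/www/shared, user "publisher", 64m tmpfs.
set -eu

# 1. Is the unit running with a private /tmp? Pass in the output of
#    'systemctl show -p PrivateTmp httpd' (e.g. "PrivateTmp=yes").
#    When it is, /tmp/ramdisk as seen by the publisher is simply not
#    the /tmp that httpd and its CGI scripts see.
private_tmp_enabled() {
    case "$1" in
        PrivateTmp=yes) return 0 ;;
        *) return 1 ;;
    esac
}

# 2. Choose the SELinux type from what httpd must do with the files:
#    ro -> httpd_sys_content_t  (httpd only reads)
#    rw -> httpd_sys_rw_content_t (CGI scripts run by httpd may write)
#    There is deliberately no "rwx": writable plus executable by httpd
#    is the combination SELinux tries hardest to prevent.
label_for() {
    case "$1" in
        ro) echo httpd_sys_content_t ;;
        rw) echo httpd_sys_rw_content_t ;;
        *)  echo "usage: label_for ro|rw" >&2; return 1 ;;
    esac
}

# 3. Commands for a disk-backed shared directory: owned by the one
#    writer, world-readable (0755), label persisted with semanage and
#    applied with restorecon so it survives relabels and yum updates.
shared_dir_commands() {
    dir=$1; mode=$2; owner=$3
    type=$(label_for "$mode")
    cat <<EOF
install -d -m 0755 -o $owner -g $owner $dir
semanage fcontext -a -t $type "$dir(/.*)?"
restorecon -Rv $dir
EOF
}

# 4. fstab line for the RAM-backed variant (contents vanish on power-off).
#    The context= mount option labels the whole tmpfs at mount time, so no
#    restorecon is needed; the writer still chowns the mount point after
#    mounting, since the files must be writable by that one user only.
tmpfs_mount_line() {
    dir=$1; mode=$2; size=$3
    type=$(label_for "$mode")
    echo "tmpfs $dir tmpfs size=$size,mode=0755,context=system_u:object_r:$type:s0 0 0"
}

# Usage: ./shared-dir.sh --show
if [ "${1:-}" = "--show" ]; then
    shared_dir_commands /var/www/shared ro publisher
    tmpfs_mount_line /var/www/shared ro 64m
fi
```

After applying either variant, the publisher writes files as itself (mode 0644 under a 0755 directory) and httpd reads them through the label; overriding PrivateTmp with a drop-in would also make /tmp/ramdisk visible again, but it gives up exactly the isolation the updated unit file added.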


