My Apache server runs PHP in "fcgi" mode.
I want to protect my server from script kiddies using r99 shell etc.
Example:
http://mikeybeck.com/hacking/N3tShell.html
I cannot remove "exec()" from PHP because I use Typo3.
My users can run the "find" command from PHP code and view files like /etc/passwd.
------------------------------------------------------------
[root@webserver ~]# ls -lZ /bin/find
-rwxr-x---. root root system_u:object_r:bin_t:s0 /bin/find
------------------------------------------------------------
If I remove the rights of "others" they can't use it, but that doesn't seem like the best solution to me.
------------------------------------------------------------
unconfined_u:system_r:httpd_sys_script_t:s0 500 12060 12043 0 Nov05 ? 00:00:00 /usr/bin/php-cgi -c /var/www/conf/php-democlient1.ini
------------------------------------------------------------
500 is the UID of my user.
------------------------------------------------------------
unconfined_u:system_r:httpd_t:s0 apache 6373 6349 0 Oct29 ? 00:00:00 /usr/sbin/httpd.worker
------------------------------------------------------------
[root@webserver ~]# semanage login -l
Nom pour l'ouverture de session Identité SELinux Intervalle MLS/MCS
__default__ unconfined_u s0-s0:c0.c1023
democlient1 user_u s0
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
------------------------------------------------------------
My test user is democlient1 with UID 500.
Thanks
Sorry for my English.
On Tue, Nov 6, 2012 at 10:50 AM, Dominick Grift <dominick.grift@xxxxxxxxx> wrote:
On Tue, 2012-11-06 at 10:09 +0100, bob lapointe wrote:
> Hello,
> I want to restrict a user; I would like to forbid the use of system commands
> such as "find, perl".
>
> In all the documentation I've found it is always about allowing commands, never
> about prohibiting a user from doing something.
>
Access is denied by default; if you want to allow something then you
need to specify that.
> Can it be done with SELinux? Or do I have to "play" with the rights of
> commands?
It can be done, sure (whether it makes sense to do it is another
question).
I do not know what you mean with "I have to "play" with the rights of
commands?"
Basically what you would need to do is create private types, make the
types core command executable file types, label the executable files
accordingly and then specify who can execute them.
I am not sure what approach you are using to create your confined user,
but if you are using the shipped SELinux macros, as-is, to base your new
confined user policy on, then you are accepting some of the
properties of these macros. One of these properties may be that it
already allows your user to execute find or perl.
So to create a confined user that is customized in a way that differs
from what is facilitated by the distro macros, you would need to work
around those few "limitations" of the provided macros or create a new
user domain from scratch.
Basically you are providing us with too few details about your
approach for me to be able to give a more specific answer.
>
> Thanks
> Jérémy P
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
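The private-type approach Dominick describes (private type, core command executable file type, relabel, then grant execution explicitly), as an added example that is not from this thread. It is written against the reference-policy macros; the module name restrict_find, the type name find_exec_t and the choice of sysadm_t/staff_t as the domains that keep access are assumptions, and the build commands assume the selinux-policy-devel Makefile is installed.

```selinux
# --- restrict_find.te (assumed file name) ---
policy_module(restrict_find, 1.0)

# Private type for the find binary.  Once /bin/find carries this label it is
# no longer bin_t, so a domain whose right to run commands comes only from
# corecmd_exec_bin() (httpd_sys_script_t, which runs php-cgi in the ps output
# above, and the user_t domain that democlient1's user_u login maps to) can
# no longer execute it.  Unconfined domains, and any domain granted
# corecmd_exec_all_executables(), keep access because they are allowed
# every exec_type file anyway.
type find_exec_t;
corecmd_executable_file(find_exec_t)

# Explicitly re-grant execution to the domains that should keep it.
# sysadm_t and staff_t are an assumed choice; list the domains you trust.
gen_require(`
    type sysadm_t, staff_t;
')
can_exec(sysadm_t, find_exec_t)
can_exec(staff_t, find_exec_t)

# --- restrict_find.fc (assumed file name) ---
# Label both paths; on a usr-merged system /bin is a symlink to /usr/bin.
/bin/find        --  gen_context(system_u:object_r:find_exec_t,s0)
/usr/bin/find    --  gen_context(system_u:object_r:find_exec_t,s0)

# --- build, load and verify (run as root) ---
# make -f /usr/share/selinux/devel/Makefile restrict_find.pp
# semodule -i restrict_find.pp
# restorecon -v /bin/find /usr/bin/find
# ls -lZ /bin/find        # label is now system_u:object_r:find_exec_t:s0
# sesearch -A -s httpd_sys_script_t -t find_exec_t -c file -p execute  # expect no rules
# sesearch -A -s sysadm_t -t find_exec_t -c file -p execute            # expect the allow rule
```

Blocked attempts appear in /var/log/audit/audit.log as AVC denials with tcontext find_exec_t and scontext httpd_sys_script_t, which is also how you confirm that PHP can no longer spawn find.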