Re: Apache Shell Attack Domain Transition

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/03/2013 12:21 PM, Robert Gabriel wrote:
> Greetz,
> 
> So we asked a question on another list about how to avoid storing
> credentials
> 
> to a DB in files for said Apache server.
> 
> It was found then a great solution from PHP Cookbook suggesting
> 
> to use an "Include" file readable only by root with credentials and Apache
> then reads on
> 
> startand stores credentials as variables.
> 
> I would like to know if SELinux can block this attack?
SELinux will only allow httpd_t to read files with the correct label, so if
the credentials had a label the httpd_t was not allowed to read, SELinux would
block it.

> 
> For example, an attacker gets a reverse shell as apache:apache user
> 
> and they try to connect to DB.
> 
> What domain would they be in at time of shell (httpd_t)?
> 
php scripts would ordinarily run as httpd_t.

> Would the DB be confined to some other domain?
> 
If DB is a running process like mysql or postgresql then yes.  If the DB is
started via init and SELinux does not know about it, it will run as initrc_t.

> Could they try and connect to DB after having read credentials from
> unsecured config file?
> 
They could try, but if httpd_t is not allowed to communicate with the process
that is running the DB then SELinux would block it.

> Is there a domain transition.
> 
Doubt it.
> Thank you.
> 
> 
> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlHa5lkACgkQrlYvE4MpobNRbwCeJiW2YsUZb1m57QpSK4TUfbW1
kykAn10eWe+GdA83Di0joo7o0r2jixjX
=mzDe
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux




[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux