redhat Apache fast-cgi selinux permissions

My Apache installation runs PHP as FastCGI, with the virtual hosts pointing to /home/<user>/public_html,
and the FastCGI wrapper is /home/<user>/cgi-bin/php.fcgi.

The SELinux setup for public_html is:

    /usr/sbin/setsebool -P httpd_enable_homedirs 1
    chcon -R -t httpd_sys_content_t /home/someuser/public_html

Owner and group are the user, e.g. user "someuser":

    ls -all /home/someuser/cgi-bin/
    drwxr-xr-x 2 someuser someuser 4096 Sep 7 13:14 .
    drwx--x--x 6 someuser someuser 4096 Sep 6 18:17 ..
    -rwxr-xr-x 1 someuser someuser  308 Sep 7 13:14 php.fcgi

    ls -all /home/someuser/public_html/ | grep info.php
    -rw-r--r-- 1 someuser someuser   24 Sep 3 16:24 info.php

When I access the site I get "Forbidden ..." and the log says:

    [Fri Sep 07 12:02:51 2012] [error] [client xxxx] (13)Permission denied: access to /cgi-bin/php.fcgi/info.php denied

My selinux conf is:

    SELINUX=enforcing
    SELINUXTYPE=targeted
    SETLOCALDEFS=0

So I killed SELinux (SELINUX=disabled), rebooted the system, and everything works!!!!!

The problem is SELinux, and I don't want to disable SELinux. I tried, without success:

    setsebool -P httpd_enable_cgi 1
    chcon -t httpd_sys_script_exec_t /home/someuser/cgi-bin/php.fcgi
    chcon -R -t httpd_sys_content_t /home/someuser/cgi-bin

Or maybe it is better to change SELinux from SELINUX=enforcing to SELINUX=permissive
and disable SELinux for httpd?
(I think I'd better find the right configuration.)

Thanks for any advice on this matter.


My environment:

    Red Hat Enterprise Linux Server release 5.8 (Tikanga)

    Server version: Apache/2.2.3

    PHP 5.1.6 (cli) (built: Jun 22 2012 06:20:25) Copyright (c) 1997-2006 The PHP Group
    Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies

Some logs:

    ps -ZC httpd
    LABEL                       PID TTY          TIME CMD
    system_u:system_r:httpd_t  2822 ?        00:00:00 httpd
    system_u:system_r:httpd_t  2823 ?        00:00:00 httpd
    system_u:system_r:httpd_t  2824 ?        00:00:00 httpd
    system_u:system_r:httpd_t  2825 ?        00:00:00 httpd
    system_u:system_r:httpd_t  2826 ?        00:00:00 httpd
    system_u:system_r:httpd_t  2836 ?        00:00:00 httpd
    system_u:system_r:httpd_t  2837 ?        00:00:00 httpd
    system_u:system_r:httpd_t  2838 ?        00:00:00 httpd
    system_u:system_r:httpd_t  2839 ?        00:00:00 httpd
    system_u:system_r:httpd_t  2840 ?        00:00:00 httpd

    getsebool -a | grep httpd
    allow_httpd_anon_write --> off
    allow_httpd_bugzilla_script_anon_write --> off
    allow_httpd_cvs_script_anon_write --> off
    allow_httpd_mod_auth_pam --> off
    allow_httpd_nagios_script_anon_write --> off
    allow_httpd_prewikka_script_anon_write --> off
    allow_httpd_squid_script_anon_write --> off
    allow_httpd_sys_script_anon_write --> off
    httpd_builtin_scripting --> on
    httpd_can_network_connect --> off
    httpd_can_network_connect_db --> off
    httpd_can_network_relay --> off
    httpd_can_sendmail --> on
    httpd_disable_trans --> off
    httpd_enable_cgi --> on
    httpd_enable_ftp_server --> off
    httpd_enable_homedirs --> on
    httpd_execmem --> off
    httpd_read_user_content --> off
    httpd_rotatelogs_disable_trans --> off
    httpd_setrlimit --> off
    httpd_ssi_exec --> off
    httpd_suexec_disable_trans --> off
    httpd_tty_comm --> on
    httpd_unified --> on
    httpd_use_cifs --> off
    httpd_use_nfs --> off

And the audit log:

    /var/log/audit/audit.log

    type=SYSCALL msg=audit(1345834208.027:963): arch=c000003e syscall=4 success=no exit=-13 a0=2aaf1543e390 a1=7fff393c9510 a2=7fff393c9510 a3=2aaf1543bd58 items=0 ppid=27519 pid=27523 auid=517 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
    type=AVC msg=audit(1345834208.027:964): avc:  denied  { getattr } for  pid=27523 comm="httpd" path="/home/loemsera/public_html/index.php" dev=sda2 ino=4593912 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
    type=SYSCALL msg=audit(1345834208.027:964): arch=c000003e syscall=6 success=no exit=-13 a0=2aaf1543e470 a1=7fff393c9510 a2=7fff393c9510 a3=0 items=0 ppid=27519 pid=27523 auid=517 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
    type=AVC msg=audit(1345834208.028:965): avc:  denied  { getattr } for  pid=27523 comm="httpd" path="/home/loemsera/public_html/index.php" dev=sda2 ino=4593912 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file

Running FastCGI the way you do leaves a big security hole: the PHP interpreter runs as user "httpd" (at least I don't see anything about suexec here).

We have a working setup of SELinux and PHP over FastCGI on CentOS 6, but getting everything to work was hard.

Some tips to start with:

  • You don't need to reboot to disable/enable selinux – just use the command "setenforce 0" or "setenforce 1" :)
  • Always try to get everything working with SELinux disabled first, then enable it and look at audit.log

Here we go:

  • Enable suexec
  • Change the SELinux type of php.fcgi to httpd_fastcgi_script_exec_t
  • Your FastCGI launcher (php.fcgi) should not be writable by the user that owns it (otherwise he can tweak many settings and limits). Give it the "immutable" flag: chattr +i php.fcgi
  • suexec had some trouble with FastCGI, so we had to make it permissive:

    yum install policycoreutils-python
    semanage permissive -a httpd_suexec_t

Good luck!
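As an added example (not code from the question or the answer), here is a small POSIX shell script that works through the evidence the question posted. The AVC lines show httpd_t denied getattr on a file labelled user_home_t, and the denied path is under /home/loemsera, not the /home/someuser tree that the question relabelled; that is a label problem, not a DAC one, which is why the 0644/0755 modes and the disabled-SELinux test both look fine. The script extracts the permission, source domain, target type and path from each AVC line, maps that one pattern to the remedies the page itself already names (relabelling the public_html tree, or the httpd_read_user_content boolean shown as off in the getsebool output), and checks the ls -l line for php.fcgi against the answer's point that the launcher must not be writable. The log and ls lines are copied from the question as constructed sample input; the user loemsera, the inode and the paths are the question's own values. semanage fcontext and audit2why are standard policycoreutils tools, assumed available since the answer already installs policycoreutils-python; chcon labels are lost on a full relabel, which is why the persistent semanage fcontext mapping is printed as well.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. It reads the
# evidence the question posted (AVC lines and the ls -l line for php.fcgi,
# copied here as constructed sample input) and reports:
#   - which domain was denied which permission on which file label,
#   - which of the remedies named on this page apply to that pattern,
#   - whether the FastCGI launcher is writable, which the answer warns against.
# "loemsera", the inode and the paths are the question's values, not a live host.

SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1345834208.027:964): arch=c000003e syscall=6 success=no exit=-13 a0=2aaf1543e470 a1=7fff393c9510 a2=7fff393c9510 a3=0 items=0 ppid=27519 pid=27523 auid=517 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1345834208.027:964): avc:  denied  { getattr } for  pid=27523 comm="httpd" path="/home/loemsera/public_html/index.php" dev=sda2 ino=4593912 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1345834208.028:965): avc:  denied  { getattr } for  pid=27523 comm="httpd" path="/home/loemsera/public_html/index.php" dev=sda2 ino=4593912 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file'

# From the question's "ls -all /home/someuser/cgi-bin/": the wrapper is 0755,
# so the account it runs for can rewrite it.
SAMPLE_LS_LINE='-rwxr-xr-x 1 someuser someuser 308 Sep 7 13:14 php.fcgi'

# Reduce each AVC line on stdin to "perm source_type target_type tclass path".
# SYSCALL lines carry no label information for this purpose and are dropped.
avc_fields() {
    grep 'type=AVC' | sed -n \
        's|.*denied *{ *\([a-z_]*\) *}.*path="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*|\1 \3 \4 \5 \2|p'
}

# Map a denial to a remedy. Only the pattern in the question is handled:
# httpd_t blocked on user_home_t content under /home/<user>/public_html.
# Anything else is handed to audit2why (policycoreutils) rather than guessed.
suggest_fix() {
    fix_stype=$1; fix_ttype=$2; fix_path=$3
    if [ "$fix_stype:$fix_ttype" = "httpd_t:user_home_t" ]; then
        fix_dir=$(printf '%s\n' "$fix_path" | sed -n 's|^\(/home/[^/]*/public_html\).*|\1|p')
        if [ -n "$fix_dir" ]; then
            # The same relabel the question applied to /home/someuser, for this user.
            printf 'relabel: chcon -R -t httpd_sys_content_t %s\n' "$fix_dir"
            # chcon does not survive a full relabel; record the mapping too.
            printf 'persist: semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?" && restorecon -R %s\n' "$fix_dir" "$fix_dir"
            # Broader alternative: lets httpd_t read any user_home_t file.
            printf 'or boolean: setsebool -P httpd_read_user_content 1\n'
            return 0
        fi
    fi
    printf 'no rule for %s on %s (%s); feed the line to audit2why\n' "$fix_stype" "$fix_ttype" "$fix_path"
}

# Report whether an ls -l line shows a launcher that anyone can modify.
# The mode string is one type character followed by rwx for user, group and
# other, so the write bits sit at columns 3, 6 and 9.
check_wrapper_mode() {
    mode=$(printf '%s\n' "$1" | cut -c1-10)
    name=${1##* }
    case "$mode" in
        ??????????) ;;
        *) printf 'unparsable mode: %s\n' "$1"; return 0 ;;
    esac
    uw=$(printf '%s\n' "$mode" | cut -c3)
    gw=$(printf '%s\n' "$mode" | cut -c6)
    ow=$(printf '%s\n' "$mode" | cut -c9)
    if [ "$uw" = w ] || [ "$gw" = w ] || [ "$ow" = w ]; then
        printf '%s is writable (%s): chattr +i %s\n' "$name" "$mode" "$name"
    else
        printf '%s is not writable (%s)\n' "$name" "$mode"
    fi
}

# Run the whole check over the sample evidence.
report() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_fields | sort -u |
    while read -r perm stype ttype tclass path; do
        printf 'denied: %s %s on %s (%s) %s\n' "$stype" "$perm" "$ttype" "$tclass" "$path"
        suggest_fix "$stype" "$ttype" "$path"
    done
    check_wrapper_mode "$SAMPLE_LS_LINE"
}

report
```

To use it on a real box, replace SAMPLE_AUDIT_LOG with `grep type=AVC /var/log/audit/audit.log` and SAMPLE_LS_LINE with `ls -l` of the wrapper; any denial outside the one handled pattern is deliberately left to audit2why instead of being turned into a guessed allow rule.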