Re: [CentOS] Apache not liking directories outside of /var/www

2009-08-01 Thread Ned Slider
Filipe Brandenburger wrote:
> Hi,
> 
> On Sat, Aug 1, 2009 at 12:30, Mark Hedges wrote:
>>> http://wiki.centos.org/HowTos/SELinux
>> Is this why DBD::SQLite broke under mod_perl recently in
>> CentOS?
> 
> It might or might not be... In order to be sure, you may check the
> audit logs at /var/log/audit/audit.log (make sure the "audit" RPM is
> installed and the "auditd" daemon is enabled and running), you might
> see SELinux messages in that file when some access is denied.
> 
> HTH,
> Filipe

Further to Filipe's advice, if you temporarily switch SELinux into 
permissive mode and stuff then works again, take that as a pretty good 
indication that it was indeed SELinux that was preventing it. At that 
point you know where to look to fix the problem.

The Wiki guide for SELinux has lots of information on troubleshooting 
SELinux issues:

http://wiki.centos.org/HowTos/SELinux

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Apache not liking directories outside of /var/www

2009-08-01 Thread Filipe Brandenburger
Hi,

On Sat, Aug 1, 2009 at 12:30, Mark Hedges wrote:
>> http://wiki.centos.org/HowTos/SELinux
>
> Is this why DBD::SQLite broke under mod_perl recently in
> CentOS?

It might or might not be... In order to be sure, you may check the
audit logs at /var/log/audit/audit.log (make sure the "audit" RPM is
installed and the "auditd" daemon is enabled and running), you might
see SELinux messages in that file when some access is denied.

HTH,
Filipe


Re: [CentOS] Apache not liking directories outside of /var/www

2009-08-01 Thread Kenneth Porter
--On Saturday, August 01, 2009 10:30 AM -0700 Mark Hedges wrote:

> I.e. Apache process is accessing an sqlite file that is
> outside the docroot.  This is how it should be.

Don't use /var/www as your docroot. Use a subdirectory. Then you can put 
other files under /var/www that are not under the docroot.

Aside: Avoid editing httpd.conf if you can help it. A lot of customization 
can be accomplished by dropping a custom .conf file in /etc/httpd/conf.d. 
This makes upgrades a lot easier, in case the stock httpd.conf changes.




Re: [CentOS] Apache not liking directories outside of /var/www

2009-08-01 Thread Mark Hedges
On Fri, 31 Jul 2009, Ned Slider wrote:

> Boris Epstein wrote:
> >
> > I found an even simpler solution - disabled SELinux. I've got a
> > firewall and that is plenty.
> >
>
> Wow, not sure I'd place all my faith in a firewall.
>
> There is an SELinux tutorial on the Wiki that explicitly covers how to
> handle Apache serving content outside of DocumentRoot:
>
> http://wiki.centos.org/HowTos/SELinux

Is this why DBD::SQLite broke under mod_perl recently in
CentOS?

I.e. Apache process is accessing an sqlite file that is
outside the docroot.  This is how it should be.

Conf perms (allow/deny) only secure what files you can
access by calling them up with a uri mapping.  They don't
apply to what files a script or handler can access; any of
these processes running as user apache can access any files
that user could access on the system.

Unless selinux is interfering.  Is that what's going on?

Help?

Mark


Re: [CentOS] Apache not liking directories outside of /var/www

2009-07-31 Thread Ned Slider
Boris Epstein wrote:
> 
> I found an even simpler solution - disabled SELinux. I've got a
> firewall and that is plenty.
> 

Wow, not sure I'd place all my faith in a firewall.

There is an SELinux tutorial on the Wiki that explicitly covers how to 
handle Apache serving content outside of DocumentRoot:

http://wiki.centos.org/HowTos/SELinux

Anyway, it's only one command to fix the issue - not exactly daunting.



Re: [CentOS] Apache not liking directories outside of /var/www

2009-07-31 Thread Jim Perrin
On Fri, Jul 31, 2009 at 1:07 PM, Boris Epstein wrote:

> I am running mod_security and also if the intruder gets to the shell
> level they will be able to bypass the SELinux entirely. I believe in
> security too but security should not be crippling.

Agreed, however your statement is contradictory. A person not versed
in iptables would find the default firewall crippling when attempting
to run apache. By your logic, they should disable the firewall?


-- 
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell


Re: [CentOS] Apache not liking directories outside of /var/www

2009-07-31 Thread Kenneth Porter
--On Friday, July 31, 2009 2:07 PM -0400 Boris Epstein wrote:

> I am running mod_security and also if the intruder gets to the shell
> level they will be able to bypass the SELinux entirely.

How? The selinux commands require root access. First you'd have to get a 
root escalation exploit to promote from user apache to root, and then 
disable selinux. The exploit in the linked article is stopped because it 
can't run the escalation program which was downloaded to /tmp.

> I believe in security too but security should not be crippling.

Do you also disable iptables, because a firewall is too complicated to 
configure just to run an IP service?

SELinux is just another kind of firewall, but one between 
user/process/resource triplets. As with a good network firewall, it denies 
all by default and one selectively allows the triplets that make sense for 
one's application.


Re: [CentOS] Apache not liking directories outside of /var/www

2009-07-31 Thread jacob
Sounds like current default Apache security.

Near the beginning of httpd.conf you will find:

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

This effectively blocks you from sharing any directory (even aliased ones)
unless the actual directory (no symlinks or aliases) is under /var/www.

To add in exceptions, put this under your Alias statement:

Alias /test /home/test
<Directory /home/test>
    Order allow,deny
    Allow from all
</Directory>

From: centos-boun...@centos.org on behalf of Boris Epstein
Sent: Fri 7/31/2009 9:17 AM
To: centos@centos.org
Subject: [CentOS] Apache not liking directories outside of /var/www



Hi all,

It appears that on my nice little CentOS 5.3 machines Apache only
allows me to store content in directories which are under /var/www/

For instance, putting content in /var/www/test and defining the following alias:

Alias /test /var/www/test

then accessing it under http://hostname/test works great.

Now copy that same content to /home/test, change the alias to:

Alias /test /home/test

and you get Error 403.

Any idea why that would be?

Never had this sort of trouble anywhere, including under CentOS 5.0 and 5.1

Thanks in advance for any and all help.

Boris.




Re: [CentOS] Apache not liking directories outside of /var/www

2009-07-31 Thread Boris Epstein
On Fri, Jul 31, 2009 at 12:50 PM, Jim Perrin wrote:
> On Fri, Jul 31, 2009 at 12:35 PM, Boris Epstein wrote:
>
>> I found an even simpler solution - disabled SELinux. I've got a
>> firewall and that is plenty.
>
> No. It's really not. If someone exploits apache, or php, they'll be
> coming in via port 80 or 443 which your firewall has helpfully allowed
> so that you can run your server. The vast majority of successful
> penetrations I've seen are of two types. Brute ssh attacks, and
> apache/php exploits.   If you were running mod_security, that might be
> slightly more analogous to selinux. I really don't recommend that
> people disable selinux simply because they can't be bothered to learn
> it.
>
> Real world reasons for selinux on web servers ->
> http://www.linuxjournal.com/article/9176
>
>
> --
> During times of universal deceit, telling the truth becomes a revolutionary 
> act.
> George Orwell
>

I am running mod_security and also if the intruder gets to the shell
level they will be able to bypass the SELinux entirely. I believe in
security too but security should not be crippling.

Boris.


Re: [CentOS] Apache not liking directories outside of /var/www

2009-07-31 Thread Jim Perrin
On Fri, Jul 31, 2009 at 12:35 PM, Boris Epstein wrote:

> I found an even simpler solution - disabled SELinux. I've got a
> firewall and that is plenty.

No. It's really not. If someone exploits apache, or php, they'll be
coming in via port 80 or 443 which your firewall has helpfully allowed
so that you can run your server. The vast majority of successful
penetrations I've seen are of two types. Brute ssh attacks, and
apache/php exploits.   If you were running mod_security, that might be
slightly more analogous to selinux. I really don't recommend that
people disable selinux simply because they can't be bothered to learn
it.

Real world reasons for selinux on web servers ->
http://www.linuxjournal.com/article/9176


-- 
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell


Re: [CentOS] Apache not liking directories outside of /var/www

2009-07-31 Thread Boris Epstein
On Fri, Jul 31, 2009 at 12:24 PM, Filipe Brandenburger wrote:
>
> Hi,
>
> On Fri, Jul 31, 2009 at 12:17, Boris Epstein wrote:
> > Any idea why that would be?
>
> It's SELinux. Files exported by Apache must have context
> httpd_sys_content_t. You can use "ls -Z" to see the context of a
> certain file. You can use "chcon -R httpd_sys_content_t /home/test" to
> change the context of all the files in the /home/test directory,
> however that will not apply to new files created under that directory,
> in which case you have to add new rules using "semanage fcontext" (see
> the examples "man semanage" for help on how to do that).
>
> In general I would advise you to try to adapt your application so that
> the files that need to be seen by Apache are under /var/www, if you
> have that flexibility it will be simpler and have less chance of
> breaking in the future.
>
> HTH,
> Filipe

I found an even simpler solution - disabled SELinux. I've got a
firewall and that is plenty.

Thanks a lot, Filipe!


Re: [CentOS] Apache not liking directories outside of /var/www

2009-07-31 Thread Kenneth Porter
--On Friday, July 31, 2009 1:24 PM -0400 Filipe Brandenburger wrote:

> In general I would advise you to try to adapt your application so that
> the files that need to be seen by Apache are under /var/www, if you
> have that flexibility it will be simpler and have less chance of
> breaking in the future.

IIRC, there's a policy and boolean to allow users to have web content in 
~/public_html.

If one has stuff in other locations (say, /usr/share/someapp/webcontent or 
/opt/someapp/webcontent), one could use a loopback mount to attach it to a 
subdirectory of /var/www.



Re: [CentOS] Apache not liking directories outside of /var/www

2009-07-31 Thread Filipe Brandenburger
Hi,

On Fri, Jul 31, 2009 at 12:17, Boris Epstein wrote:
> Any idea why that would be?

It's SELinux. Files exported by Apache must have context
httpd_sys_content_t. You can use "ls -Z" to see the context of a
certain file. You can use "chcon -R httpd_sys_content_t /home/test" to
change the context of all the files in the /home/test directory,
however that will not apply to new files created under that directory,
in which case you have to add new rules using "semanage fcontext" (see
the examples "man semanage" for help on how to do that).

In general I would advise you to try to adapt your application so that
the files that need to be seen by Apache are under /var/www, if you
have that flexibility it will be simpler and have less chance of
breaking in the future.

HTH,
Filipe
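Filipe's two pieces of advice in this thread (read the AVC denials in /var/log/audit/audit.log, then relabel the directory persistently with semanage fcontext rather than a one-off chcon) can be checked with a small script; the Python below is an added example, not code from the thread or from CentOS, that parses a constructed audit.log excerpt, keeps only denials whose source domain is httpd_t, groups them by target type, and builds the relabel commands for a directory. The sample log lines, the paths and the WRITE_PERMS set are assumptions made for the example.

```python
import re

# Constructed /var/log/audit/audit.log excerpt (not from the thread): Apache
# (httpd_t) denied access to content under /home/test still labelled
# user_home_t, plus an unrelated sshd record that the filter must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1249059437.123:45): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/home/test/index.html" dev=sda2 ino=98765 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1249059500.456:46): avc:  denied  { read } for  pid=2345 comm="httpd" name="test" dev=sda2 ino=98760 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1249059600.789:47): avc:  denied  { write } for  pid=2346 comm="httpd" path="/home/test/app.sqlite" dev=sda2 ino=98790 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1249059700.000:48): avc:  denied  { name_connect } for  pid=1111 comm="sshd" scontext=root:system_r:sshd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
"""
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "add_name", "remove_name"}

def parse_avc(line):
    """Return the interesting fields of one AVC denial record, or None otherwise."""
    m = re.search(r"avc:\s+denied\s+\{ ([^}]+) \}", line)
    if not m:
        return None
    # key=value tokens; quoted values (comm, path, name) keep their spaces
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return {
        "perms": m.group(1).split(),
        "path": fields.get("path") or fields.get("name"),
        "stype": fields["scontext"].split(":")[2],  # source domain, e.g. httpd_t
        "ttype": fields["tcontext"].split(":")[2],  # target type, e.g. user_home_t
        "tclass": fields["tclass"],
    }

def httpd_denials(log_text):
    """AVC denials whose source domain is httpd_t (Apache and anything it runs)."""
    parsed = (parse_avc(l) for l in log_text.splitlines())
    return [d for d in parsed if d and d["stype"] == "httpd_t"]

def triage(log_text):
    """Group httpd_t file/dir denials by target type; flag ones needing write access."""
    report = {}
    for d in httpd_denials(log_text):
        if d["tclass"] not in ("file", "dir"):
            continue
        entry = report.setdefault(d["ttype"], {"paths": set(), "needs_write": False})
        entry["paths"].add(d["path"])
        entry["needs_write"] |= bool(set(d["perms"]) & WRITE_PERMS)
    return report

def relabel_commands(directory):
    """Persistent relabel for read-only content (survives restorecon and new files)."""
    return [f'semanage fcontext -a -t httpd_sys_content_t "{directory}(/.*)?"',
            f"restorecon -R {directory}"]
```

A denial flagged needs_write (the sqlite file above) means httpd_sys_content_t, which httpd may only read, is the wrong label for that file; it needs one of the policy's writable httpd types rather than a broader read-only relabel.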