| 1 |
On Tue, 2005-04-12 at 09:58 +0300, petre rodan wrote: |
| 2 |
> I did reply to your question a few hours back :/ |
| 3 |
> |
| 4 |
> Jon Howard wrote: |
| 5 |
> > Hello, |
| 6 |
> > I have a Gentoo SE system up and running as per the handbook(X86), |
| 7 |
> > but I cannot get apache to execute cgi's in enforcing mode(the test ones |
| 8 |
> > that come with apache). The scripts do work in permissive. Before I |
| 9 |
> > got started in examing the apache.te file, I was wondering if I might |
| 10 |
> > have an apache configuration issue. I guess the first question that I |
| 11 |
> > have is whether perl or php scripts run in enforcing mode in the |
| 12 |
> > hardened gentoo environment "out of the box?" I installed the perl and |
| 13 |
> > php mods for apache, and changed the startup to include the -D option |
| 14 |
> > for these, but in studying the SE model, I was afraid that some other |
| 15 |
> > method for executing scripts might be in play. I removed the mods from |
| 16 |
> > the -D statup option, but I am still getting the same results. So, will |
| 17 |
> > it or won't it is my question. |
| 18 |
> |
| 19 |
> won't is the short answer. the long answer has been in your inbox when you wrote to the list. |
| 20 |
> the short conclusion is that some cgi scripts need a kitchen sink to be allowed. it's up to the user to allow it or not. |
| 21 |
> |
| 22 |
|
| 23 |
A good solution to this was something I was working on a while back with |
| 24 |
fastcgi. Basically rather than using mod_perl, mod_php and so on you'd |
| 25 |
use the cgi versions and use fastcgi. Fastcgi then, would read the |
| 26 |
context of the script being run (much like it does for UID already) and |
| 27 |
calculate a type transition for that script. It would then transition to |
| 28 |
that domain and run the script. This would effectively sandbox users |
| 29 |
cgi's, php, perl, etc from one another while also limiting it further |
| 30 |
from what apache has access to. |
| 31 |
|
| 32 |
Sadly I never finished this and don't really have time to work on it |
| 33 |
anymore. |
| 34 |
|
| 35 |
Joshua |
| 36 |
|
| 37 |
-- |
| 38 |
gentoo-hardened@g.o mailing list |
Archives