On Tue, 2005-04-12 at 09:58 +0300, petre rodan wrote:
> I did reply to your question a few hours back :/
>
> Jon Howard wrote:
> > Hello,
> > I have a Gentoo SE system up and running as per the handbook (x86),
> > but I cannot get apache to execute cgi's in enforcing mode (the test ones
> > that come with apache). The scripts do work in permissive. Before I
> > got started in examining the apache.te file, I was wondering if I might
> > have an apache configuration issue. I guess the first question that I
> > have is whether perl or php scripts run in enforcing mode in the
> > hardened gentoo environment "out of the box?" I installed the perl and
> > php mods for apache, and changed the startup to include the -D option
> > for these, but in studying the SE model, I was afraid that some other
> > method for executing scripts might be in play. I removed the mods from
> > the -D startup option, but I am still getting the same results. So, will
> > it or won't it is my question.
>
> won't is the short answer. the long answer was in your inbox when you wrote to the list.
> the short conclusion is that some cgi scripts need a kitchen sink to be allowed. it's up to the user to allow it or not.
>

A good solution to this was something I was working on a while back with
fastcgi. Basically, rather than using mod_perl, mod_php and so on, you'd
use the cgi versions and use fastcgi. Fastcgi, then, would read the
context of the script being run (much like it does for the UID already) and
calculate a type transition for that script. It would then transition to
that domain and run the script. This would effectively sandbox users'
cgi's, php, perl, etc. from one another while also limiting them further
from what apache has access to.

Sadly I never finished this and don't really have time to work on it
anymore.

Joshua

--
gentoo-hardened@g.o mailing list
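The decision such a wrapper has to make, shown as an added example (not Joshua's unfinished fastcgi work and not code from this thread): given the running domain and the script's file label, find the matching `type_transition` rule in the policy and check that the three permissions the kernel requires for a domain transition (`execute` on the file, `transition` to the new domain, `entrypoint` for the new domain on the file) are all granted, or, when no transition applies, that `execute_no_trans` lets the script run in the caller's domain. The policy fragment, type names and file labels below are constructed for illustration; they follow reference-policy naming but are not copied from any real apache.te. A real wrapper would read the label with `getfilecon(3)`, ask the kernel for the transition with `security_compute_create(3)` and set it with `setexeccon(3)` before `execve`; the point of doing the same lookup offline is to see why a script that runs in permissive mode is denied in enforcing mode when one of those rules is missing.

```python
"""Compute the SELinux domain an Apache CGI/FastCGI wrapper would transition
into for a script, by evaluating type_transition rules from a .te fragment and
checking that the kernel would permit the transition.

Added example; not the thread's code. Policy, type names and paths below are
constructed (reference-policy style, not taken from a real apache.te)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Allow = Tuple[str, str, str, str]   # (source, target, class, permission)
TransKey = Tuple[str, str, str]     # (source domain, exec type, class)

# Constructed policy fragment in .te syntax (assumption: stands in for the
# apache module's real rules).
POLICY_TE = """
type httpd_t;
type httpd_sys_script_exec_t;
type httpd_sys_script_t;
type httpd_user_script_exec_t;
type httpd_user_script_t;

# System CGI: execute + transition + entrypoint are all present
allow httpd_t httpd_sys_script_exec_t:file { read getattr execute };
allow httpd_t httpd_sys_script_t:process transition;
allow httpd_sys_script_t httpd_sys_script_exec_t:file entrypoint;
type_transition httpd_t httpd_sys_script_exec_t:process httpd_sys_script_t;

# User CGI: transition rule present, but no entrypoint rule -> denied
allow httpd_t httpd_user_script_exec_t:file { read getattr execute };
allow httpd_t httpd_user_script_t:process transition;
type_transition httpd_t httpd_user_script_exec_t:process httpd_user_script_t;
"""

ALLOW_RE = re.compile(r"^allow\s+([^\s:]+)\s+([^\s:]+)\s*:\s*([^\s:]+)\s+(\{[^}]*\}|[^\s;]+)\s*;$")
TT_RE = re.compile(r"^type_transition\s+([^\s:]+)\s+([^\s:]+)\s*:\s*([^\s:]+)\s+([^\s;]+)\s*;$")


@dataclass
class Policy:
    allows: Set[Allow] = field(default_factory=set)
    transitions: Dict[TransKey, str] = field(default_factory=dict)


@dataclass
class TransitionResult:
    domain: str          # domain the script would run in
    allowed: bool        # True if every permission the kernel checks is granted
    missing: List[str]   # allow rules that would have to exist


def parse_te(text: str) -> Policy:
    """Parse the subset of .te syntax used here: allow and type_transition."""
    policy = Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            for perm in perms.strip("{}").split():
                policy.allows.add((src, tgt, cls, perm))
            continue
        m = TT_RE.match(line)
        if m:
            src, tgt, cls, new = m.groups()
            policy.transitions[(src, tgt, cls)] = new
    return policy


def type_of(context: str) -> str:
    """Return the type field of a 'user:role:type[:range]' security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]


def compute_transition(policy: Policy, current_domain: str, script_context: str) -> TransitionResult:
    """Derive the target domain from the script's label, then verify that the
    execve-time checks SELinux performs would all pass."""
    exec_type = type_of(script_context)
    new_domain = policy.transitions.get((current_domain, exec_type, "process"))
    if new_domain is None:
        # No transition: script would run in the caller's own domain, which
        # needs execute_no_trans on the file.
        new_domain = current_domain
        required = [(current_domain, exec_type, "file", "execute"),
                    (current_domain, exec_type, "file", "execute_no_trans")]
    else:
        required = [(current_domain, exec_type, "file", "execute"),
                    (current_domain, new_domain, "process", "transition"),
                    (new_domain, exec_type, "file", "entrypoint")]
    missing = [f"allow {s} {t}:{c} {p};" for (s, t, c, p) in required
               if (s, t, c, p) not in policy.allows]
    return TransitionResult(new_domain, not missing, missing)


# Constructed labels, standing in for what getfilecon(3) would return.
SCRIPT_LABELS = {
    "/var/www/localhost/cgi-bin/printenv": "system_u:object_r:httpd_sys_script_exec_t",
    "/home/jon/public_html/cgi-bin/hello.pl": "system_u:object_r:httpd_user_script_exec_t",
    "/var/www/localhost/htdocs/index.cgi": "system_u:object_r:httpd_sys_content_t",
}


def plan_for(path: str, current_domain: str = "httpd_t") -> TransitionResult:
    """What the wrapper would decide for one script path (httpd_t is assumed
    as the server's domain)."""
    return compute_transition(parse_te(POLICY_TE), current_domain, SCRIPT_LABELS[path])


if __name__ == "__main__":
    for p in SCRIPT_LABELS:
        r = plan_for(p)
        verdict = "ok" if r.allowed else "denied in enforcing, missing: " + " ".join(r.missing)
        print(f"{p} -> {r.domain}: {verdict}")
```

The third path shows the case behind "works in permissive, fails in enforcing": a script labelled as plain content has neither a transition nor `execute_no_trans`, so permissive mode logs the denial and runs it anyway, while enforcing mode refuses it. The kernel's own check, not this lookup, is what decides in production; the wrapper's job is only to pick the domain and call `setexeccon` before exec.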