/tmp

John Van Ostrand john-Da48MpWaEp0CzWx7n4ubxQ at public.gmane.org
Mon May 29 13:35:55 UTC 2006


On Thu, 2006-05-25 at 20:09 -0400, Scott C. Ripley wrote:

> hey all,
> 
> anyone get hassled by:
>   - some web app is able to write to /tmp as nobody
>   - able to run file as nobody user (say via perl) even with noexec on the
>     partition  (because perl simply reads/executes the file in /tmp)
> 
> some googling suggests it's going around... with suggestions like:
>   - have separate /tmp partition  (with noexec option on partition)
>   - disable certain PHP functions (via php.ini)
>   - (keep all your installed webapps patched/updated/etc.)
>   - etc.
> 
> still a pain though... if anybody has a sure fire way to fight this... let me 
> know?


SELinux is supposed to prevent this exact type of thing. It's
complicated and needs careful crafting to make it suit web
applications.

In case you haven't heard of SELinux, it's the NSA's contribution to
Linux security. Essentially it's a firewall for system calls. One person
who presented it to me said "There are two types of users on a Linux
system. Users that can do everything, such as root, and users who can do
almost everything." SELinux can control what users and applications can
do. For example, should you allow your httpd process to open ports other
than 80 and 443?

I want to start using SELinux but every chance I get, I don't have
enough time. I figure it will take lots of getting used to.

-- 
John Van Ostrand
Chief Technology Officer
Net Direct Inc.
564 Weber St. N. Unit 12
Waterloo, ON N2L 5C6
john-Da48MpWaEp0CzWx7n4ubxQ at public.gmane.org
Ph: 519-883-1172 ext. 5102
Fx: 519-883-8533
Linux Solutions / IBM Hardware
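A defender-side check for the first mitigation raised in the thread (a separate /tmp mounted noexec), added here as an example and not part of either message: it parses text in /proc/mounts format and reports which of noexec, nosuid and nodev a mount point lacks, using a constructed sample mount table.

```sh
#!/bin/sh
# Audit a mount point for the hardening options discussed in the thread.
# Input format is that of /proc/mounts:
#   <device> <mountpoint> <fstype> <options> <dump> <pass>
# (mount points containing spaces appear there as \040; not handled here).

REQUIRED="noexec nosuid nodev"

# missing_opts MOUNTPOINT MOUNTS_TEXT
# Prints each option from REQUIRED that MOUNTPOINT lacks, one per line,
# and returns 1 if any is missing. Prints "not-a-mount" and returns 2
# when MOUNTPOINT is not a separate mount at all (e.g. /tmp living on /).
missing_opts() {
    _target=$1
    _line=$(printf '%s\n' "$2" | awk -v mp="$_target" '$2 == mp { print; exit }')
    if [ -z "$_line" ]; then
        echo "not-a-mount"
        return 2
    fi
    _opts=$(printf '%s\n' "$_line" | awk '{ print $4 }')
    _rc=0
    for _o in $REQUIRED; do
        case ",$_opts," in
            *",$_o,"*) ;;            # option present
            *) echo "$_o"; _rc=1 ;;  # option absent
        esac
    done
    return $_rc
}

# Constructed sample mount table: /tmp is a separate partition but was
# mounted without noexec; /dev/shm has all three; /var/tmp is not split out.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'

for _mp in /tmp /dev/shm /var/tmp; do
    printf '%s: ' "$_mp"
    if _out=$(missing_opts "$_mp" "$SAMPLE_MOUNTS"); then
        echo "ok"
    else
        echo "$_out" | tr '\n' ' '; echo
    fi
done
```

On a live host, pass the real table with `missing_opts /tmp "$(cat /proc/mounts)"`. As the thread points out, noexec alone does not stop an interpreter from reading a script out of /tmp, so a clean result is a baseline, not a complete fix.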