LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 05-08-2006, 06:05 AM   #1
rioguia
Member
 
Registered: Jun 2002
Posts: 411

Rep: Reputation: 30
Default UID / GID / Security Context for httpd root directory


I am running appache httpd-2.0.54-10.3 on a Fedora Core 4 with SELinux enabled. As root, I just installed some new files on my server. I was surprised to notice that the files had their permissions set like this:
-rw-r--r-- 1000 users rootbject_r:httpd_sys_content_t some_file.php

This is not the default apache user and I am not familiar with this user / group. What should be the default settings for a file I untar as root in my httpd root directory? For example, is their a safe command that I could use to conveniently like chcon -t httpd_sys_content_t /var/www/html/*

To troubleshoot this problem on my own, I did the following:

I did a find / -uid 1000 > 1000.txt. My results included an error message like this

Quote:
find: WARNING: Hard link count is wrong for /: this may be a bug in your filesystem driver. Automatically turning on find's -noleaf option. Earlier results may have failed to include directories that should have been searched.
Except for this error message, these files returned were all created in the account where I am allowed to login into my box and then su as root (no remote root logins are allowed). The UID, however, is not the UID of the user that is able to login (as I expected) and I know that root's ID is 0.

I did searched for this UID like this:
cat /etc/passwd |grep "/bin/bash" |grep "[0-9][0-9][0-9][0-9]" |cut -d: -f1

It returned my allowed login user.

cat /etc/passwd |grep "1000" |grep "[0-9][0-9][0-9][0-9]" |cut -d: -f1

It returned no results.

Any help would be appreciated.

Last edited by rioguia; 05-08-2006 at 06:06 AM.
 
Old 05-09-2006, 12:26 PM   #2
HGeneAnthony
Member
 
Registered: Mar 2003
Posts: 178

Rep: Reputation: 30
Reply

Fedora 4 and RHEL4 both come configured for Security Enhanced Linux (SELinux) out of the box. SELinux offers much greater security than standard Linux permissions but it's more of a pain to set up as well. It also uses different users than the standard Linux versions. Both permissions have to allow something to happen or it can't. So if SELinux says you can read and standard Linux permissions says you can read/write you can only read. SELinux uses mandatory access controls and runs almost all services in sandboxes. It offers a ridiculous amount of permissions you can set and you can set permissions on processes that spawn so they have their own access rights even after being started by another service. Almost like passing it off. I don't however know enough about SELinux to really help you out, but outside of servers I don't believe it's necessary.

Last edited by HGeneAnthony; 05-09-2006 at 12:32 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
what is uid and gid rmanocha Linux - Software 9 08-18-2008 11:03 PM
Shell Script :- to get UID and GID furquan Programming 30 02-21-2006 07:44 AM
What is my uid/gid? Jeebizz Slackware 2 11-22-2005 11:39 AM
default security context jkmartha Linux - Newbie 1 08-03-2005 06:51 PM
changing uid, gid zeke1955 Linux - General 4 01-09-2004 11:53 PM


All times are GMT -5. The time now is 06:42 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration