LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-25-2006, 09:20 PM   #1
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Rep: Reputation: 15
FollowSymLinks and SELinux enabled


In my web folder "/var/www/html/private" I have a symlink to a FAT32 partition. With httpd SELinux enabled, I do not see the link when I try to access it through my web browser. But with turning off SELinux for the httpd daemon

Code:
/usr/sbin/setsebool -P httpd_disable_trans 1
I was able to see/reach the symlink....how can I have both working at the same time??!!!

FAT32 is owned by root and I do not think it is possible to change the permissions...correct me if I'm wrong....

thnx in advance...
 
Old 02-26-2006, 01:05 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
First, fix the permissions on how the FAT32 partition is mounted using the umask option in the mount command. Give "group" and "other" read permissions on the mounted disk. Alternatively you can set the UID. See the "mount" manpage for the syntax.

If that still doesn't help try directly specifying the SELinux context for the file system when you mount the FAT partition using:
mount -t vfat -o context=system_u:object_r:httpd_sys_content_t ...blah...blah
 
Old 02-26-2006, 01:21 PM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
You might also need to change the context on the link itself. For that you can use the chcon command (chcon -t httpd_sys_content_t /path/to/link).
 
Old 02-26-2006, 04:37 PM   #4
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Capt_Caveman
First, fix the permissions on how the FAT32 partition is mounted using the umask option in the mount command. Give "group" and "other" read permissions on the mounted disk. Alternatively you can set the UID. See the "mount" manpage for the syntax.

If that still doesn't help try directly specifying the SELinux context for the file system when you mount the FAT partition using:
mount -t vfat -o context=system_u:object_r:httpd_sys_content_t ...blah...blah
This is how it looks:

Code:
/dev/hda5               /mnt/fat32              vfat    umask=000 0 0
Can you give me the exact command??
 
Old 02-26-2006, 04:40 PM   #5
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Capt_Caveman
You might also need to change the context on the link itself. For that you can use the chcon command (chcon -t httpd_sys_content_t /path/to/link).
By doing this

Code:
chcon -t httpd_sys_content_t sym_link_to_fat32
now I see the symbolic link...but when I click on it...I reach a blank page...so I tried the same command on the FAT32 partition but it did not help!!! So shall I mount it using the command you mentioned earlier??!!!

thnx

Last edited by piforever; 02-26-2006 at 04:41 PM.
 
Old 02-27-2006, 01:15 AM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Linux handles FAT filesystems in such a way that they don't have the same type of extended attributes as other types of filesystems that have SELinux support (like ext2). So it's not surprising that the chcon command didn't work. Out of curiosity, did you try to use the chcon command on the entire mounted partition or just on the file that the symlink pointed to? If you tried doing the *entire* partition, using the -R (recursive) option may have helped (chcon -R -t httpd_sys_content_t /path/to/vfat/target_dir).

If neither of those worked, you may need to use the mount command with the -o option:
Code:
 mount -t vfat -o context=system_u:object_r:httpd_sys_content_t /dev/hda5 /mnt/fat32
Make sure that it has been unmounted before trying to remount.

Syntax for mounting with non-root read permissions would be:
Code:
mount -t vfat -o umask=133 /dev/hda5 /mnt/fat32
which should give rw-r--r-- permissions on the mounted filesystem.
 
Old 02-27-2006, 01:43 PM   #7
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Original Poster
Rep: Reputation: 15
Thank you very much....

this code
Code:
mount -t vfat -o context=system_u:object_r:httpd_sys_content_t /dev/hda5 /mnt/fat32
sorted my problem....and it seems we do not need to use this code on the symbolic link
Code:
chcon -t httpd_sys_content_t sym_link_to_fat32
but now how can I include it in "/etc/fstab"...the old format was
Code:
/dev/hda5               /mnt/fat32              vfat    umask=000 0 0
so the new one will be??!!

ThnX

EDIT

It seems the symbolic link to the partition we just mounted is not writable!!! How can we make it writable??

Last edited by piforever; 02-27-2006 at 01:46 PM.
 
Old 02-27-2006, 05:06 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Just combine the 2 mount commands into a single command (basically just include the umask option along with the context= option). You'll need to change the umask setting depending on what type of write permissions you want to give. Note that you need to be really careful when giving write permissions to the Apache daemon. If it's ever compromised, the attacker will be able to upload to that part of the filesystem. So you need to ask yourself whether Apache *really* needs to write there and make sure that sensitive files like password or config files as well as other binaries don't live there. You may also want to change the ownership of those files if you plan on giving write permissions to non-root users (to do so, use the "uid=apache" option in the mount command).

I haven't tried setting the selinux context in fstab, but you should be able to. The fstab entry would look something like:
Code:
/dev/hda5     /mnt/fat32       vfat   umask=133,context=system_u:object_r:httpd_sys_content_t 0 0
Change the umask value to include whatever write permissions you need (remember the umask value will be: 777 - (actual permissions you want)). You can also include the "uid=" option as well if you want to change the ownership. Post back with your final fstab entry just to make sure that it's secure.
 
Old 02-27-2006, 06:58 PM   #9
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Original Poster
Rep: Reputation: 15
Thanx....

My entry now looks like this and it works....
Code:
/dev/hda5   /mnt/fat32  vfat  umask=000,context=system_u:object_r:httpd_sys_content_t 0 0
I picked umask=000 since I want to be able to access the partition using my web browser and download the stuff to my PC....and I have a Java script that continuously writes to the partition (i.e. FAT32). The owner of that script is not "root".

Is there a more secure way to do that??? Or is it possible to limit access to that particular partition to certain IPs??!! I'm thinking of doing that using the .htaccess file...although this will not prevent a hacker from accessing that partition if my system got compromised...


Can I have your advice regarding this issue??
http://www.linuxquestions.org/questi...94#post2126994

Last edited by piforever; 02-27-2006 at 07:24 PM.
 
Old 02-27-2006, 11:09 PM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I would definitely not put 777 permissions (umask 000) on anything accessible to the Apache daemon. A better solution might be to take the user that the Java script runs under and make it part of a group. Then give that group write permissions.
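Worked example for the last two replies, added here and not part of the thread: the umask arithmetic and the combined umask=/context= fstab entry from post #8, and post #10's group-writable alternative to umask=000. It assumes POSIX sh; /dev/hda5, /mnt/fat32 and the httpd_sys_content_t type are the thread's, while the uid "apache" and the group "webdata" are assumed placeholder names.

```shell
#!/bin/sh
# Added example, not from the thread: derive a vfat umask from the
# permission bits you want, emit an fstab line that combines umask=, uid=/gid=
# and the SELinux context= option, and refuse world-writable entries.
# /dev/hda5 and /mnt/fat32 come from the thread; "apache" and "webdata" are
# constructed placeholder names for the uid=/gid= example.

# vfat has no per-file mode bits; every file gets 0777 minus the umask,
# so the umask for a desired mode is the digit-wise complement of 7.
vfat_umask() {
    mode=$1                      # three octal digits, e.g. 644 or 775
    first=${mode%??}; last=${mode#??}
    mid=${mode#?}; mid=${mid%?}
    printf '%s%s%s\n' $((7 - $first)) $((7 - $mid)) $((7 - $last))
}

# Build the fstab entry. $1 device, $2 mount point, $3 desired mode,
# $4 extra comma-separated options such as uid=apache,gid=webdata (optional).
vfat_fstab_entry() {
    extra=${4:+,$4}
    printf '%s %s vfat umask=%s%s,context=system_u:object_r:httpd_sys_content_t 0 0\n' \
        "$1" "$2" "$(vfat_umask "$3")" "$extra"
}

# Return 0 only if the entry's umask masks the "other" write bit, i.e. the
# partition is not world-writable (the umask=000 case the thread warns about).
# An entry without an explicit umask is rejected as unreviewed.
fstab_entry_is_safe() {
    set -- $1                    # split the line into its fstab fields
    um=
    old_ifs=$IFS; IFS=,
    for opt in $4; do
        case $opt in umask=*) um=${opt#umask=} ;; esac
    done
    IFS=$old_ifs
    [ -n "$um" ] || return 1
    other=${um#"${um%?}"}        # last digit: bits masked for "other"
    case $other in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# Group-writable instead of 777: owner apache, group webdata, mode 775.
entry=$(vfat_fstab_entry /dev/hda5 /mnt/fat32 775 "uid=apache,gid=webdata")
echo "$entry"
if fstab_entry_is_safe "$entry"; then echo "ok: not world-writable"; fi
bad="/dev/hda5 /mnt/fat32 vfat umask=000,context=system_u:object_r:httpd_sys_content_t 0 0"
if ! fstab_entry_is_safe "$bad"; then echo "rejected: umask=000 is world-writable"; fi
```

The writing user of the script is then added to the webdata group, so Apache (uid=apache) and the script share write access without opening the partition to everyone.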
 