LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-30-2007, 08:43 PM   #1
ericvlach
LQ Newbie
 
Registered: Sep 2007
Posts: 4

Rep: Reputation: 0
strange permissions in /var/www/html, '+' sign


To start out, let me show you an excerpt of a ls -la in my /var/www/html:
drwxrwxr-x+ root root ./
drwxr-xr-x root root ../
drwxrwx---+ apache licenseGrp encrypt/

I believe that the bottom line is that the (+) in my permissions is causing some really strange things to happen. Everywhere else on my machine (such as one level up in /var/www,) the (+) is absent, and things run as expected: everyone can read, but only root can write to the directory.

I could assume this is some sort of 'feature' in linux: Right now, everyone can write to /var/www/html even though that no one (spare 'root') should. It hasn't bothered me in the past, mostly because I didn't care. However, I need to get this figured out for many reasons (security mainly,) but also because:

I have a user 'license' which is the only authorized user on my system to create software licenses. I have a webpage set up where an authorized user can input license information, and in turn will run (EDIT:) `sudo -u license /home/license/encrypt`. (/EDIT) In theory, this 'encrypt' script will grab an unencrypted license file in /var/www/html/encrypt, encrypt it, and then overwrite it to that same directory. The problem is, user 'license' CANNOT write to that directory, even though it is part of webadminGrp! Not only that, but it cannot write to ANY directory in /var/www/html! On the other hand, I (user 'evlach') am also part of licenseGrp, and CAN write to the directory, as well as /var/www/html.

I could go on with the abnormalities, but I'll leave you with that to ponder. Does anyone have ANY insight as to what could be the ding-dong-deal?

Thanks -Eric

I am running RedHat EL4, with SELinux enabled.

Last edited by ericvlach; 10-01-2007 at 05:13 PM.
 
Old 10-01-2007, 10:19 AM   #2
Quigi
Member
 
Registered: Mar 2003
Location: Cambridge, MA, USA
Distribution: Ubuntu (Dapper and Heron)
Posts: 377

Rep: Reputation: 31
man pages

Quote:
Originally Posted by ericvlach View Post
I have a webpage set up where an authorized user can input license information, and in turn will run `sudo -l license /home/license/encrypt`.
For instance,
Quote:
Originally Posted by man sudo
-l The -l (list) option will list out the allowed (and forbidden)
commands for the user on the current host.
I think you wanted "-u" instead. The way you invoke it, sudo will just print a usage message to stderr, because you pass extra arguments beyond -l (namely, "license" and "/home/license/encrypt").

It won't do anything, and, as you observe correctly, not attempt writing into that directory with spaces in its name.

Maybe ls will explain under what circumstances it prints "+".

/Quigi
 
Old 10-01-2007, 11:01 AM   #3
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
The plus sign indicates that there is an ACL associated with the file. Found it while searching the net

Guessing that SELinux has something to do with it, since that's the only ACL that I know of with RHEL4.

Do a ls -lasZ and post the results so we can see the SELinux permissions.

Last edited by slimm609; 10-01-2007 at 11:03 AM.
 
Old 10-01-2007, 04:09 PM   #4
jeenam
Member
 
Registered: Dec 2006
Distribution: Slackware 11
Posts: 144

Rep: Reputation: 15
getfacl = view extended ACLs
 
Old 10-01-2007, 04:46 PM   #5
ericvlach
LQ Newbie
 
Registered: Sep 2007
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Quigi View Post

I think you wanted "-u" instead.
/Quigi
Gosh, that was my typo... I do have -u in there, of course!

Slimm609 - here is ls -laZ:

drwxrwxr-x+ root root system_u:object_r:httpd_sys_content_t ./
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ../
drwxrwx---+ apache licenseGrp root:object_r:httpd_sys_content_t encrypt/

The rest of my directories are either user_u:object_r:httpd_sys_content_t or root:object_r:httpd_sys_content_t. I'm not quite sure what that means, I'll be looking into it.

My google-fu wasn't up to snuff, thanks for finding out about that access control list!

jeenam- here is getfacl of encrypt/:

# file: encrypt
# owner: apache
# group: licenseGrp
user::rwx
group::r-x
group:webadminGrp:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:webadminGrp:rwx
default:mask::rwx
default:other::r-x

There's a lot of stuff in there that I don't understand yet; I have a lot of researching to do. But all of this is putting me on the right track, thanks. If you have any more thoughts/hints, I'm all ears. I'll get to work on this and report back.

Last edited by ericvlach; 10-01-2007 at 04:49 PM.
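As an added example (not code from the thread), the following applies the access-check algorithm from acl(5) to the getfacl output posted above: owner entry first, then a named user entry, then the owning group together with any named group entries (each capped by the mask), and finally other. The user and group names come from the thread; the group memberships passed in are assumptions.

```python
"""POSIX.1e ACL access check, per the algorithm in acl(5), run on the thread's ACL."""
from typing import List, Set, Tuple

# Constructed sample: the access entries of the getfacl output posted for encrypt/
# (default: entries only shape newly created files, so they are omitted here).
ENCRYPT_ACL = """\
# file: encrypt
# owner: apache
# group: licenseGrp
user::rwx
group::r-x
group:webadminGrp:rwx
mask::rwx
other::---
"""

Entry = Tuple[str, str, Set[str]]  # (tag, qualifier, set of r/w/x granted)

def parse_getfacl(text: str) -> Tuple[str, str, List[Entry]]:
    """Return (owner, owning group, access entries) parsed from getfacl text."""
    owner = group = ""
    entries: List[Entry] = []
    for raw in text.splitlines():
        if raw.startswith("# owner:"):
            owner = raw.split(":", 1)[1].strip()
        elif raw.startswith("# group:"):
            group = raw.split(":", 1)[1].strip()
        elif raw and not raw.startswith(("#", "default:")):
            tag, qualifier, perms = raw.split()[0].split(":")  # drops '#effective:' notes
            entries.append((tag, qualifier, set(perms) - {"-"}))
    return owner, group, entries

def acl_allows(acl_text: str, user: str, groups: Set[str], want: str) -> bool:
    """True if `user`, a member of every group in `groups`, holds all perms in `want`."""
    owner, owning_group, entries = parse_getfacl(acl_text)
    need = set(want)
    mask = next((p for t, _, p in entries if t == "mask"), None)

    def masked(p: Set[str]) -> Set[str]:  # named users and all groups are capped by the mask
        return p if mask is None else p & mask

    if user == owner:  # step 1: owner entry, not subject to the mask
        return need <= next(p for t, q, p in entries if t == "user" and q == "")
    for t, q, p in entries:  # step 2: a named user entry
        if t == "user" and q == user:
            return need <= masked(p)
    hits = [p for t, q, p in entries if t == "group"
            and ((q == "" and owning_group in groups) or (q != "" and q in groups))]
    if hits:  # step 3: any matching group entry that grants the request suffices
        return any(need <= masked(p) for p in hits)
    return need <= next(p for t, _, p in entries if t == "other")  # step 4: other
```

This is the discretionary check the kernel performs first; SELinux is consulted only after it succeeds, so a denial that contradicts this result would show up in the audit log rather than in getfacl.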
 
Old 10-01-2007, 06:27 PM   #6
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
Quote:
Originally Posted by ericvlach View Post

Slimm609 - here is ls -laZ:

drwxrwxr-x+ root root system_u:object_r:httpd_sys_content_t ./
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ../
drwxrwx---+ apache licenseGrp root:object_r:httpd_sys_content_t encrypt/

The rest of my directories are either user_u:object_r:httpd_sys_content_t or root:object_r:httpd_sys_content_t. I'm not quite sure what that means, I'll be looking into it.
Sorry, I forgot to have you do a sestatus.

Also look in /etc/selinux/policies/ (or something close to that) and look at the httpd policy for SELinux. If you want to test to see if it is SELinux the fast way, edit /etc/selinux/config to say disabled instead of enabled and then reboot. That will disable SELinux for a short time to test it. If it is not firewalled or sitting behind a firewall, I would disconnect the network cable for that test just to be safer.
 
Old 10-11-2007, 09:23 AM   #7
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE 13.1 / 12.3_64-KDE, Ubuntu 12.04, Fedora 17, Mint 16, Chakra
Posts: 3,618

Rep: Reputation: Disabled
In case you didn't know but might need it:

http://www.suse.de/~agruen/acl/linux-acls/online/

Last edited by JZL240I-U; 10-11-2007 at 09:25 AM.