Linux - Security (LinuxQuestions.org): This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
To start out, let me show you an excerpt of a ls -la in my /var/www/html:
drwxrwxr-x+ root root ./
drwxr-xr-x root root ../
drwxrwx---+ apache licenseGrp encrypt/
I believe that the bottom line is that the (+) in my permissions is causing some really strange things to happen. Everywhere else on my machine (such as one level up in /var/www), the (+) is absent, and things run as expected: everyone can read, but only root can write to the directory.
I could assume this is some sort of 'feature' in Linux: right now, everyone can write to /var/www/html even though no one (spare 'root') should. It hasn't bothered me in the past, mostly because I didn't care. However, I need to get this figured out for many reasons (security mainly), but also because:
I have a user 'license' which is the only authorized user on my system to create software licenses. I have a webpage set up where an authorized user can input license information, and in turn will run (EDIT:) `sudo -u license /home/license/encrypt`. (/EDIT) In theory, this 'encrypt' script will grab an unencrypted license file in /var/www/html/encrypt, encrypt it, and then overwrite it to that same directory. The problem is, user 'license' CANNOT write to that directory, even though it is part of webadminGrp! Not only that, but it cannot write to ANY directory in /var/www/html! On the other hand, I (user 'evlach') am also part of licenseGrp, and CAN write to the directory, as well as /var/www/html.
I could go on with the abnormalities, but I'll leave you with that to ponder. Does anyone have ANY insight as to what could be the ding-dong-deal?
Quote:
I have a webpage set up where an authorized user can input license information, and in turn will run `sudo -l license /home/license/encrypt`.
For instance,
Quote:
Originally Posted by man sudo
-l The -l (list) option will list out the allowed (and forbidden)
commands for the user on the current host.
I think you wanted "-u" instead. The way you invoke it, sudo will just print a usage message to stderr, because you pass extra arguments beyond -l (namely, "license" and "/home/license/encrypt").
It won't do anything and, as you correctly observe, will not attempt to write into that directory with spaces in its name.
Maybe ls will explain under what circumstances it prints "+".
The rest of my directories are either user_u:object_r:httpd_sys_content_t or root:object_r:httpd_sys_content_t. I'm not quite sure what that means, I'll be looking into it.
My google-fu wasn't up to snuff, thanks for finding out about that access control list!
There's a lot of stuff in there that I don't understand yet; I have a lot of researching to do. But all of this is putting me on the right track, thanks. If you have any more thoughts/hints, I'm all ears. I'll get to work on this and report back.
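The check that decides whether a group member like 'license' may actually write to a directory that carries an ACL (the "+" in the listing above), as an added example that is not code from this thread: it applies the POSIX.1e evaluation order (owner, named user, owning and named groups filtered by the mask, other) to getfacl(1) output. The ACL text is constructed to resemble the thread's /var/www/html/encrypt; running getfacl on the real directory is what would settle the actual entries.

```python
"""Added example (not from the thread): a POSIX.1e access check over getfacl(1)
output. SAMPLE_ACL is constructed to resemble the thread's /var/www/html/encrypt:
once an ACL exists, ls shows the mask in the group triplet, so 'rwx' there says
nothing about what one particular member of the group may actually do."""

PERM_BITS = {"r": 4, "w": 2, "x": 1}

SAMPLE_ACL = """\
# file: encrypt
# owner: apache
# group: licenseGrp
user::rwx
user:license:r-x
group::rwx
mask::rwx
other::---
"""


def parse_acl(text):
    """Return (owner, owning_group, entries); entries maps (kind, name) -> bits."""
    owner = group = None
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()  # drop getfacl's hints
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            kind, name, perms = line.split(":")
            entries[(kind, name)] = sum(PERM_BITS[c] for c in perms if c in PERM_BITS)
    return owner, group, entries


def access_allowed(acl_text, user, groups, want):
    """True if `user`, a member of `groups`, is granted every permission in `want`."""
    owner, owning_group, acl = parse_acl(acl_text)
    need = sum(PERM_BITS[c] for c in want)
    mask = acl.get(("mask", ""), 7)      # no mask entry: nothing is filtered
    if user == owner:                    # owner entry is never masked
        return (acl[("user", "")] & need) == need
    if ("user", user) in acl:            # named-user entry beats group entries
        return (acl[("user", user)] & mask & need) == need
    keys = [("group", "") if g == owning_group else ("group", g) for g in groups]
    matching = [acl[k] & mask for k in keys if k in acl]
    if matching:                         # one matching group entry must grant all bits
        return any((p & need) == need for p in matching)
    return (acl[("other", "")] & need) == need
```

With the constructed entries, `access_allowed(SAMPLE_ACL, "license", ["licenseGrp"], "w")` is False while the same call for "evlach" is True: the named-user entry for 'license' is consulted before the group entry, which is the kind of asymmetry the thread describes.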
Quote:
The rest of my directories are either user_u:object_r:httpd_sys_content_t or root:object_r:httpd_sys_content_t. I'm not quite sure what that means, I'll be looking into it.
Sorry, I forgot to have you do a sestatus.
Also look in /etc/selinux/policies/ (or something close to that) and look at the httpd policy for SELinux. If you want to test the fast way to see if it is SELinux, edit /etc/selinux/config to say disabled instead of enabled and then reboot. That will disable SELinux for a short time to test it. If it is not firewalled or sitting behind a firewall, I would disconnect the network cable for that test just to be safer.