[BBLISA] Dual access to files by webserver and user.

David Allan dave at dpallan.com
Tue Nov 15 16:05:43 EST 2011


The more I watch this thread the more I agree with the people who are
advocating SELinux.  This is really exactly the kind of thing that SELinux
was designed to handle, and it results in a more, not less, secure system.
I realize SELinux is slightly scary at first view, but I've found it to be
not too bad to work with after a few hours of study.

Dave


On Tue, 15 Nov 2011, Alex Aminoff wrote:

>
> About a decade ago I do recall solving a similar problem by running
> apache as root and using some sort of setuid capability such that apache
> would become the user in question, and thus have all of their
> permissions. This approach was strongly discouraged since it opens up
> your system to anyone who can find a security hole in apache. Perhaps it
> could be made slightly safer if apache was run inside a chroot jail of
> some sort that included homedirs but not the rest of the system?
>
> Documentation for mod_suid says "thus you have to compile and configure
> Apache2 with -DBIG_SECURITY_HOLE option". I chuckled.
>
> As an alternative to running all of apache as root, you could
> setuid-enable just those functions that need to be done by the user.
> Still dangerous though.
>
>  - Alex


