Why do I need SELinux?
Peter Arremann
loony at loonybin.org
Sun Feb 20 18:13:15 UTC 2005
On Sunday 20 February 2005 12:35, David Cary Hart wrote:
> On Sun, 2005-02-20 at 22:52 +0530, Rahul Sundaram wrote:
> > controlling CGI scripts for example
>
> I read the FAQ. You still haven't provided an example of precisely what
> I could suffer by not using SEL. Controlling CGI isn't an example, it's
> just an FAQ topic.
>
> Everything that you do on a server is a trade off in one form or
> another. In this case, it's resources and complexity for greater
> security. Until I fully understand the benefit, I won't endure the
> costs. Ultimately, I'll get a handle on SELinux and then make an
> INFORMED decision. I'm certainly not motivated to use something because
> it's there or because someone else thinks that I should.
I think you're looking at it from the wrong angle. SELinux is a safety net.
In a perfect world, you would spend all your time setting up SELinux and
_never_ need it. It only has a value when your application does something it's
not supposed to.
Let's say I've got a beginner writing a web frontend... The example I'm giving
is from when the web was first conceived and everyone was a beginner... A
friend of mine wanted to write a few scripts to do certain things - and he
did a shortcut.. saved him a lot of coding by passing the actual command
around...
html page:
<form action="/cgi-bin/do.sh" method=get>
<select name=cmd>
<option value="id">ID</option>
<option value="date">Date</option>
</select>
<input type=submit>
</form>
cgi-script:
#!/bin/bash
echo "Content-Type: text/plain";
echo
`echo $QUERY_STRING | cut -b 5-`
This example works - but at the same time it's extremely dangerous... as soon
as you pass a parameter by hand, you can make this script do anything you
want. I can't make it any more obvious why this is a bad idea...
Anyway, in this script I can return the user name and passwords - and then
crack them offline and log into your box without issues. Of course no one will
write anything that is so obviously wrong but there are way too many cases
where a less obvious script basically gives you the same control.
This is where SELinux comes in. If you configure SELinux correctly, no matter
what input you pass in, you can limit the damage you can do... Again, it's a
safety net - use it as that. I personally have it disabled on most machines
as well - but I'm not boneheaded enough to say it has no value :-D
Peter.
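
For comparison with the do.sh script in the message above, here is a hardened form in which the request value only selects an entry from a fixed allowlist and is never executed. This is an added example, not code from the original post; the function names get_cmd_param, respond and handle_request are hypothetical, and it assumes the web server sets GATEWAY_INTERFACE for CGI programs.

```bash
#!/bin/bash
# Added example: allowlist version of the do.sh CGI script from the message.
# The "cmd" value is compared against fixed strings; it is never passed to
# backticks, eval, or a shell.

# Print the value of the first "cmd" parameter in a query string.
# Returns 1 if there is none. Uses only parameter expansion, so no
# word splitting or globbing is applied to attacker-controlled text.
get_cmd_param() {
    rest=$1
    while [ -n "$rest" ]; do
        pair=${rest%%"&"*}
        case "$pair" in
            cmd=*) printf '%s' "${pair#cmd=}"; return 0 ;;
        esac
        case "$rest" in
            *"&"*) rest=${rest#*"&"} ;;
            *)     rest= ;;
        esac
    done
    return 1
}

# Emit a CGI response: status line, content type, blank line, body.
respond() {
    printf 'Status: %s\nContent-Type: text/plain\n\n%s\n' "$1" "$2"
}

# Map the requested name to one of the two commands the form offers.
# Anything else (extra arguments, separators, other names) is rejected.
handle_request() {
    cmd=$(get_cmd_param "$1") || cmd=""
    case "$cmd" in
        id)   respond "200 OK" "$(id)" ;;
        date) respond "200 OK" "$(date)" ;;
        *)    respond "400 Bad Request" "unknown command" ;;
    esac
}

# Run only when invoked by a web server as a CGI program.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    handle_request "${QUERY_STRING:-}"
fi
```

This removes the flaw in this one script; the SELinux policy discussed in the message is what limits the damage when a similar mistake goes unnoticed elsewhere.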